

UDP reverse path check


ASA running 8.2(5).

When I enable ip spoofing on my network interfaces I see this getting logged:

Deny UDP reverse path check from to on interface SPECTRA-LAN

This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip but the interface does not have an IP address, so it does not exist in the routing table, I believe?

However, interface INTERN also belongs to network, which is also the management interface and the default route for hosts in network, but has no VLAN.

How do I solve this?

1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip

2. give SPECTRA-LAN an IP address in the range?

3. or ??

My routing table and interface list are:

Current available interface(s):
  DATA-BACKUP     Name of interface Redundant1.10
  DMZ             Name of interface Redundant1.900
  GUEST           Name of interface Redundant1.990
  HOSTING         Name of interface Redundant1.100
  Infrastruktur   Name of interface Redundant1.20
  Intern          Name of interface Management0/0
  OUTSIDE-BACKUP  Name of interface Redundant1.998
  PHONE           Name of interface Redundant1.200
  SPECTRA-LAN     Name of interface Redundant1.50
  outside         Name of interface Ethernet0/3

Gateway of last resort is to network

C is directly connected, DMZ
S [1/0] via, outside
S [1/0] via, outside
S    VPN-hosting [1/0] via, outside
C is directly connected, outside
S [1/0] via, outside
C is directly connected, GUEST
C is directly connected, Intern
S [5/0] via, Intern
S [10/0] via, Intern
C is directly connected, PHONE
C is directly connected, Infrastruktur
C is directly connected, DATA-BACKUP
C is directly connected, HOSTING
S* [1/0] via, outside
S [5/0] via, HOSTING





UDP reverse path check

The reason why you are seeing that error message is because is connected to the wrong subnet/VLAN. It should have been connected to the Intern subnet/VLAN; however, it has incorrectly been assigned/connected to the SPECTRA-LAN subnet.

Just configure host correctly by assigning it to the correct VLAN, and you won't have that error anymore.

You can't have 2 VLANs in the same subnet.



Re: UDP reverse path check

As far as I can see it is not the case where I have 2 vlans in the same subnet.

Looking in ASDM I see:

Management0/0 interface = security level 100 = Intern = native vlan (ip address

Redundant1.50 interface = security level 100 = SPECTRA-LAN = vlan50 (no ip address)

Subnet must belong to vlan50.

Redundant1 is ethernet0/0 and ethernet0/1. Configuration allows communication between interfaces with the same security level. All ACL policies from subnet are bound to interface and the ACL from allows all traffic to any less secure network.

I'm currently not sure how the physical cabling is connected, but I'll have to look, as it seems traffic from subnet can come in from both management0/0 and the redundant interfaces eth0/0 + eth0/1 ??

Does this make sense at all?




Re: UDP reverse path check

As per your above statement, belongs to native vlan (Intern), not vlan50 (SPECTRA-LAN).

Even though SPECTRA-LAN is not configured with any IP address, the subnet can't belong to this vlan50 as it already belongs to the Intern (native vlan) subnet.
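To make the reverse-path decision concrete, here is an added Python model of the check the ASA applies when "ip verify reverse-path" is enabled; it is not code from the thread or from Cisco. The routing table and addresses are constructed placeholders that mirror the thread's layout: the LAN subnet is directly connected on Intern, SPECTRA-LAN carries no IP and therefore no route, so a packet from that subnet arriving on SPECTRA-LAN fails the check and produces the logged message.

```python
import ipaddress

# Constructed routing table (placeholder prefixes, not the poster's real ones).
# Like the thread's "show route": the LAN is connected on Intern, nothing
# points at SPECTRA-LAN, and S* is the gateway of last resort via outside.
ROUTES = {
    ipaddress.ip_network("10.50.0.0/24"): "Intern",       # C ... Intern
    ipaddress.ip_network("10.90.0.0/24"): "DMZ",          # C ... DMZ
    ipaddress.ip_network("0.0.0.0/0"): "outside",         # S* ... outside
}


def egress_interface(ip):
    """Longest-prefix match: the interface the firewall would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(src_ip, ingress_iface):
    """Unicast RPF as the ASA applies it: the packet passes only if the route
    back to its source address leaves through the interface it arrived on.
    Returns (passed, reason)."""
    back = egress_interface(src_ip)
    if back is None:
        return False, "no route back to source"
    if back != ingress_iface:
        return False, f"route to source is via {back}, packet came in on {ingress_iface}"
    return True, "ok"


def syslog_line(proto, src, dst, ingress_iface):
    """Reproduce the denial message format seen in the thread for a failed check,
    or return None when the packet is allowed."""
    passed, _ = reverse_path_check(src, ingress_iface)
    if passed:
        return None
    return f"Deny {proto} reverse path check from {src} to {dst} on interface {ingress_iface}"


if __name__ == "__main__":
    # Host on the LAN subnet seen on the wrong VLAN, as in the question.
    print(syslog_line("UDP", "10.50.0.10", "10.90.0.5", "SPECTRA-LAN"))
    print(syslog_line("UDP", "10.50.0.10", "10.90.0.5", "Intern"))
```

Moving the host (or the subnet's interface) so that the ingress interface matches the route back to the source is what makes the denial disappear, which is exactly the conclusion the replies reach.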

