paulism
New Member
June 19, 2025
Question

IPv6 and RPF


I have a somewhat working setup on a 91G running 7.4.8 that I am struggling with. Sometimes it works fine, now it doesn't. I have IA-PD from my ISP, and it seems to be correct. I have three interfaces on the LAN side that each get their own /64:

 

lan (shortened)
    ip6-mode            : 
    nd-mode             : basic
    ip6-address         : 2a01:xxxx:161f:670a::1/64
    ip6-allowaccess     : ping https ssh
    ip6-prefix-mode     : dhcp6
    dhcp6-prefix-delegation: disable
    dhcp6-information-request: disable
    ip6-delegated-prefix-iaid: 1
    ip6-upstream-interface: Vlan102
    ip6-subnet          : ::a:0:0:0:1/64

 

The other interfaces have :b: and :c: respectively. Now, when it doesn't work, I see that the FortiGate claims there is an RPF check error:

 

id=65308 trace_id=1 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=58, 2a01:xxxx:161f:6700:4d1d:8bf:981b:5e94:1423->2a01:xxxx:161f:670a::1:128) from lan. type=128, code=0, id=1423, seq=0."
id=65308 trace_id=1 func=resolve_ip6_tuple line=5260 msg="allocate a new session-00000290"
id=65308 trace_id=1 func=ip6_route_input line=2197 msg="reverse path check failed, drop"

 

I do see that it lists /128 as mask. Is this correct? The interface itself is /64. I've tried to enable asymroute without any luck. The FortiGate can ping fine.

 

fortigate # execute ping6 google.com
PING google.com(2a00:1450:400f:803::200e) 56 data bytes
64 bytes from 2a00:1450:400f:803::200e: icmp_seq=1 ttl=120 time=8.85 ms
64 bytes from 2a00:1450:400f:803::200e: icmp_seq=2 ttl=120 time=8.85 ms
^C

1 reply

knaveenkumar
Staff
June 19, 2025

Hi,

Could you please check on the FortiGate which interface the traffic is being received on, and check whether the reverse route for that destination network is present or not?
A reverse path drop will occur when the route is not present on the initial interface where the traffic is received.
Please refer to this document:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-FortiOS-RPF-Reverse-Path-Forwarding/ta-p/190100

 

Also, provide the below output to the ticket:

======================================
dia ipv6 address list

dia sniffer packet any "host  <ipv6 addrs>" 4 0 a

Then provide the debug flow output to the ticket.

paulism
Author
New Member
June 19, 2025

fortigate # diagnose ipv6 address list | grep =lan
dev=31 devname=lan flag= scope=0 prefix=64 addr=2a01:799:161f:670a::1 preferred=25205 valid=25205 cstamp=11901 tstamp=1231606
dev=31 devname=lan flag=P scope=253 prefix=64 addr=fe80::3ac0:eaff:fea9:b37f preferred=4294967295 valid=4294967295 cstamp=5552 tstamp=5552

 

fortigate # di sniffer packet lan 'host 2a01:799:161f:670a::1' 4 0 l
interfaces=[lan]
filters=[host 2a01:799:161f:670a::1]
2025-06-19 20:38:11.683192 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 0 [flowlabel 0xd0a00]
2025-06-19 20:38:12.683371 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 1 [flowlabel 0xd0a00]
2025-06-19 20:38:13.688726 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 2 [flowlabel 0xd0a00]
2025-06-19 20:38:14.691310 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 3 [flowlabel 0xd0a00]
^C
4 packets received by filter
0 packets dropped by kernel

 

fortigate # get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, B - BGP, V - BGP VPNv6
       > - selected route, * - FIB route, p - stale info
Timers: Uptime

Routing table for VRF=0
S       ::/0 [10/0] via ::, Vlan102, 04:27:24, [1024/0]
K    *> ::/0 via fe80::201:2ff:fe61:1, Vlan102, 04:27:24
C    *> ::1/128 via ::, root, 04:27:24
C    *> 2a01:798:100:5800:4543:311b:756a:459/128 via ::, Vlan102, 04:27:02
C    *> 2a01:799:161f:670a::/64 via ::, lan, 04:27:02

fortigate # di de flow filter6 daddr 2a01:799:161f:670a::1

fortigate # di de en

fortigate # di de flow trace start6 4

fortigate # id=65308 trace_id=11 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=58, 2a01:799:161f:6700:4d1d:8bf:981b:5e94:7266->2a01:799:161f:670a::1:128) from lan. type=128, code=0, id=7266, seq=0."
id=65308 trace_id=11 func=resolve_ip6_tuple line=5260 msg="allocate a new session-0000293b"
id=65308 trace_id=11 func=ip6_route_input line=2197 msg="reverse path check failed, drop"
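
Added example, not part of any post in this thread and not FortiOS code: a simplified model of a reverse path check, run over the routing table and the trace line posted above. The function names and the `strict` switch are assumptions of this sketch; it shows which routes lead back to the packet's source and whether any of them use the interface the packet arrived on.

```python
import ipaddress
import re

# Copied from the thread: routing table rows (prefix, interface) and one trace line.
ROUTES = [
    ("::/0", "Vlan102"),
    ("::1/128", "root"),
    ("2a01:798:100:5800:4543:311b:756a:459/128", "Vlan102"),
    ("2a01:799:161f:670a::/64", "lan"),
]
TRACE = ('msg="vd-root:0 received a packet(proto=58, '
         '2a01:799:161f:6700:4d1d:8bf:981b:5e94:7266->2a01:799:161f:670a::1:128) '
         'from lan. type=128, code=0, id=7266, seq=0."')

def parse_trace(line):
    """Return (source address, ingress interface) from a 'received a packet' line."""
    m = re.search(r"proto=\d+, (\S+)->(\S+)\) from (\S+)\.", line)
    if not m:
        raise ValueError("not a 'received a packet' trace line")
    # The trailing ':<n>' is not part of the address; in the traces above it
    # equals the id= value printed later in the same line.
    src = m.group(1).rsplit(":", 1)[0]
    return ipaddress.IPv6Address(src), m.group(3)

def routes_covering(src, routes=ROUTES):
    """Routes whose prefix contains src, longest prefix first."""
    nets = [(ipaddress.IPv6Network(p), dev) for p, dev in routes]
    hits = [(n, d) for n, d in nets if src in n]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)

def rpf_check(src, in_if, strict=False, routes=ROUTES):
    """Simplified model (assumption): strict = best route back to src must use
    in_if; otherwise any covering route through in_if is enough."""
    hits = routes_covering(src, routes)
    if not hits:
        return False
    if strict:
        return hits[0][1] == in_if
    return any(dev == in_if for _, dev in hits)

if __name__ == "__main__":
    src, in_if = parse_trace(TRACE)
    print(src, "arrived on", in_if)
    print("routes back to source:", [(str(n), d) for n, d in routes_covering(src)])
    print("RPF pass:", rpf_check(src, in_if))
```

With the posted table, the only route covering the source `2a01:799:161f:6700:...` is `::/0` via Vlan102, so the model fails the check for a packet arriving on `lan` in both modes.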