Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
smacco
Staff
Staff

Created on ‎03-18-2025 11:08 AM

Article Id 383003

Troubleshooting Tip: FortiGate RPF failure for FortiManager traffic

Description This article describes how to handle the RPF failure for FortiManager traffic if the fmg-source-ip is misconfigured.
Scope FortiGate VM, FortiGate Physical Appliances.
Solution

Symptoms:

 

Branch1 # 
id=65308 trace_id=111 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=1, 10.10.244.97:6707->10.140.64.1:2048) tun_id=10.1 82.90.1 from OL-M1-H1. type=8, code=0, id=6707, seq=0."
id=65308 trace_id=111 func=init_ip_session_common line=6055 msg="allocate a new session-00001685"
id=65308 trace_id=111 func=ip_route_input_slow line=1696 msg="reverse path check fail, drop"

 

In this setup, there are two branch FortiGates and one Hub, all configured with SD-WAN.

As shown in the diagram, the FortiGate (Branch1) is configured to use the LAN interface IP (10.140.64.1) as the source address for communication with FortiManager.

The LAN subnet is advertised via BGP to all participating peers—eBGP on the underlay and iBGP on the overlay.

In this scenario, traffic destined for FortiManager is preferred via the underlay. However, since the configuration specifies a source IP that is expected to be routed through the overlay, the traffic fails the Reverse Path Forwarding (RPF) check, as it is essentially considered spoofed.

 

Screenshot 2025-03-18 175412.png

 

Analysis:

 

As shown, the traffic is going out through the underlay (port1):

 

Branch1 # diagnose sniffer packet any "host 10.10.244.97" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.244.97]
2025-03-18 17:36:08.830226 port1 out 10.140.64.1.3377 -> 10.10.244.97.541: syn 1622954178
2025-03-18 17:37:32.326987 port1 out 10.140.64.1.6723 -> 10.10.244.97.541: syn 1659305991
2025-03-18 17:37:33.390237 port1 out 10.140.64.1.6723 -> 10.10.244.97.541: syn 1659305991
2025-03-18 17:37:35.470194 port1 out 10.140.64.1.6723 -> 10.10.244.97.541: syn 1659305991

 

Resolution:

 

Removing the fmg-source-ip or configuring the appropriate IP will solve the problem.

 

Branch1 (central-management) # show
config system central-management
set type fortimanager
set fmg "10.10.244.97"
set fmg-source-ip 10.140.64.1
set enc-algorithm default
end

Branch1 (central-management) # unset fmg-source-ip

Branch1 (central-management) # end

Branch1 # 
id=65308 trace_id=115 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=6, 10.10.244.97:541->10.189.33.30:7210) tun_id=0.0.0.0 from port1. flag [S.], seq 399929127, ack 342692521, win 64240"
id=65308 trace_id=115 func=resolve_ip_tuple_fast line=5958 msg="Find an existing session, id-00004a9b, reply direction"
id=65308 trace_id=115 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=116 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=6, 10.10.244.97:541->10.189.33.30:7210) tun_id=0.0.0.0 from port1. flag [.], seq 399929128, ack 342693500, win 63"
id=65308 trace_id=116 func=resolve_ip_tuple_fast line=5958 msg="Find an existing session, id-00004a9b, reply direction"

 

Note:

 

Enabling the asym-routing or turning off the RPF check under the interface settings, will not solve this problem.
538
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.