Description | This article describes how to troubleshoot routing issues caused by a bad source IP address. Using an IP address which is considered reserved, such as a 'network address' (e.g. 192.168.1.0 on a /24 network), or a 'broadcast address' (e.g. 192.168.1.255 on a /24 network) can result in routing issues. FortiOS will mark these IPs as bad sources and subsequently drop the packet. |
Scope | FortiOS. |
Solution |
The scenario: This issue can occur in a Hub and spoke topology, where an IP address assignment to the VPN client (spokes) is done dynamically by the HUB. It can also happen with manual assignment, if the IP address assigned to the VPN tunnel is like the one described below. In the client address range in the screenshot below (configuration), if 0 – 251 of the last octet of the /24 subnet is configured, a client or spoke can have the IP address 10.253.1.0 assigned to it. This IP address will cause this type of issue.
The error: The error message 'reverse path check fail(bad src),drop' will be seen in the 'debug flow' logs.
Command for taken/collecting 'debug flow' logs:
diagnose debug enable diagnose debug flow filter aadr x.x.x.x <- IP assigned to the spoke site with routing issue. diagnose debug console timestamp enable diagnose debug flow show iprope enable diagnose debug flow show function-name enable diagnose debug flow trace start 999 diagnose debug enable
Alternate scenario: The DHCP range provides the subnet IP address for leasing:
The first IP address provided by the FortiGate for leasing is the same IP address as the subnet IP 192.168.100.224.
The root cause: Unlike routing issue with an error message msg='reverse path check fail, drop' which is caused by asymmetric routing, the error message in this article (bad src) is not caused by asymmetric routing, but a bad source IP (e.g. 192.168.1.0. This is expected to be a reserve IP, the network IP).
The spoke site assigned with IP 192.168.1.0 can face errors such as 'down health-check, BGP peering issue'.
The fix: Change the IP assignment on the HUB from 0 – 251 to something like 10 – 251 on the fourth octet of the /24 subnet. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.