FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fwilliams
Staff & Editor
Staff & Editor
Article Id 358875
Description This article describes how to troubleshoot routing issues caused by a bad source IP address. Using an IP address which is considered reserved, such as a 'network address' (e.g. 192.168.1.0 on a /24 network), or a 'broadcast address' (e.g. 192.168.1.255 on a /24 network) can result in routing issues. FortiOS will mark these IPs as bad sources and subsequently drop the packet.
Scope FortiOS.
Solution

The scenario:

This issue can occur  in a Hub and spoke topology, where an IP address assignment to the VPN client (spokes) is done dynamically by the HUB. It can also happen with manual assignment, if the IP address assigned to the VPN tunnel is like the one described below.

In the client address range in the screenshot below (configuration), if 0 – 251 of the last octet of the /24 subnet is configured, a client or spoke can have the IP address 10.253.1.0 assigned to it.

This IP address will cause this type of issue.

 

Client-IP-Range.png

 

The error:

The error message 'reverse path check fail(bad src),drop' will be seen in the 'debug flow' logs.

 

Command for taken/collecting 'debug flow' logs:

 

diagnose debug enable

diagnose debug flow filter aadr x.x.x.x  <- IP assigned to the spoke site with routing issue.

diagnose debug console timestamp enable

diagnose debug flow show iprope enable

diagnose debug flow show function-name enable

diagnose debug flow trace start 999

diagnose debug enable

 

Alternate scenario:

The DHCP range provides the subnet IP address for leasing:

 

Screenshot 2025-04-23 194417.jpg

 

Screenshot 2025-04-23 194434.jpg

 

The first IP address provided by the FortiGate for leasing is the same IP address as the subnet IP 192.168.100.224.

 

The root cause:

Unlike routing issue with an error message msg='reverse path check fail, drop' which is caused by asymmetric routing, the error message in this article (bad src) is not caused by asymmetric routing, but a bad source IP (e.g. 192.168.1.0. This is expected to be a reserve IP, the network IP).

 

The spoke site assigned with IP 192.168.1.0 can face errors such as 'down health-check, BGP peering issue'.

 

The fix:

Change the IP assignment on the HUB from 0 – 251 to something like 10 – 251 on the fourth octet of the /24 subnet.