Hsharma
Staff
Article Id 363766
Description This article describes how to resolve an issue where the user is unable to access the GUI of the secondary FortiGate in an HA cluster and the debug flow output shows the error 'reverse path check fail, drop'.
Scope FortiGate.
Solution

If the FortiGate is part of an HA cluster and the primary unit is reachable through the HA Reserved Management interface but the GUI of the secondary unit is not, run the following debug commands on the secondary unit. The output will show the errors below:

di de dis
di de flow filter addr 192.168.x.x 172.23.y.y and
di de flow filter port 443
diag debug console timestamp enable
diag debug flow trace start 1000
diag debug en


id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-vsys_hamgmt:0 received a packet(proto=6, 192.168.x.x:57291->172.23.y.y:443) tun_id=0.0.0.0 from mgmt. flag [S], seq 1914806621, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0d8"
id=65308 trace_id=1 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=1 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=2 func=print_pkt_detail line=5836 msg="vd-vsys_hamgmt:0 received a packet(proto=6, 192.168.x.x:57292->172.23.y.y:443) tun_id=0.0.0.0 from mgmt. flag [S], seq 2076504493, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0d9"
id=65308 trace_id=2 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=2 func=ip_session_handle_no_dst line=6106 msg="trace"


This issue appears to be due to the gateway not being configured under HA configuration on the secondary FortiGate.
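The debug flow output above is easier to read when grouped per trace_id, with the packet summary line (VDOM, 5-tuple, ingress interface) tied to the verdict line that follows it. The script below does that and reports every trace that ended in the reverse path check drop. It is an added example for this article, not Fortinet code; the trace text it parses is constructed in the format shown above, with example addresses standing in for the masked ones, and the VDOM name vsys_hamgmt and the interpretation (no route back to the source via the ingress interface, so check the gateway under config ha-mgmt-interfaces) come from this article.

```python
"""Find sessions dropped by the reverse path check in FortiGate
'diagnose debug flow' output.

Added example for this article; it is not Fortinet code. The trace text
below is constructed in the format the article shows, with example
addresses in place of the masked ones."""
import re

# Constructed sample: two SYNs to the HA management address (VDOM
# vsys_hamgmt) fail the reverse path check; a third flow in VDOM root is
# routed normally.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-vsys_hamgmt:0 received a packet(proto=6, 192.168.10.5:57291->172.23.1.2:443) tun_id=0.0.0.0 from mgmt. flag [S], seq 1914806621, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0d8"
id=65308 trace_id=1 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=1 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=2 func=print_pkt_detail line=5836 msg="vd-vsys_hamgmt:0 received a packet(proto=6, 192.168.10.5:57292->172.23.1.2:443) tun_id=0.0.0.0 from mgmt. flag [S], seq 2076504493, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0d9"
id=65308 trace_id=2 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=2 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=3 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 10.0.0.9:40000->10.0.0.1:22) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=3 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0da"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.0.0.1 via root"
"""

# key=value pairs; the msg value is double-quoted and may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The packet summary line: VDOM, 5-tuple and ingress interface.
PKT_RE = re.compile(
    r'vd-(?P<vdom>[^:]+):\d+ received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>\S+?):(?P<sport>\d+)->(?P<dst>\S+?):(?P<dport>\d+)\).* from (?P<intf>\S+?)\.'
)
RPF_DROP = "reverse path check fail, drop"


def parse_trace(text):
    """Group debug flow lines by trace_id.

    Returns {trace_id: {"msgs": [(func, msg), ...]}} plus, for each trace,
    the fields matched by PKT_RE on its packet summary line."""
    traces = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        tid = fields.get("trace_id")
        if tid is None:
            continue
        entry = traces.setdefault(tid, {"msgs": []})
        msg = fields.get("msg", "")
        entry["msgs"].append((fields.get("func", ""), msg))
        m = PKT_RE.search(msg)
        if m:
            entry.update(m.groupdict())
    return traces


def rpf_drops(traces):
    """Return (trace_id, src, dst, dport, intf, vdom) for each trace that
    the unit dropped with the reverse path check message."""
    dropped = []
    for tid, t in sorted(traces.items(), key=lambda kv: int(kv[0])):
        if any(RPF_DROP in msg for _, msg in t["msgs"]):
            dropped.append((tid, t.get("src"), t.get("dst"), t.get("dport"),
                            t.get("intf"), t.get("vdom")))
    return dropped


def explain(drop):
    """One-line interpretation: an RPF drop means the unit has no route back
    to the source via the ingress interface. In the HA management VDOM that
    points at a missing gateway under config ha-mgmt-interfaces."""
    tid, src, dst, dport, intf, vdom = drop
    where = f"trace {tid}: {src} -> {dst}:{dport} in from {intf} (vdom {vdom})"
    if vdom == "vsys_hamgmt":
        return where + ": no return route to the source; check 'set gateway' under config ha-mgmt-interfaces"
    return where + ": no return route to the source via this interface; check the routing table of the VDOM"


if __name__ == "__main__":
    for d in rpf_drops(parse_trace(SAMPLE_TRACE)):
        print(explain(d))
```

To use it on a real capture, paste the output of the debug commands above into SAMPLE_TRACE or read it from a file; flows that were routed (trace 3 in the constructed sample) are parsed but not reported, so only the drops that need attention remain.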


In order to resolve the issue, follow the steps below:


  1. Go to the CLI of the secondary unit.

To connect to the secondary (slave) FortiGate from the CLI of the primary unit, run the following command. The HA cluster index of each member is listed in the output of 'get system ha status':

execute ha manage <HA cluster index of slave> <username> <password>


  2. Specify the gateway IP address under the HA configuration.

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface <interface name>
            set gateway <x.x.x.x>    <- The gateway must be the same as on the primary unit.
        next
    end
end


After the gateway has been set, the GUI of the secondary unit should be accessible.
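A quick way to confirm the fix, or to catch the mismatch before it causes an outage, is to compare the HA reserved management configuration of both cluster members. The script below parses 'show system ha' style text from the primary and the secondary and flags a disabled ha-mgmt-status, a missing ha-mgmt-interfaces entry, a different interface, a missing gateway, or a gateway that differs from the primary. It is an added example for this article, not Fortinet code; the configuration text is constructed with example values, and the keyword names (ha-mgmt-status, ha-mgmt-interfaces, interface, gateway) are the ones used in the steps above.

```python
"""Compare the HA reserved management configuration of the primary and
secondary units and flag the missing or mismatched gateway that causes the
reverse path check drop.

Added example for this article; it is not Fortinet code. The config text
below is constructed in 'show system ha' style with example values."""

# Constructed: primary with the gateway set.
PRIMARY_HA = """\
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 172.23.1.1
        next
    end
end
"""

# Constructed: secondary as found in the article's scenario, gateway missing.
SECONDARY_HA_BROKEN = """\
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
        next
    end
end
"""

# Constructed: secondary after 'set gateway' was applied (same as primary).
SECONDARY_HA_FIXED = PRIMARY_HA


def parse_fortios_config(text):
    """Minimal parser for FortiOS CLI config text.

    'config X' and 'edit N' open a nested dict under key X / N, 'next' and
    'end' close it, and 'set KEY VALUE' stores VALUE with quotes stripped."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(rest.strip().strip('"'), {})
        elif word in ("next", "end"):
            cur = stack.pop()
        elif word == "set":
            key, _, value = rest.partition(" ")
            cur[key] = value.strip().strip('"')
    return root


def check_ha_mgmt(primary_text, secondary_text):
    """Return a list of findings; empty when the secondary matches the primary."""
    findings = []
    p = parse_fortios_config(primary_text).get("system ha", {})
    s = parse_fortios_config(secondary_text).get("system ha", {})
    if s.get("ha-mgmt-status") != "enable":
        findings.append("secondary: ha-mgmt-status is not enabled")
    p_entries = p.get("ha-mgmt-interfaces", {})
    s_entries = s.get("ha-mgmt-interfaces", {})
    for idx, p_entry in p_entries.items():
        s_entry = s_entries.get(idx)
        if s_entry is None:
            findings.append(f"secondary: ha-mgmt-interfaces entry {idx} is missing")
            continue
        if s_entry.get("interface") != p_entry.get("interface"):
            findings.append(f"secondary: entry {idx} uses interface {s_entry.get('interface')}, "
                            f"primary uses {p_entry.get('interface')}")
        # 'show' omits a default gateway entirely; a full-configuration dump
        # prints it as 0.0.0.0. Treat both as unset.
        s_gw = s_entry.get("gateway", "0.0.0.0")
        if s_gw == "0.0.0.0":
            findings.append(f"secondary: no gateway on entry {idx} ({s_entry.get('interface')}); "
                            "packets from off-link management clients have no return route and "
                            "fail the reverse path check")
        elif s_gw != p_entry.get("gateway"):
            findings.append(f"secondary: gateway {s_gw} on entry {idx} differs from primary "
                            f"{p_entry.get('gateway')}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", SECONDARY_HA_BROKEN), ("fixed", SECONDARY_HA_FIXED)):
        print(name, check_ha_mgmt(PRIMARY_HA, cfg) or ["ok"])
```

Run it with the real 'show system ha' output of both units pasted into the two strings; an empty findings list means the secondary's reserved management entry mirrors the primary's, which is the state the steps above produce.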


For more details about the HA Reserved Management Interface, refer to Technical Tip: HA Reserved Management Interface.