Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Hsharma
Staff
Staff

Created on ‎12-13-2024 07:07 AM Edited on ‎03-30-2025 11:20 PM By Community Manager

Article Id 363766

Troubleshooting Tip: Unable to access secondary unit GUI in HA Reserved Management Interface due to Reverse Path Check Fail Drop.

Description This article describes how to resolve an issue where the user is not able to access a secondary FortiGate GUI interface and receiving the 'reverse path check fail drop' error in debugs.
Scope FortiGate.
Solution

If FortiGate is in the HA cluster and the primary device is accessible through HA Reserved Management interface but the secondary device is not accessible through the GUI, run the following debug commands on the secondary unit. The errors below will be shown:

 

diagnose debug reset

diagnose debug flow filter addr 192.168.x.x 172.23.y.y and

diagnose debug flow filter port 443

diagnose debug console timestamp enable

diagnose debug flow trace start 1000

diagnose debug enable

 

d=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-vsys_hamgmt:0 received a packet(proto=6, 192.168.x.x :57291->
172.23.y.y:443) tun_id=0.0.0.0 from mgmt. flag [S], seq 1914806621, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0d8"
id=65308 trace_id=1 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=1 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=2 func=print_pkt_detail line=5836 msg="vd-vsys_hamgmt:0 received a packet(proto=6, 192.168.x.x:57292->172.23.y.y:
443) tun_id=0.0.0.0 from mgmt. flag [S], seq 2076504493, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=6020 msg="allocate a new session-0db4a0d9"
id=65308 trace_id=2 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=2 func=ip_session_handle_no_dst line=6106 msg="trace"

 

To disable debugs:

 

diagnose debug disable

diagnose debug reset

 

This issue appears to be due to the gateway not being configured under HA configuration on the secondary FortiGate.

 

To resolve the issue, follow the steps below:

 

  1. Go to the CLI of the secondary unit.

To connect to the slave FortiGate, proceed with the following command in the CLI:

 

execute ha manage <HA cluster index of the secondary unit> <username> <password>

 

  1. Specify the gateway IP address under HA configuration.

 

config system ha
    set ha-mgmt-status [enable|disable]

        config ha-mgmt-interface

            edit 1

                set interface <interface name>

                set gateway <x.x.x.x.> <- The gateway should be the same as the primary unit.

            next

end

 

After specifying the Gateway, the Secondary unit GUI should be accessible.

 

For more details about the HA Reserved Management Interface, refer to this KB articleL Technical Tip: HA Reserved Management Interface.
759
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.