Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- IPv6 and RPF
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPv6 and RPF
I have a somewhat working setup on a 91G running 7.4.8, that I am struggling with. Sometimes it works fine, now it doesn't. I have IA-PD from my ISP, and it seems to be correct. I have three interfaces on LAN side that gets each their own /64:
lan (shortened)
ip6-mode :
nd-mode : basic
ip6-address : 2a01:xxxx:161f:670a::1/64
ip6-allowaccess : ping https ssh
ip6-prefix-mode : dhcp6
dhcp6-prefix-delegation: disable
dhcp6-information-request: disable
ip6-delegated-prefix-iaid: 1
ip6-upstream-interface: Vlan102
ip6-subnet : ::a:0:0:0:1/64
The other interfaces have :b: and :c: respectively. Now, when it doesn't work I see that the FortiGate claims there be an RPF check error:
id=65308 trace_id=1 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=58, 2a01:xxxx:161f:6700:4d1d:8bf:981b:5e94:1423->2a01:xxxx:161f:670a::1:128) from lan. type=128, code=0, id=1423, seq=0."
id=65308 trace_id=1 func=resolve_ip6_tuple line=5260 msg="allocate a new session-00000290"
id=65308 trace_id=1 func=ip6_route_input line=2197 msg="reverse path check failed, drop"
I do see that it lists /128 as mask. Is this correct? The interface itself is /64. I've tried to enable asymroute without any luck. The FortiGate can ping fine.
fortigate # execute ping6 google.com
PING google.com(2a00:1450:400f:803::200e) 56 data bytes
64 bytes from 2a00:1450:400f:803::200e: icmp_seq=1 ttl=120 time=8.85 ms
64 bytes from 2a00:1450:400f:803::200e: icmp_seq=2 ttl=120 time=8.85 ms
^C
Labels:
- Labels:
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Could you please check the FortiGate the traffic is receiving which interface and check the reverse for that destination network route is present or not
reverse path will occurs when the route is not present when the traffic is receiving in initial interface
please refer this document:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-FortiOS-RPF-Reverse-Path-For...
Also, provide the below output to the ticket
======================================
dia ipv6 address list
dia sniffer packet any "host <ipv6 addrs>" 4 0 a
then provide the debug flow out to the ticket
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fortigate # diagnose ipv6 address list | grep =lan
dev=31 devname=lan flag= scope=0 prefix=64 addr=2a01:799:161f:670a::1 preferred=25205 valid=25205 cstamp=11901 tstamp=1231606
dev=31 devname=lan flag=P scope=253 prefix=64 addr=fe80::3ac0:eaff:fea9:b37f preferred=4294967295 valid=4294967295 cstamp=5552 tstamp=5552
fortigate # di sniffer packet lan 'host 2a01:799:161f:670a::1' 4 0 l
interfaces=[lan]
filters=[host 2a01:799:161f:670a::1]
2025-06-19 20:38:11.683192 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 0 [flowlabel 0xd0a00]
2025-06-19 20:38:12.683371 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 1 [flowlabel 0xd0a00]
2025-06-19 20:38:13.688726 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 2 [flowlabel 0xd0a00]
2025-06-19 20:38:14.691310 lan -- 2a01:799:161f:6700:4d1d:8bf:981b:5e94 -> 2a01:799:161f:670a::1: icmp6: echo request seq 3 [flowlabel 0xd0a00]
^C
4 packets received by filter
0 packets dropped by kernel
fortigate # get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, B - BGP, V - BGP VPNv6
> - selected route, * - FIB route, p - stale info
Timers: Uptime
Routing table for VRF=0
S ::/0 [10/0] via ::, Vlan102, 04:27:24, [1024/0]
K *> ::/0 via fe80::201:2ff:fe61:1, Vlan102, 04:27:24
C *> ::1/128 via ::, root, 04:27:24
C *> 2a01:798:100:5800:4543:311b:756a:459/128 via ::, Vlan102, 04:27:02
C *> 2a01:799:161f:670a::/64 via ::, lan, 04:27:02
fortigate # di de flow filter6 daddr 2a01:799:161f:670a::1
fortigate # di de en
fortigate # di de flow trace start6 4
fortigate # id=65308 trace_id=11 func=resolve_ip6_tuple_fast line=5109 msg="vd-root:0 received a packet(proto=58, 2a01:799:161f:6700:4d1d:8bf:981b:5e94:7266->2a01:799:161f:670a::1:128) from lan. type=128, code=0, id=7266, seq=0."
id=65308 trace_id=11 func=resolve_ip6_tuple line=5260 msg="allocate a new session-0000293b"
id=65308 trace_id=11 func=ip6_route_input line=2197 msg="reverse path check failed, drop"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see that the DHCP server might not do what it should;
The interface IP is 2a01:xxx:161f:670a::1/64, but the client got
2a01:xxx:161f:6700:...
The server is quite straight-forward
config system dhcp6 server
edit 1
set subnet ::/64
set interface "lan"
set upstream-interface "Vlan102"
set delegated-prefix-iaid 1
set ip-mode delegated
set dns-server1 2001:4860:4860::8888
set dns-server2 2001:4860:4860::8844
next
and for the upstream interface I got
ipv6:
ip6-mode : dhcp
DHCPv6 Lease Expires :Fri Jun 20 15:36:45 2025
nd-mode : basic
ip6-address : 2a01:xxx:100:5800:4543:311b:756a:459/128
ip6-allowaccess : ping
icmp6-send-redirect : enable
ra-send-mtu : enable
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
dhcp6-prefix-delegation: enable
delegated-prefix iaid 1 : 2a01:xxx:161f:6700::/56
so the server doesn't consider the interface IP?
Created on 06-19-2025 11:17 PM Edited on 06-19-2025 11:18 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Output from the dhcp6s process
fortigate # di de app dhcp6s -1
Debug messages will be on for 20 minutes.
fortigate # di de en
fortigate # execute dhcp6 lease-clear all
[debug]dhcp6_check_timer() called
[debug]dhcp6_check_timer() called
[debug]dhcp6_check_timer() timer func=0x5572669f78
[debug]binding_save_timo() called binding_changed=0
[debug]server6_recv() called
[debug]server6_recv() received solicit from fe80::1cc7:14b5:5302:f5d8%lan
[debug]server6_recv() dhcp6 solicit: search ifp lan's subnet against interface address=2a01:xxx:161f:670a::1
[debug]dhcp6_check_timer() called
[debug]server6_recv() called
[debug]server6_recv() received solicit from fe80::1cc7:14b5:5302:f5d8%lan
[debug]server6_recv() dhcp6 solicit: search ifp lan's subnet against interface address=2a01:xxx:161f:670a::1
[debug]dhcp6_check_timer() called
[debug]server6_recv() called
[debug]server6_recv() received solicit from fe80::1cc7:14b5:5302:f5d8%lan
[debug]server6_recv() dhcp6 solicit: search ifp lan's subnet against interface address=2a01:xxx:161f:670a::1
[debug]dhcp6_check_timer() called
[debug]server6_recv() called
[debug]server6_recv() received solicit from fe80::1cc7:14b5:5302:f5d8%lan
[debug]server6_recv() dhcp6 solicit: search ifp lan's subnet against interface address=2a01:xxx:161f:670a::1
[debug]dhcp6_check_timer() called
[debug]dhcp6_check_timer() called
[debug]dhcp6_check_timer() timer func=0x5572671fc8
[debug]dhcp6s_ha_dump_timeo() called
[debug]dhcp6_check_timer() called
[debug]dhcp6_check_timer() timer func=0x5572669f78
[debug]binding_save_timo() called binding_changed=0
[debug]server6_recv() called
[debug]server6_recv() received solicit from fe80::1cc7:14b5:5302:f5d8%lan
[debug]server6_recv() dhcp6 solicit: search ifp lan's subnet against interface address=2a01:xxx:161f:670a::1
[debug]dhcp6_check_timer() called
[debug]server6_recv() called
[debug]server6_recv() received solicit from fe80::1cc7:14b5:5302:f5d8%lan
[debug]server6_recv() dhcp6 solicit: search ifp lan's subnet against interface address=2a01:xxx:161f:670a::1
[debug]dhcp6_check_timer() calledThe client still gets an IP outside the interface subnet:
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=6464<VLAN_MTU,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
ether 64:4b:f0:37:54:f8
inet6 fe80::1cc7:14b5:5302:f5d8%en4 prefixlen 64 secured scopeid 0x10
inet 192.168.1.110 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2a01:xxx:161f:6700:101b:9552:2fbf:5a6d prefixlen 64 autoconf secured
inet6 2a01:xxx:161f:6700:15fa:a47e:30f6:8d53 prefixlen 64 autoconf temporary
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,flow-control>)
status: active
Labels
-
FortiGate
10,495 -
FortiClient
2,131 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
561 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
125 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
FortiDNS
44 -
VDOM
44 -
Application control
44 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
FortiAI
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
FortiAIOps
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.