Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mbrowndcm
New Contributor III

Created on ‎05-23-2011 08:27 AM

Odd " reverse path check fail, drop" , no ICMP replies from interface

Hello, I am having a strange issue that when I ping the interface of the firewall, I do not receive an echo reply (" PING" to the interface is enabled). Tracing the flow, I see the following message: " reverse path check fail, drop" Performing some research, I saw this KB: http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30543 This is not the case at all: My host is 192.168.20.20, the firewall interface is 192.168.20.1. I do have restrictive firewall policies in place, specifically to deny anything across the firewall incoming on the port, but not to the port. Why would this be occurring? Thanks, Matt [edit] Found the issue :D # get router info routing-table all C 192.168.20.1/32 is directly connected, internal2 Apparently, something isn' t configured correctly... [edit 2] The netmask of the interface was configured as /32, it should have been /24. # get router info routing-table all C 192.168.20.0/24 is directly connected, internal2 [edit 3] Now I' m getting " iprope_in_check() check failed, drop" http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31702 PING enabled on interface: Yes Ingress host match: Yes Traversing firewall interfaces: No hmmm.....
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
3926
0 Kudos
3 REPLIES 3
ede_pfau
SuperUser
SuperUser

Created on ‎05-23-2011 09:16 AM

Hi, either " restriced hosts" is set and does not match your source IP (netmask?), or mgmt is enabled on one interface, you get in via a different interface and there is no policy allowing this. The " /32" host route is a very nice example for the reverse path check failure: there was no route for .20.20 as this address was not included. Works as expected. But I' ve stumbled upon this one many times before.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1549
0 Kudos
mbrowndcm
New Contributor III

Created on ‎05-24-2011 06:50 AM

Sure enough... In order to PING an interface, the host needs to be allowed in System> Admin> Administrators> a logon username> add host here Why have (part of) the ACL for ICMP on the interface there? Who knows! Thanks, Matt
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
1549
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎05-24-2011 07:37 AM

it' s not a bug...it' s a feature! You' ll find this in many places of the FortiOS: they try to separate options that control different scopes. In your case, the interface options control the overall accessibility, namely the allowed services - regardless of user or user priviledge. In the user options you (may) specify additional restrictions based on the source IP or source subnet of this user. So, service on one hand and (kind of) user-based ACL on the other. Both couldn' t be thrown together on one page without mixing global and user scope. Glad it works for you now.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
1549
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.