JLopezM22
New Contributor II

error - reverse path check fail, drop

Hi everyone,

We're trying to connect 2 sites with an IPsec VPN. With the tunnel up and working, we have the following issue:

 

Scenario:

Trying to connect 192.168.0.102 --> 10.58.152.10

Having the following issue:

[attached screenshot JLopezM22_0-1657024143582.png: log entry "reverse path check fail, drop"]

 

Anyone can help please?

1 Solution
JLopezM22
New Contributor II

Finally solved restoring backup :)

sagha
Staff

Hi,

Please provide the output for the following:

 

get router info routing-table details 192.168.0.102 

get router info routing-table details 10.58.152.10

 

Once you share these outputs, we can clarify what might be going wrong here.

 

Thank you. 

Shahan

 

JLopezM22
New Contributor II

 

Routing table for VRF=0
Routing entry for 192.168.0.0/22
Known via "connected", distance 0, metric 0, best
* is directly connected, VLAN-A.

 

FGT01 (root) ## get router info routing-table details 10.58.152.1

Routing table for VRF=0
Routing entry for 10.58.152.0/24
Known via "static", distance 10, metric 0
10.58.152.1, via port14

Routing entry for 10.58.152.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port14

sagha

Hi,

As you can see, there is no route for 192.168.0.102 via the IPsec interface; that is why you are seeing the reverse path check failure.

 

Routing table for VRF=0
Routing entry for 192.168.0.0/22
Known via "connected", distance 0, metric 0, best
* is directly connected, VLAN-A.

 

You are receiving the traffic from the source interface IPsec, and you should also have a route that points at the IPsec interface for 192.168.0.102.

Please add a static route and it should fix this.

 

Thanks, 

Shahan

JLopezM22
New Contributor II

Now I have the following:

 

KS-SS-01 (root) # get router info routing-table details 192.168.0.102

Routing entry for 192.168.0.0/22
  Known via "connected", distance 0, metric 0, best
  * is directly connected, VLAN_A
  * is directly connected, VLAN_A
  * is directly connected, VLAN_A

Routing entry for 192.168.0.0/22
  Known via "static", distance 10, metric 0
    directly connected, IPSEC-A

 

KS-SS-01 (root) # get router info routing-table details 10.58.152.10

Routing table for VRF=0
Routing entry for 10.58.152.0/24
  Known via "static", distance 9, metric 0
    10.58.152.1, via port14

Routing entry for 10.58.152.0/24
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port14

sagha

Hi,

I would suggest adding a more specific route, as in this case the connected route via VLAN_A would be preferred. Maybe you can test with adding a route only for 192.168.0.102/32.

 

Thanks, 

Shahan
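To make the routing logic behind the two suggestions above concrete, here is an added example (not code from the thread or from Fortinet) that models a reverse path forwarding check over the routes quoted in the thread. It assumes a simplified strict mode (the best route back to the source, by longest prefix then lowest distance, must leave via the ingress interface) and a loose mode (any route back to the source via the ingress interface is enough); the interface names VLAN_A, IPSEC-A and port14 and the prefixes come from the posted outputs, and the route tables are constructed to represent the "before", "same-prefix static route" and "/32 static route" states.

```python
"""Model of a reverse path forwarding (RPF) check, using the routes from the
thread. Added example; the strict/loose semantics are a simplification and
not FortiOS's implementation."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int  # administrative distance; lower wins among equal-length prefixes


def R(prefix, interface, distance):
    return Route(ipaddress.ip_network(prefix), interface, distance)


# Constructed tables based on the outputs posted in the thread.
ROUTES_BEFORE = [
    R("192.168.0.0/22", "VLAN_A", 0),      # connected LAN
    R("10.58.152.0/24", "port14", 0),      # connected
    R("10.58.152.0/24", "port14", 9),      # static, same prefix, never preferred
]

# Static route for the whole /22 via the tunnel (the first suggestion, as posted).
ROUTES_SAME_PREFIX = ROUTES_BEFORE + [R("192.168.0.0/22", "IPSEC-A", 10)]

# More specific /32 route via the tunnel (the second suggestion).
ROUTES_SPECIFIC = ROUTES_BEFORE + [R("192.168.0.102/32", "IPSEC-A", 10)]


def best_route(routes, addr):
    """Longest prefix match, ties broken by lowest administrative distance."""
    addr = ipaddress.ip_address(addr)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def rpf_check(routes, src, ingress, strict=True):
    """Return (passed, reason).

    strict: the best route back to src must exit via the ingress interface.
    loose:  any route back to src via the ingress interface is accepted.
    A failure corresponds to the log message 'reverse path check fail, drop'.
    """
    src_addr = ipaddress.ip_address(src)
    if strict:
        r = best_route(routes, src_addr)
        if r is None:
            return False, "no route to source"
        return r.interface == ingress, f"best route {r.prefix} via {r.interface}"
    via_ingress = [r for r in routes if src_addr in r.prefix and r.interface == ingress]
    if via_ingress:
        return True, f"route {via_ingress[0].prefix} exists via {ingress}"
    return False, f"no route to source via {ingress}"


if __name__ == "__main__":
    src, ingress = "192.168.0.102", "IPSEC-A"
    for name, table in [("before", ROUTES_BEFORE),
                        ("same-prefix static", ROUTES_SAME_PREFIX),
                        ("/32 static", ROUTES_SPECIFIC)]:
        for mode in (True, False):
            ok, why = rpf_check(table, src, ingress, strict=mode)
            print(f"{name:20s} {'strict' if mode else 'loose':6s} "
                  f"{'pass' if ok else 'DROP':4s}  {why}")
```

Running it shows the point of the second suggestion: a /22 static route via IPSEC-A only helps in loose mode, because the connected /22 on VLAN_A (distance 0) still wins the strict comparison, whereas a /32 via IPSEC-A is a longer match and passes in both modes. The same table also shows why a source arriving on VLAN_A passes untouched.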

sagha
Staff

Hi,

You can also check the following article for details: https://community.fortinet.com/t5/FortiGate/Technical-Note-Details-about-FortiOS-RPF-Reverse-Path-Fo...


Thank you. 

Shahan

JLopezM22
New Contributor II

Finally solved restoring backup :)
