Firewall – Fortigate reverse path check fail

Tags: firewall, fortigate

I have a Fortigate 1240B with a VLAN interface with IP 172.22.0.27/16. When a directly connected host tries to ping my IP, I get the messages below.

id=36871 trace_id=2 func=resolve_ip_tuple_fast line=3788 msg="vd-root received a packet(proto=1, 172.22.0.3:49->172.22.0.27:8) from port30."
id=36871 trace_id=2 func=resolve_ip_tuple line=3928 msg="allocate a new session-01450d77"
id=36871 trace_id=2 func=ip_route_input_slow line=1277 msg="reverse path check fail, drop"
id=36871 trace_id=2 func=ip_session_handle_no_dst line=3964 msg="trace"

Ping is enabled on the interface, and I have already tried enabling asymroute.

Best Answer

(This question seems to be stale but might be found while searching anyway.)
The debug message indicates that the Fortigate drops this traffic as being from an unknown source net. This is called the Reverse Path Check or anti-spoofing feature. The absence of other messages here signifies that a route to the source network for this packet is missing, which can be
- either a directly connected subnet on a port, or
- a route statically assigned or learned by a routing protocol.

So your first action would be to look into the Routing Monitor (not the routing table!), which shows the active routes. You can access it either from the GUI (System>Router>Monitor) or from the CLI with the command listed above by @Puglet.
If there is a route back to the source subnet then check if there is a valid policy to allow this traffic.

You can research these symptoms in the Fortinet Knowledgebase, which is publicly accessible at http://kb.fortinet.com. For instance, look up http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD35076 for RPF.
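To make the answer's explanation concrete, here is an added example (editor's code, not FortiOS code and not part of the original thread) that models the reverse path check over a small routing table: it pulls the source address and ingress port out of the first debug flow line quoted in the question, looks the source up with a longest-prefix match, and reports whether the packet would pass a loose check (any route to the source exists) or a strict check (the best route points back out the ingress interface). The routing tables and the interface names (`port1`, `port2`, `vlan22`) are constructed for the example; the proto/port fields are parsed but not used.

```python
"""Model of a reverse-path (anti-spoofing) check, as a FortiGate-style
firewall applies it to the *source* address of an inbound packet.

Added example: this is not FortiOS code. The routing tables below are
constructed; only QUESTION_FLOW_LINE is taken from the forum question.
"""
import ipaddress
import re

# First "diagnose debug flow" line from the question: we need the source
# address and the ingress port ("from port30") out of it.
QUESTION_FLOW_LINE = (
    'id=36871 trace_id=2 func=resolve_ip_tuple_fast line=3788 '
    'msg="vd-root received a packet(proto=1, 172.22.0.3:49->172.22.0.27:8) '
    'from port30."'
)

FLOW_LINE_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<port>\w+)\.'
)


def parse_flow_line(line):
    """Return (src_ip, dst_ip, ingress_port) from a 'received a packet' line."""
    m = FLOW_LINE_RE.search(line)
    if not m:
        raise ValueError("not a 'received a packet' debug flow line: %r" % line)
    return (ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            m["port"])


def build_routes(entries):
    """entries: iterable of (prefix, interface) pairs, e.g. ('172.22.0.0/16', 'vlan22').

    Returns [(network, interface)] sorted most-specific first so that a
    linear scan in lookup() is a longest-prefix match."""
    routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def lookup(routes, ip):
    """Longest-prefix match of ip; returns (network, interface) or None."""
    ip = ipaddress.ip_address(ip)
    for net, iface in routes:
        if ip in net:
            return net, iface
    return None


def reverse_path_check(routes, src_ip, ingress, strict=False):
    """Return (passed, reason).

    Loose mode: pass if *any* active route covers the source (a default
    route counts). Strict mode: additionally require that the best route
    to the source leaves through the interface the packet arrived on."""
    src_ip = ipaddress.ip_address(src_ip)
    best = lookup(routes, src_ip)
    if best is None:
        return False, "no route to source %s: reverse path check fail, drop" % src_ip
    net, iface = best
    if strict and iface != ingress:
        return False, ("best route to %s (%s) is via %s but packet arrived on %s: drop"
                       % (src_ip, net, iface, ingress))
    return True, "route to %s via %s: check passed" % (net, iface)


def demo():
    """Run the packet from the question against three constructed tables."""
    src, _dst, ingress = parse_flow_line(QUESTION_FLOW_LINE)
    # Constructed tables; interface names are assumptions, not the asker's config.
    base = [("10.0.0.0/8", "port1"), ("192.168.1.0/24", "port2")]
    no_route = build_routes(base)                                   # nothing covers 172.22.0.3
    via_other = build_routes(base + [("172.22.0.0/16", "vlan22")])  # route, but not on port30
    via_ingress = build_routes(base + [("172.22.0.0/16", "port30")])
    results = {
        "no_route": reverse_path_check(no_route, src, ingress)[0],
        "route_other_iface_loose": reverse_path_check(via_other, src, ingress)[0],
        "route_other_iface_strict": reverse_path_check(via_other, src, ingress, strict=True)[0],
        "route_ingress_strict": reverse_path_check(via_ingress, src, ingress, strict=True)[0],
    }
    return results


if __name__ == "__main__":
    for name, passed in demo().items():
        print("%-26s %s" % (name, "pass" if passed else "DROP"))
```

The first case reproduces the symptom in the question: no active route covers the source, so the packet is dropped before any policy is evaluated, which is why the answer sends you to the Routing Monitor before the policy table. The other cases show why the ingress interface matters once strict checking is in play: a route to the source subnet that leaves through a different interface than the one the packet arrived on satisfies only the loose check. FortiOS applies the loose form by default; the strict form is enabled with `set strict-src-check enable` under `config system settings`.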