Troubleshooting Reverse Path Forwarding (RPF)
Reverse path forwarding (RPF) is a method by which routers reduce, and in most cases eliminate, the looping of multicast packets. Preventing packet looping is an important part of denying IP address spoofing, which can lead to denial of service attacks. Besides exposing your router, and through it your servers, to attack, looping can also degrade the signal strength on the network the router is attached to. If you begin to experience RPF failure, there are a few common reasons why. Troubleshooting RPF can be very technical, but the following steps may help you remedy the failure more easily.
Instructions
1. Check your router specifications to ensure it meets all the prerequisites required to use reverse path forwarding successfully. In your router's settings panel, make sure that Cisco Express Forwarding (CEF) or distributed Cisco Express Forwarding is enabled; a missing CEF prerequisite is a primary cause of RPF errors. Because different router manufacturers use different settings panels, it may be necessary to refer to your specific router's user manual.
2. Add a classification deny access list to any interface that is known to drop packets. In a terminal screen type "Router# show ip interface {type/slot/port} | include verif" and copy the output into a text editor. Save the text to your desktop. In the terminal type "Router(config-if)# ip verify unicast source reachable-via any 199" to apply access list 199 to the interface that is dropping the packets.
3. Run RPF checking if an interface is returning NAT errors. NAT errors are typically caused by traffic looping in one direction and being sent the opposite direction by the router, and they are also a major cause of RPF failure. Typing "ip verify reverse-path interface outside" on the command line in your terminal will run RPF checking on the interface. The "ip verify reverse-path interface outside" command is commonly used together with the "ip verify reverse-path interface inside" command. In this case the "inside" command is not necessary, as we are only trying to prevent attacks from the Internet.
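The checks that steps 2 and 3 enable are unicast RPF decisions: the router looks up the packet's source address in its forwarding table and compares the result with the interface the packet arrived on. On Cisco IOS, "reachable-via rx" is strict mode (the best route back to the source must point out the receiving interface) and "reachable-via any", as used in step 2, is loose mode (any route back to the source suffices); a trailing access list such as 199 lets packets that fail the check through anyway when the list permits them. The following simulation is an added example, not code from the original article or from any vendor: the routing table, interface names, exemption list and sample packets are all constructed, and the default-route handling mirrors IOS behaviour without the "allow-default" keyword.

```python
"""Simulate unicast RPF (uRPF) decisions in strict and loose mode, with an
exemption ACL (standing in for the page's access list 199) applied to packets
that fail the check. All data here is constructed for illustration."""
import ipaddress

# Constructed forwarding table: prefix -> set of interfaces that reach it
# (a set allows equal-cost multipath routes).
ROUTES = {
    "0.0.0.0/0":       {"outside"},
    "10.0.0.0/8":      {"inside"},
    "10.50.0.0/16":    {"dmz"},
    "192.0.2.0/24":    {"outside"},
    "198.51.100.0/24": {"inside", "dmz"},   # multipath route
}

# Constructed exemption ACL: sources forwarded even though they fail RPF,
# e.g. a peer whose return path is known to be asymmetric.
EXEMPT_ACL = ["203.0.113.7/32"]


def lookup(src, allow_default=False):
    """Longest-prefix match for the source address.
    Returns (network, interfaces) or None. The default route is ignored
    unless allow_default is set, as IOS does without 'allow-default'."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def acl_permits(src):
    """True if the exemption ACL permits this source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in EXEMPT_ACL)


def rpf_check(src, ingress, mode="strict", allow_default=False):
    """Return 'forward' or 'drop' for a packet from src arriving on ingress.
    strict (reachable-via rx):  the best route back to src must use ingress.
    loose  (reachable-via any): any route back to src is enough.
    A packet that fails is still forwarded if the exemption ACL permits it."""
    route = lookup(src, allow_default)
    if route is None:
        passed = False           # no route back to the source at all
    elif mode == "loose":
        passed = True            # a route exists; interface is not checked
    else:
        passed = ingress in route[1]
    return "forward" if passed or acl_permits(src) else "drop"


def evaluate(packets, mode):
    """Apply rpf_check to a list of (source, ingress interface) pairs."""
    return [rpf_check(src, iface, mode) for src, iface in packets]


# Constructed sample packets: (source address, ingress interface)
PACKETS = [
    ("10.1.2.3", "inside"),      # source lives behind inside: legitimate
    ("10.1.2.3", "outside"),     # internal source arriving from outside: spoofed
    ("10.50.4.4", "inside"),     # more-specific /16 points at dmz, not inside
    ("198.51.100.9", "dmz"),     # multipath: inside or dmz both pass strict
    ("203.0.113.7", "inside"),   # no route, but exempted by the ACL
    ("203.0.113.8", "inside"),   # no route, not exempt: dropped in both modes
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for (src, iface), verdict in zip(PACKETS, evaluate(PACKETS, mode)):
            print(f"{mode:6} {src:15} via {iface:8} -> {verdict}")
```

Running the block side by side shows why the mode matters: the spoofed packet from 10.1.2.3 arriving on "outside" is dropped in strict mode but forwarded in loose mode, because loose mode only asks whether some route back to the source exists. Loose mode is the usual choice where routing is asymmetric, and the exemption list is the escape hatch for individual sources when strict mode is in use.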