IP options: "0x14" error?

Unanswered Question
Jul 2nd, 2008

Getting some of these in my syslog.


Deny IP from 10.122.25.52 to 10.63.30.12, IP options: "0x14"



This PIX on the 10.122.x.x subnet is connected to another via IPsec. OS is 6.3.x. The two endpoints are video conf systems pushing H.323 video between them via the IPsec tunnel. Video between the units works 100%, I just don't like seeing these errors. The other PIX on the 10.63.x.x network has the same errors, matching the other endpoint.

michael.leblanc Thu, 07/03/2008 - 11:56

The following statement:


This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.


... is from the document:


http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.pdf


Search on the phrase "106012" to find it, and more.



The following link provides more info on IP Option Numbers:


http://www.iana.org/assignments/ip-parameters



The following RFC deals specifically with the IP Router Alert Option:


http://www.ietf.org/rfc/rfc2113.txt


You could put a sniffer on the link if you want a closer look (source, destination, application, etc.).


dmooreami Mon, 07/07/2008 - 05:21

That makes sense, it is an H.323 video conference conversation and I can use IP precedence if I want to. So yes, the packet does have IP options, as it should.


Any idea how to remove this block and allow it?

michael.leblanc Mon, 07/07/2008 - 12:39

IP Precedence and IP Options are not the same thing.


IP Precedence is conveyed in the Type of Service (TOS) field in the IP header.


The Options field follows the destination IP address field in the IP header, and is used for entirely different purposes.


You'd have to examine the packets with a sniffer to verify what they are in order to make an informed decision on whether they should be unblocked, or not.
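As an added illustration for both replies above (this is example code, not something from the thread or from Cisco), the script below parses an IPv4 header the way a firewall's packet integrity check would: it reads the IP Precedence bits out of the TOS byte, then walks the Options field that follows the destination address and decodes each option type byte into its copied flag, class and number. 0x14 and 0x94 share option number 20, which the IANA ip-parameters registry assigns to Router Alert (RFC 2113); the thread does not settle whether the logged value includes the copied flag, so both decode the same way. The sample packets are constructed here using the two addresses from the log line; the precedence value 5, the Router Alert option and all helper names are my own assumptions.

```python
import struct

# Option numbers (low five bits of the type byte) and names as listed in the
# IANA ip-parameters registry linked above.
OPTION_NAMES = {0: "EOOL", 1: "NOP", 2: "SEC", 3: "LSR", 4: "TS", 7: "RR",
                9: "SSR", 20: "RTRALT (Router Alert, RFC 2113)"}

# IP Precedence lives in the top three bits of the TOS byte (RFC 791), not in Options.
PRECEDENCE_NAMES = ("Routine", "Priority", "Immediate", "Flash", "Flash Override",
                    "CRITIC/ECP", "Internetwork Control", "Network Control")


def decode_option_type(type_byte):
    # Type byte layout: copied flag (1 bit), class (2 bits), number (5 bits).
    # 0x14 and 0x94 differ only in the copied flag; both are option number 20.
    number = type_byte & 0x1F
    return {"type": type_byte, "copied": bool(type_byte & 0x80),
            "class": (type_byte >> 5) & 0x03, "number": number,
            "name": OPTION_NAMES.get(number, "unassigned/unknown")}


def parse_options(raw):
    # Walk the options area between the destination address and the payload.
    options, i = [], 0
    while i < len(raw):
        opt = decode_option_type(raw[i])
        options.append(opt)
        if opt["type"] == 0:            # EOOL: one byte, ends the list
            break
        if opt["type"] == 1:            # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option truncated before its length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option length %d runs past the header" % length)
        opt["data"] = raw[i + 2:i + length]
        i += length
    return options


def ipv4_checksum(header):
    # RFC 791 one's-complement sum of 16-bit words; zero when run over a valid header.
    total = 0
    for i in range(0, len(header), 2):
        total += header[i] << 8 | (header[i + 1] if i + 1 < len(header) else 0)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data):
    # Return the fields relevant to this log message: addresses, precedence, options.
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    precedence = data[1] >> 5
    return {"src": ".".join(str(b) for b in data[12:16]),
            "dst": ".".join(str(b) for b in data[16:20]),
            "precedence": precedence, "precedence_name": PRECEDENCE_NAMES[precedence],
            "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
            "options": parse_options(data[20:ihl])}


def build_ipv4_header(src, dst, precedence=0, options=b""):
    # Constructed test input only: minimal header, options padded with EOOL to 32 bits.
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, (precedence & 0x7) << 5,
                      ihl * 4, 0, 0, 64, 17, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split(".")))) + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed samples using the addresses from the log line in the question:
# both carry precedence 5; only the first also carries a Router Alert option.
ROUTER_ALERT = b"\x94\x04\x00\x00"   # type 0x94, length 4, value 0 (RFC 2113)
SAMPLE_WITH_OPTION = build_ipv4_header("10.122.25.52", "10.63.30.12", 5, ROUTER_ALERT)
SAMPLE_NO_OPTION = build_ipv4_header("10.122.25.52", "10.63.30.12", 5)

if __name__ == "__main__":
    for label, pkt in (("with option", SAMPLE_WITH_OPTION), ("no option", SAMPLE_NO_OPTION)):
        h = parse_ipv4_header(pkt)
        print(label, h["src"], "->", h["dst"], "precedence", h["precedence_name"],
              "options", [(hex(o["type"]), o["name"]) for o in h["options"]])
```

Running the script shows that both packets carry precedence 5 while only the first has anything in the Options field, which is the distinction the reply makes: a packet can use IP Precedence without having IP options at all, and the 106012 message only concerns the latter.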


dmooreami Mon, 07/07/2008 - 12:41

Yep, they need to be unblocked. They are my two H.323 endpoints going in/out of my IPsec tunnel.
