IP options: "0x14" error?

dmooreami · ‎07-02-2008

Getting some of these in my syslog.

Deny IP from 10.122.25.52 to 10.63.30.12, IP options: "0x14"

This pix on 10.122.x.x subnet is connected to another via IPsec. OS is 6.3.x. The two endpoints are video conf systems pushing h323 video between via the ipsec tunnel. Video between the units works 100%, I just don't like seeing these errors. The other pix on the 10.63.x.x network has the same errors that match the other endpoint

michael.leblanc · ‎07-03-2008

The following statement:

This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

... is from the document:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.pdf

Search on the phrase "106012" to find it, and more.

The following link provides more info on IP Option Numbers:

http://www.iana.org/assignments/ip-parameters

The following RFC deals specifically with the IP Router Alert Option:

http://www.ietf.org/rfc/rfc2113.txt

You could put a sniffer on the link if you want a closer look (source, destination, application, etc.).

dmooreami · ‎07-07-2008

That makes sense, it is an H323 video conference conversation and I can use Ip presidence if I want to. So yes, the packet does have Ip options, as it should.

Any idea how to remove this block and allow it?

michael.leblanc · ‎07-07-2008

IP Precedence and IP Options are not the same thing.

IP Precedence is conveyed in the Type of Service (TOS) field in the IP header.

The Options field follows the destination IP address field in the IP header, and is used for entirely different purposes.

You'd have to examine the packets with a sniffer to verify what they are in order to make an informed decision on whether they should be unblocked, or not.

dmooreami · ‎07-07-2008

Yep, they need to be unblocked. they are my two h323 enpoints going in/out of my ipsec tunnel.