06-08-2009 10:29 PM - edited 03-11-2019 08:41 AM
Hi, I would like to have an expert opinion about an ASA msg log.
I deployed a pair of ASAs with 3 legs (outside, inside and DMZ).
Currently there is an IP video conferencing device in the DMZ.
Once we tested the video conferencing, the quality of the video was very bad. A lot of dropped packets (seen from the device).
I did check in the ASA and found that there were a lot of packets being dropped because of MSG log 106012.
I went through the Cisco documentation and found this:
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279793
Can anyone explain this symptom? And is there a workaround solution for this?
Thanks
Richard
06-12-2009 09:56 AM
This error message is related to IP packets that have the TOS bit set to on; in other words, they are using some QoS values. What kind of traffic is this? Voice maybe? Now it looks like the error message is not complete: "IP options hex" should contain a hex value after that.
06-12-2009 10:57 AM
I'm not sure, but if Oscar is right, try this on the interface of the switch where the device is connected (assuming you are using a Cisco 2960)
(config-if)#mls qos cos override
This will reset the TOS of the packets originated on this device.
Guido.
Please rate all the helpful comments.
06-29-2009 02:50 AM
Hi,
Thank you for your responses.
I've tried to set the "mls qos cos override" on the switch interface that is connected to the firewall, but the issue was still there.
I captured some logs from the ASA.
6|Jun 29 2009|17:56:05|106012|VC01||202.155.32.29||Deny IP from VC01 to 202.155.32.29, IP options: "Router Alert"
Any idea what it means by "Router Alert"?
Thanks
06-29-2009 05:07 AM
IP options are part of the IP header, but are not used, and because they are a security risk, most firewalls and routers block them.
http://en.wikipedia.org/wiki/IPv4
You have two workarounds:
1) Upgrade the firmware of the VoIP device if this problem was corrected.
2) Put this device before the firewall, with a public IP. (I did that for a client a few months ago)
Guido.
Please rate all the helpful comments.
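What the "Router Alert" in the 106012 message refers to, shown as an added example that is not part of the thread: a small Python decoder for the options area of an IPv4 header, where option type 0x94 is Router Alert (RFC 2113). The sample header is constructed with documentation addresses, not captured from the device discussed here, and the function and constant names are assumptions.

```python
# Added example: decode the options area of an IPv4 header.
# Option type bytes per RFC 791 / RFC 2113 (subset only).
OPTION_NAMES = {
    0x07: "Record Route",
    0x44: "Timestamp",
    0x83: "Loose Source Route",
    0x89: "Strict Source Route",
    0x94: "Router Alert",
}

# Constructed sample: IHL=6 (24-byte header), TOS=0, protocol 46,
# 192.0.2.10 -> 198.51.100.20, one Router Alert option, 8 payload bytes.
SAMPLE = bytes.fromhex(
    "46000020" "00004000" "402e0000" "c000020a" "c6336414" "94040000"
) + bytes(8)


def parse_ipv4_options(packet: bytes):
    """Return (protocol, tos, [(option_name, option_data), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    # The TOS/DSCP byte is a separate header field from the options area.
    tos, protocol = packet[1], packet[9]
    raw = packet[20:ihl * 4]  # options exist only when IHL > 5
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0x00:  # End of Option List: the rest is padding
            break
        if kind == 0x01:  # No Operation is a single byte, no length field
            opts.append(("No Operation", b""))
            i += 1
            continue
        # Every other option is type, length, data; length covers all three.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option length")
        length = raw[i + 1]
        name = OPTION_NAMES.get(kind, f"Unknown(0x{kind:02x})")
        opts.append((name, raw[i + 2:i + length]))
        i += length
    return protocol, tos, opts


if __name__ == "__main__":
    print(parse_ipv4_options(SAMPLE))
```

Running the same decoder over a packet capture taken on the DMZ segment shows which protocol the device sends with the option set, which is the traffic the ASA is logging under 106012.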
07-09-2009 02:27 AM
Hi,
Seems like there is no workaround solution for this using ASA.
Thanks for all the useful information and guidance.