12-30-2011 09:14 AM - edited 03-11-2019 03:08 PM
Hi,
I'm receiving the following error for igmpv2 traffic:
6 | Dec 30 2011 | 12:08:06 | 172.28.9.5 | 225.10.249.12 | Deny IP from 172.28.9.5 to 225.10.249.12, IP options: "Router Alert" |
The syslog ID is 106012 and the explanation to correct this makes no sense to me. In other discussions I've seen that this is related to a global policy but I'm not sure how or where to get around it. Thanks.
12-30-2011 03:12 PM
Hello Mike,
What version are you running?
Julio
01-03-2012 08:06 AM
Julio,
ASA 8.25, ASDM 6.45.
Thanks
01-04-2012 06:14 AM
Hello,
By default, the ASA will drop packets that have the Router Alert option set. If you want to allow these packets through the ASA, you can configure a custom inspection via MPF:
policy-map type inspect ip-options allow-router-alert
parameters
router-alert action allow
policy-map global_policy
class inspection_default
inspect ip-options allow-router-alert
service-policy global_policy global
You can find more details here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1548725
-Mike
01-09-2012 09:37 AM
Mike,
I tried adding these, no go, same failures for router alert, even after reload.
Mike
01-09-2012 09:38 AM
Hi Mike,
Can you share a sanitized copy of the config you used and the output of 'show service-policy' after you start seeing the drops?
-Mike
01-09-2012 11:59 AM
Mike,
Here you go:
ASA Version 8.2(5)
!
hostname
enable password encrypted
passwd encrypted
multicast-routing
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.19.0.2 255.255.255.252
igmp query-max-response-time 20
igmp query-interval 10
!
interface Vlan2
nameif outside
security-level 0
ip address 172.29.9.1 255.255.255.248
igmp query-max-response-time 20
igmp query-interval 10
!
pim rp-address 10.18.1.1 pimACL_RP
pim old-register-checksum
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list pimACL_RP standard permit 225.17.0.0 255.255.0.0
access-list pimACL_RP standard permit 225.18.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.17.0.0 255.255.0.0 172.19.0.1 1
route inside 10.18.0.0 255.255.0.0 172.19.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.17.2.1 source inside prefer
webvpn
!
class-map inspection_default
!
!
policy-map type inspect ip-options allow-router-alert
parameters
router-alert action allow
policy-map global_policy
class inspection_default
inspect ip-options allow-router-alert
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Output of sh service-policy:
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ip-options allow-router-alert, packet 0, drop 0, reset-drop 0
I'm attempting to get this thing to use PIM, and I see no joins/prunes in statistics either. I do see the requests in the 6505 where the RP resides. I increased the query interval for IGMP to 10 sec., which means I see the router alerts that often in the ASDM log viewer.
6 | Jan 09 2012 | 14:59:00 | 172.29.9.5 | 225.17.249.5 | Deny IP from 172.29.9.5 to 225.17.249.5, IP options: "Router Alert" |
Mike
01-09-2012 12:10 PM
Hi Mike,
Oh ok, I should have asked what type of traffic it was before suggesting the config. The inspection_default class is not matching this traffic. Try this instead:
access-list myacl permit ip host 172.29.9.5 host 225.17.249.5
!
class-map myclass
match access-list myacl
!
policy-map type inspect ip-options allow-router-alert
parameters
router-alert action allow
policy-map global_policy
class myclass
inspect ip-options allow-router-alert
!
service-policy global_policy global
If there are any established conns for these hosts when you configure this policy, make sure to clear them out before testing again.
-Mike
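To see why the first policy did nothing and the second one should work, here is an added Python check (example code, not from the thread or from Cisco) that parses an ASA MPF config fragment and reports whether a given source/destination flow carrying the Router Alert option lands in a class whose ip-options inspection allows it. The two config fragments are constructed from the ones in this thread, and the ACL matching is simplified to host/any permit entries.

```python
import re

# Constructed ASA 8.2 fragments modelled on the two configs in this thread (the posted config
# elided the default "match default-inspection-traffic" line under inspection_default).
CONFIG_BROKEN = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect ip-options allow-router-alert
 parameters
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect ip-options allow-router-alert
service-policy global_policy global
"""
# Second suggestion from the thread: an ACL-based class that actually matches the IGMP flow.
CONFIG_FIXED = ("access-list myacl permit ip host 172.29.9.5 host 225.17.249.5\n"
                "class-map myclass\n match access-list myacl\n"
                + CONFIG_BROKEN.replace("class inspection_default", "class myclass"))

def sections(config):
    """Split an ASA config into (top-level command, [sub-commands]) pairs by indentation."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def router_alert_allowed(config, src, dst):
    """Would a src->dst packet carrying the Router Alert option survive global_policy?"""
    secs = sections(config)
    allowing = {s.split()[-1] for s, body in secs             # ip-options maps that allow router-alert
                if s.startswith("policy-map type inspect ip-options")
                and "router-alert action allow" in body}
    acl = {}                                                  # ACL name -> [(src, dst)] permit entries
    for s, _ in secs:
        if m := re.match(r"access-list (\S+) (?:extended )?permit ip (host \S+|any) (host \S+|any)$", s):
            acl.setdefault(m[1], []).append((m[2].replace("host ", ""), m[3].replace("host ", "")))
    cls_acl = {s.split()[1]: next((b.split()[-1] for b in body if b.startswith("match access-list")), "")
               for s, body in secs if s.startswith("class-map ")}  # inspection_default -> "" (no ACL)
    cls = ""
    for b in next((body for s, body in secs if s == "policy-map global_policy"), []):
        if b.startswith("class "):
            cls = b.split()[1]
        elif b.startswith("inspect ip-options"):              # attached to the current class
            pmap = b.split()[2] if len(b.split()) > 2 else "<default>"
            if any(e[0] in (src, "any") and e[1] in (dst, "any") for e in acl.get(cls_acl.get(cls, ""), [])):
                ok = pmap in allowing
                return ok, f"class {cls} applies {pmap}: router-alert {'allowed' if ok else 'dropped'}"
    return False, f"no class in global_policy matches {src}->{dst}"
```

With the first config the IGMP flow never enters inspection_default, so the allow map is never consulted; with the ACL-based class it is.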