Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Message log 106012

Hi, I would like to have a expert opinion about an ASA msg log.

I deployed a pair of ASA with 3 Legs ( outside, inside and DMZ ).

Currently there is an IP video conferencing device in the DMZ.

Once we tested the video conferencing, the quality of the video was very bad. A lot of dropped packet ( seen from the device ).

I did check in the ASA and found that there was a lot of packet being dropped because of MSG log 106012.

I went through cisco documentation and found this

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279793

anyone can explain about this symptom ? and is there a workaround solution for this ?

Thanks

Richard

5 REPLIES
Silver

Re: ASA Message log 106012

This error message is related to IP packets that has TOS bit set to on, in other words they are using some QOS values. What kind of traffic is this? Voice maybe? Now it looks like error message is not complete "IP options hex" should contain and Hex value after that.

New Member

Re: ASA Message log 106012

I'm not sure, but if Oscar is right, try this on the interface of the switch where the device is connected (asumming you are using a Cisco 2960)

(config-if)#mls qos cos override

This will reset the TOS of the packets originated on this device.


Guido.

Please rate all the helpful comments.

New Member

Re: ASA Message log 106012

Hi,

Thank you for Your responses.

I've tried to set the "mls qos cos override" on the switch interface that connected to firewall, but the issue was still there.

I capture some log from the ASA.

6|Jun 29 2009|17:56:05|106012|VC01||202.155.32.29||Deny IP from VC01 to 202.155.32.29, IP options: "Router Alert"

any idea what does it means by "Router Alert"?

Thanks

New Member

Re: ASA Message log 106012

IP Options are part of the ip header, but not used and because they are a security risk, most firewalls and routers block them.

http://en.wikipedia.org/wiki/IPv4

You have two workarounds:

1) Upgrade the firmware of the VoIP device if this problem was corrected.

2) Put this device before the firewall, with a public IP. (I do that on a client few month ago)


Guido.

Please rate all the helpful comments.

New Member

Re: ASA Message log 106012

Hi,

Seems like there is no workaround solution for this using ASA.

Thanks for all the useful information and guidance.

665
Views
14
Helpful
5
Replies