Cisco Support Community

New Member

Pix syslog message

I have a frame relay network that comes into the hub router into corporate HQ. We have a large SAP implementation that is hosted at a 3rd party location. So, traffic flows from the Frame, into the inside interface of the Corporate PIX 515, out the dmz interface of the Corporate Pix, into a router on the same subnet as the dmz, and then across a frame relay link to the SAP host. I am getting several hundred syslog messages per hour with the following error, %PIX-2-106012: Deny IP from IP_addr to IP_addr, IP options hex. The hex option is 0x14. The source IP is from several different hosts somewhere on the frame and the destination is to one of our SAP servers. The docs say that the SAP client application is altering the IP packet and the PIX is seeing it as some kind of security breach and discarding the packet. Our SAP has slowdowns constantly and I think this is part of the cause of the slowdowns.

Thanks,

RJ

4 REPLIES
New Member

Re: Pix syslog message

Basically, hex option=0x14 breaks down as follows:

|0001|0100|

The ip options field breaks down as:

0 bit: copy bit
1-2 bit: class option bits
3-7 bit: option number bits

So, 0x14 hex breaks down as:

copy bit: 0
class option: 0
option number: 20

From the table at:

IP OPTION NUMBERS
http://www.iana.org/assignments/ip-parameters

You can see that this is not a valid option. It's sort of a router alert without the copy option. However, RFC 2113 (Router Alerts) does not permit that possibility.

You will need to get a sniffer trace of this traffic and investigate this further to determine which device is initiating this traffic and why.

If you find out, please share your info.

HTH

Jeff
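The option-type decoding Jeff walks through, as an added example that is not from the thread: a small Python parser for %PIX-2-106012 lines that splits the options octet into copy flag, class and number, names the common IANA option types, and flags the 0x14 case (Router Alert with the copy bit clear). The sample log lines, their addresses and the exact "IP options 0x..." wording are constructed; the message layout follows the template quoted in the question.

```python
import re

# Constructed sample of PIX syslog output (not taken from the thread);
# addresses are documentation-range placeholders.
SAMPLE_LOG = """\
%PIX-2-106012: Deny IP from 192.0.2.10 to 198.51.100.5, IP options 0x14
%PIX-2-106012: Deny IP from 192.0.2.11 to 198.51.100.5, IP options 0x94
%PIX-2-106012: Deny IP from 192.0.2.12 to 198.51.100.5, IP options 0x83
%PIX-6-302013: Built outbound TCP connection 1 for inside:192.0.2.10/1234
"""

# (class, number) -> IANA name for the common option types.
OPTION_NAMES = {
    (0, 0): "EOOL", (0, 1): "NOP", (0, 3): "LSR", (0, 7): "RR",
    (0, 9): "SSR", (0, 20): "RTRALT", (2, 4): "TS",
}
MSG_106012 = re.compile(
    r"%PIX-2-106012: Deny IP from (\S+) to (\S+), IP options:? *(0x[0-9a-fA-F]+)"
)

def decode_option_type(octet):
    """Split an IP option-type octet into copy flag, class and number."""
    copy = (octet >> 7) & 0x1      # bit 0 (MSB): copied-on-fragmentation flag
    cls = (octet >> 5) & 0x3       # bits 1-2: 0 = control, 2 = debugging/measurement
    number = octet & 0x1F          # bits 3-7: option number
    name = OPTION_NAMES.get((cls, number), "unassigned")
    note = ""
    if (cls, number) == (0, 20) and copy == 0:
        # RFC 2113 defines Router Alert as type 148 (0x94), i.e. copy flag set.
        note = "router alert with copy flag clear; not valid per RFC 2113"
    return {"copy": copy, "class": cls, "number": number, "name": name, "note": note}

def parse_106012(line):
    """Return src, dst and decoded option for a %PIX-2-106012 line, else None."""
    m = MSG_106012.search(line)
    if not m:
        return None
    return {"src": m[1], "dst": m[2], "options": decode_option_type(int(m[3], 16))}

def summarize(log_text):
    """Count denied packets per (src, dst, option name, note) for triage."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_106012(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["options"]["name"], rec["options"]["note"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running summarize over the real syslog feed groups the denials by source, which is the list of hosts to take the sniffer trace from.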

New Member

Re: Pix syslog message

It is the SAP client program that causes this alert. There are dozens of systems on several different subnets causing this problem. So, it seems like this program is altering the packet and the PIX thinks it is a hacked packet, right?

RJ

New Member

Re: Pix syslog message

The pix does not permit any packets which have IP options utilized, regardless of the reason. For instance, you may have a host on the inside of your pix which is legitimately sending source-route packets, which will utilize the IP Options field. However, source-routing in itself is inherently a security vulnerability. Consequently, the pix won't permit this traffic through (even though it's not a hacked packet).

In this case, there does not appear to be any legitimate reason for the packets that your pix appears to be seeing. If you have already sniffed the packet all the way back to the source, and have determined that the client is actually initiating this traffic, then I would contact the application vendor for further information about why it is utilizing these options in a way that doesn't appear to conform to conventional use of the ip options field (it may just be a bug that other devices ignore, but which the pix doesn't).

HTH

Jeff

New Member

Re: Pix syslog message

Jeff,

You seem to know the PIX firewall quite well. I was wondering if you know of some documents that describe the PIX behavior in detail when dealing with non-standard or invalid packets. I am looking for the more in-depth information that I cannot find on the regular website.

Thanks - rob.bleeker@steeves.net
