Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
502
Views
5
Helpful
2
Replies

video through PIX with PAT

ray
Level 1
Level 1

‎01-07-2004 01:37 PM - edited ‎02-20-2020 11:11 PM

I have a customer testing Polycom video conferencing over the Internet through their PIX 506. They have a single public IP address so all outbound traffic is PAT. When they initiate the connection the recipient sees their video feed but they see none. The only denys I can see in the syslog are:

106012: Deny IP from x.x.x.x to y.y.y.y, IP options: "0x14"

The following fixups are active:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

The local subnet has and access-list allowing all IP traffic to pass outbound and just for testing we allowed the address we're trying to communicate with all IP access inbound.

I see messages in the syslog that the PIX recognizes h323 conversations.

Is there anything else I should be looking for or am I trying to get an unsupported protocol to work here? Is the deny IP options message relevant, can it be worked around?

0 Helpful
2 Replies 2

nkhawaja
Cisco Employee
Cisco Employee

‎01-10-2004 12:26 PM

Hi,

Deny IP option is defintely relevant here, if shows the same ips and ports in that session. we can't turn off the IP option inspection here

Error Message %PIX-2-106012: Deny IP from IP_address to IP_address, IP options hex.

Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source or strict source routing.

You better check polycom settings. Also what is the IOS code you are running?

Thanks

Nadeem

ray
Level 1
Level 1
In response to nkhawaja

‎01-12-2004 07:10 AM

The deny IP did show the same addresses that were testing the video. I assumed the IP options in question were QoS as video is known to insert in packets. I will check the Polycom client to see if this can be turned off.

We are running PIX OS 6.2.2

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card