Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

video through PIX with PAT

I have a customer testing Polycom video conferencing over the Internet through their PIX 506. They have a single public IP address so all outbound traffic is PAT. When they initiate the connection the recipient sees their video feed but they see none. The only denys I can see in the syslog are:

106012: Deny IP from x.x.x.x to y.y.y.y, IP options: "0x14"

The following fixups are active:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

The local subnet has and access-list allowing all IP traffic to pass outbound and just for testing we allowed the address we're trying to communicate with all IP access inbound.

I see messages in the syslog that the PIX recognizes h323 conversations.

Is there anything else I should be looking for or am I trying to get an unsupported protocol to work here? Is the deny IP options message relevant, can it be worked around?

Cisco Employee

Re: video through PIX with PAT


Deny IP option is defintely relevant here, if shows the same ips and ports in that session. we can't turn off the IP option inspection here

Error Message %PIX-2-106012: Deny IP from IP_address to IP_address, IP options hex.

Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source or strict source routing.

You better check polycom settings. Also what is the IOS code you are running?



New Member

Re: video through PIX with PAT

The deny IP did show the same addresses that were testing the video. I assumed the IP options in question were QoS as video is known to insert in packets. I will check the Polycom client to see if this can be turned off.

We are running PIX OS 6.2.2