https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107434#M894053 <P>We have a client using a Tanberg video device to connect to a Polycom through our ASA.</P><P>We are seeing error messages as follows:</P><P></P><P>(IPs have been changed)</P><P></P><P>%ASA-6-106012: Deny IP from 192.168.18.20 to 172.22.54.29, IP options: "Router Alert" </P><P></P><P>Anybody have any experience with this particular error?</P><P>Is it a false alarm? Should I (or can I)</P><P>allow this traffic from a trusted host inside our network?</P><P></P><P>Thanks for any info-</P><P>Lynne</P> Mon, 11 Mar 2019 14:07:58 GMT lynne.meeks 2019-03-11T14:07:58Z https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107434#M894053 <P>We have a client using a Tanberg video device to connect to a Polycom through our ASA.</P><P>We are seeing error messages as follows:</P><P></P><P>(IPs have been changed)</P><P></P><P>%ASA-6-106012: Deny IP from 192.168.18.20 to 172.22.54.29, IP options: "Router Alert" </P><P></P><P>Anybody have any experience with this particular error?</P><P>Is it a false alarm? Should I (or can I)</P><P>allow this traffic from a trusted host inside our network?</P><P></P><P>Thanks for any info-</P><P>Lynne</P> Mon, 11 Mar 2019 14:07:58 GMT https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107434#M894053 lynne.meeks 2019-03-11T14:07:58Z https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107435#M894054 <HTML><HEAD></HEAD><BODY><P>Lynne,</P><P></P><P>106012</P><P></P><P>Error Message %PIX|ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.</P><P></P><P>Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.</P><P></P><P>Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279793" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279793</A></P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate if it helps*</P></BODY></HTML> Tue, 04 Nov 2008 20:15:12 GMT https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107435#M894054 ajagadee 2008-11-04T20:15:12Z https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107436#M894055 <HTML><HEAD></HEAD><BODY><P>Is it possible to disable the packet integrity check on</P><P>an ASA 5510 - or at least prevent the check from specific sources</P><P> - and if so, how?</P><P>I am getting these errors from our campus to campus video conferencing using Polycoms and I simply want this security check out of the picture for these connections.</P><P>Thanks, Forrest</P></BODY></HTML> Thu, 13 Jan 2011 17:59:24 GMT https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107436#M894055 frbaker07 2011-01-13T17:59:24Z https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107437#M894056 <HTML><HEAD></HEAD><BODY><P>Forrest,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; We started seeing this problem more and more, so we changed the ASA code accordingly. Starting in version 8.2(2) the ASA gained the ability to have the configuration specify how it should treat ip options like router alert.</P><P></P><P>See the release notes for 8.2(2) here:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp424893">http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp424893</A></P><P></P><P>And the configuration guide section on ip options shows how to configure the ASA:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1548725">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1548725</A></P><P></P><P>An upgrade to version 8.2(4) would do the trick. </P><P></P><P>If you plan upgrade to version 8.3, please read and understand this document first:</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12690">https://supportforums.cisco.com/docs/DOC-12690</A></P><P></P><P>After the upgrade, the policy-map configuration would look like below (the new config is the 'inspect ip-options' command:</P><P></P><P></P><P><SPAN style="font-family: 'courier new', courier;">ASA# sh run policy-map</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">...</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">!</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">policy-map global_policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">... </SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; inspect ip-options </SPAN></P><P><SPAN style="font-family: 'courier new', courier;">...</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">!</SPAN></P><DIV> </DIV><P></P><P>Sincerely,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Jay</P></BODY></HTML> Thu, 13 Jan 2011 23:25:12 GMT https://community.cisco.com/t5/network-security/what-does-ip-options-quot-router-alert-quot-specify/m-p/1107437#M894056 Jay Johnston 2011-01-13T23:25:12Z