Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
722
Views
0
Helpful
2
Replies

Permit IP Option 8 (StreamID) through Cisco ASA

Go to solution
simon.blain
Level 1
Level 1

‎05-06-2015 09:35 AM - edited ‎03-11-2019 10:53 PM

Hi,

I have an issue with Microsoft RDPv8 on Windows 7 Embedded Clients when UDP is enabled in that the UDP RDP (UDP3389) packets are often sent with IP Option 8 enabled. I have no idea why this is but with the ASA dropping these packets the RDP session will regularly drop out for 10-20 seconds and then reconnect with a new session.

So far the only work around is to block UDP3389 on the firewall so even though UDP is enabled on the client only TCP is negotiated and the dropouts are prevented. The problem is UDP in RDPv8 provides a better experience and so far I haven't been able to resolve this in the RDP client.

So is there a way to cofnigured the ASA to allow IP Option 8 specifically? I see other IP Option types can be allowed through an ip-option map but not this one. Any help would be appreciated.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎05-07-2015 07:43 AM

Hi,

I don't think this IP Option 8 is supported through the ASA device.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/firewall/asa-firewall-cli/inspect-basic.html#pgfId-2489321

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎05-07-2015 07:43 AM

Hi,

I don't think this IP Option 8 is supported through the ASA device.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/firewall/asa-firewall-cli/inspect-basic.html#pgfId-2489321

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
simon.blain
Level 1
Level 1
In response to Vibhor Amrodia

‎05-07-2015 07:52 AM

Thanks Vibhor,

why is there this limitation? I understand why in the vast majority of cases packets with options set will need to be blocked but why can't the device be configured to allow this when required. I would have hoped an ip-option map could be configured to allow these packets but only from specific source addresses. Other firewall vendors support configuring the firewall to permit these packets.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card