IP options "Noop" in omudpspoof'd packets


Postby rick@gt » Fri Jun 08, 2012 10:35 pm

Our Cisco ASA and FWSM firewalls are throwing away packets from our rsyslog relayer with messages (first two octets of IP addresses changed to protect the innocent):

%ASA-6-106012: Deny IP from 192.168.244.29 to 192.168.170.183, IP options: "End of Options List"
%ASA-6-106012: Deny IP from 192.168.244.29 to 192.168.170.183, IP options: "Noop"
%ASA-6-106012: Deny IP from 192.168.165.165 to 192.168.170.183, IP options: "Noop"
%ASA-6-106012: Deny IP from 192.168.165.165 to 192.168.170.183, IP options: "Noop"
%ASA-6-106012: Deny IP from 192.168.165.165 to 192.168.170.183, IP options: "End of Options List"
106012
Error Message %PIX|ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.
Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.

as well as:
2012-06-08T17:29:19.816964-04:00 rich-165-fw.gatech.edu %ASA-6-106012: Deny IP from 192.168.222.19 to 192.168.160.219, IP options: "Non-zero options padding"


The firewalls are configured to allow spoofed traffic:
rich-dept-asasm/rich-165-fw(config)# sh log | i 192.168.170.183
access-list outbound extended permit udp any host 192.168.160.219 object-group any-192-168-160-219-udp
access-list outbound extended permit udp any host 192.168.170.183 object-group any-192-168-170-183-udp
access-list outbound extended permit icmp object-group fw-inside-networks any
access-list outbound extended permit ip object-group fw-inside-networks any
access-list outbound extended deny ip any any


But it appears that there is no way we can get the firewall to just ignore the Noop IP options that are being set. Has anyone else run into this? I think it's a bug, and plan to open a ticket on it... as soon as my Fiscal year starts in July and I can start a support contract, but until then I'm hoping someone in the community has run into this and worked around it before.
rick@gt
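An added example to go with the thread above (not code from the post, from rsyslog or from omudpspoof): a small IPv4 header walker that reports the same three conditions the ASA 106012 messages name ("Noop", "End of Options List", "Non-zero options padding"), so a capture from the relay can be checked for option bytes before the firewall sees it, plus a counter over 106012 log lines to pin down which host is emitting them. The header bytes and log lines are constructed here; `ipv4_header` is a helper for building test packets, not a real library call.

```python
import re
import struct
from collections import Counter

# RFC 791 single-byte option kinds, named as the ASA 106012 message prints them
IP_OPTION_NAMES = {0: "End of Options List", 1: "Noop"}

def ip_options(packet):
    """List the IP options in an IPv4 header, named as ASA 106012 prints them.
    IHL (low nibble of byte 0) is the header length in 32-bit words; bytes past
    the fixed 20 are options, which the firewall's integrity check rejects."""
    ihl = (packet[0] & 0x0F) * 4
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            found.append(IP_OPTION_NAMES[0])
            if any(opts[i + 1:]):         # padding after EOL must be all zero
                found.append("Non-zero options padding")
            break
        if kind == 1:                     # NOP is a single byte with no length
            found.append(IP_OPTION_NAMES[1])
            i += 1
            continue
        found.append("option %d" % kind)  # everything else is kind, len, data
        i += opts[i + 1]
    return found

def ipv4_header(src, dst, options=b""):
    """Build a constructed IPv4 header (proto UDP, no payload) with given options."""
    assert len(options) % 4 == 0
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(options),
                        0, 0, 64, 17, 0, src, dst)
    return fixed + options

ASA_106012 = re.compile(
    r'%(?:PIX|ASA)-6-106012: Deny IP from (\S+) to (\S+), IP options: "([^"]+)"')

def summarize_denials(log_lines):
    """Count 106012 denials per (source, option) to find the host emitting them."""
    counts = Counter()
    for line in log_lines:
        m = ASA_106012.search(line)
        if m:
            counts[(m.group(1), m.group(3))] += 1
    return counts
```

A header whose IHL is 5 yields an empty list; any non-empty result is a packet the ASA will drop regardless of the access-list, so the fix has to happen on the sending side.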


Re: IP options "Noop" in omudpspoof'd packets

Postby rick@gt » Fri Jun 08, 2012 10:44 pm

Pardon me, this is a repeat of post22012.html?hilit=omudpspoof#p22012

Perhaps I can help shed some light on the original poster's problem, or up the urgency :D
rick@gt
