'Forbidden IP option' drop log in SmartView Tracker for ICMP packets with IP Options

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk93809
Technical Level
Product	Quantum Security Gateways, ClusterXL, Cluster - 3rd party, VSX
Version	R75.40VS (EOL), R75.45 (EOL), R75.46 (EOL), R75.47 (EOL), R76 (EOL), R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL)
Platform / Model	All
Date Created	25-Jul-2013
Last Modified	21-Sep-2015

Symptoms

'ip option N, message_info: Forbidden IP option' log in SmartView Tracker for ICMP packets.
'ip option N, message_info: IP option is not allowed for this packet' log in SmartView Tracker for ICMP packets after adding the IP Option Number into the 'allowed_ip_options' table per sk62082.
Kernel debug (fw ctl debug -m fw + drop) shows that ICMP packets are dropped:
fw_log_drop: Packet proto=1 Source_IP:X -> Dest_IP:Y dropped by fw_ipopt_strip Reason: illegal IP options;
Kernel debug (fw ctl debug -m fw + drop) shows that ICMP packets are still dropped after adding the IP Option Number into the 'allowed_ip_options' table per sk62082:
fw_log_drop: Packet proto=1 Source_IP:X -> Dest_IP:Y dropped by fw_ipopt_restore Reason: options not approved;

Cause

ICMP packets with IP Options are not allowed by default.

Example: When the 'ping -r' creates an ICMP packet with IP Option #7.

Solution

Note: To view this solution you need to Sign In .