'Forbidden IP option' drop log in SmartView Tracker for ICMP packets with IP Options
Symptoms
  • 'ip option N, message_info: Forbidden IP option' log in SmartView Tracker for ICMP packets.

  • 'ip option N, message_info: IP option is not allowed for this packet' log in SmartView Tracker for ICMP packets after adding the IP Option Number into the 'allowed_ip_options' table per sk62082.

  • Kernel debug (fw ctl debug -m fw + drop) shows that ICMP packets are dropped:
    fw_log_drop: Packet proto=1 Source_IP:X -> Dest_IP:Y dropped by fw_ipopt_strip Reason: illegal IP options;

  • Kernel debug (fw ctl debug -m fw + drop) shows that ICMP packets are still dropped after adding the IP Option Number into the 'allowed_ip_options' table per sk62082:
    fw_log_drop: Packet proto=1 Source_IP:X -> Dest_IP:Y dropped by fw_ipopt_restore Reason: options not approved;
Cause

ICMP packets with IP Options are not allowed by default.

Example: The 'ping -r' command creates an ICMP packet with IP Option #7.
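
To match the option number in a drop log against a packet capture, the following added example (not Check Point code) builds a constructed IPv4 header like the one 'ping -r' sends and lists the IP options it carries. The function names and sample addresses are assumptions; option type values follow RFC 791, and for Record Route the type byte and the option number are both 7.

```python
import struct

# Option type bytes from RFC 791: 0 = End of Option List, 1 = No Operation,
# 7 = Record Route (the option 'ping -r' sets).
EOL, NOP = 0, 1

def build_ping_r_header(src, dst, slots=9):
    """Constructed sample: IPv4 header of an ICMP packet with Record Route."""
    rr = bytes([7, 3 + 4 * slots, 4]) + bytes(4 * slots)  # type, length, pointer, empty slots
    opts = rr + bytes(-len(rr) % 4)                        # pad with EOL to a 32-bit boundary
    ihl = (20 + len(opts)) // 4
    # Checksum is left at 0; this sample is only parsed, never sent.
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts) + 8,
                       0, 0, 64, 1, 0, bytes(src), bytes(dst)) + opts

def ip_options(packet):
    """Return (protocol, [option dicts]) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hdr_len = (packet[0] & 0x0F) * 4
    if hdr_len < 20 or hdr_len > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:hdr_len], [], 0
    while i < len(opts):
        t = opts[i]
        if t == EOL:            # nothing meaningful follows
            break
        if t == NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        found.append({"type": t, "copied": t >> 7, "class": (t >> 5) & 3,
                      "number": t & 0x1F, "length": length})
        i += length
    return packet[9], found

if __name__ == "__main__":
    proto, options = ip_options(build_ping_r_header([192, 0, 2, 1], [192, 0, 2, 2]))
    print("proto=%d options=%s" % (proto, options))
```
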

