Cisco 4700M Configuration Manual page 245

Chapter 3 Configuring Application Protocol Inspection
If one of these header fields is missing in a SIP packet, the ACE considers that
packet invalid. The ACE also checks for forbidden header fields, according to
RFC 3261.
To enable strict header validation and the action that you want the ACE to perform
if a SIP header does not meet the validation requirements, use the
strict-header-validation command in parameter map SIP configuration mode.
The syntax of this command is as follows:
The keywords and options are as follows:
•
•
Note
•
For example, to enable strict header validation to instruct the ACE to drop the
connection if the packet header does not meet the header validation requirements,
and to log the event, enter:
host1/Admin(config-parammap-sip)# strict-header-validation drop log
To disable strict header validation, enter:
host1/Admin(config-parammap-sip)# no strict-header-validation drop log
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
OL-16202-01
strict-header-validation {log} | {{drop | reset} [log]}
log—Specifies that the ACE log the header validation event.
drop—Specifies that the ACE drop the SIP message.
Use care if you plan to enable the drop option to ensure the validity of
SIP packet headers. The drop option results in dropping requests which
do not include the mandatory headers of that request. In some cases, the
use of the drop option can lead to problems with some phones which do
not utilize the mandatory headers in the request. For example, when a call
is made and then cancelled, the phone receives a 487 Request Terminated
cancel status request and transmits an ACK. However, for the Cisco IP
Phone 7960, the transmitted ACK does not contain the
MAX-FORWARDS header, which is a mandatory header for ACK. The
ACE will then drop this packet, which can result in operational issues
with the phone.
reset—Specifies that the ACE reset the connection.
Configuring a SIP Parameter Map
3-121