https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508970#M579519 <HTML><HEAD></HEAD><BODY><P>Federico, </P><P></P><P>I'm not sure if you got an answer to this already in any other way. </P><P></P><P>First of all SIP inspection like any other inspection is used to open up dynamically connection and pre-create xlates and a little bit of voo-doo when NAT is involved.</P><P></P><P>When using VPN connections by default should be permitted and usually we don't do NAT - so you should not normally need sip inspection for VPN flows.</P><P></P><P>That being said I agree that it looks like a problem with interoperability, I'm not aware of any problem with this - nor do I have access to check right now if this is known or not. </P><P></P><P>Let me know if someone already looked into this, if not I'll have a check tomorrow. </P><P></P><P>Marcin </P></BODY></HTML> Sun, 28 Nov 2010 23:01:45 GMT Marcin Latosiewicz 2010-11-28T23:01:45Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508969#M579518 <P>Hello Community,</P><P></P><P>I would like to bring up a problem that I'm having...</P><P></P><P>Clients connecting via IPsec VPN and using Personal Communicator.</P><P>CUCP 7/ASA 8.2</P><P>Clients can connect via VPN, log in to the Personal Communicator and make calls (the chat is not working because all collegues appear offline).</P><P>If disabling SIP inspection in the ASA, then the chat works.</P><P></P><P>Problem is we need SIP inspection enabled.</P><P>The Presence server resides behind the ASA and it works fine locally.</P><P>Problem is only via VPN due to SIP inspection, how to fix it?</P><P><BR />Thank you all!</P><P></P><P>Federico.</P> Mon, 11 Mar 2019 19:14:07 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508969#M579518 Federico Coto Fajardo 2019-03-11T19:14:07Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508970#M579519 <HTML><HEAD></HEAD><BODY><P>Federico, </P><P></P><P>I'm not sure if you got an answer to this already in any other way. </P><P></P><P>First of all SIP inspection like any other inspection is used to open up dynamically connection and pre-create xlates and a little bit of voo-doo when NAT is involved.</P><P></P><P>When using VPN connections by default should be permitted and usually we don't do NAT - so you should not normally need sip inspection for VPN flows.</P><P></P><P>That being said I agree that it looks like a problem with interoperability, I'm not aware of any problem with this - nor do I have access to check right now if this is known or not. </P><P></P><P>Let me know if someone already looked into this, if not I'll have a check tomorrow. </P><P></P><P>Marcin </P></BODY></HTML> Sun, 28 Nov 2010 23:01:45 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508970#M579519 Marcin Latosiewicz 2010-11-28T23:01:45Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508971#M579520 <HTML><HEAD></HEAD><BODY><P>Marcin,</P><P><BR />There's no NAT for the presence server through the tunnel, but the client will requiere static NAT for public access later on... so SIP inspection will be needed eventually.</P><P>Right now... I turned off SIP inspection and the chat works fine through VPN.</P><P>If I enable SIP inspection the chat won't work.</P><P></P><P>What I would like here is to be able to allow the chat to work with SIP inspection enabled.</P><P></P><P>I'm still having the problem so I would definitely appreciate your help with this one <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Thank you!</P><P></P><P>Federico.</P></BODY></HTML> Sun, 28 Nov 2010 23:07:40 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508971#M579520 Federico Coto Fajardo 2010-11-28T23:07:40Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508972#M579521 <HTML><HEAD></HEAD><BODY><P>Sure thing Federico, I'll dig in tomorrow <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Sun, 28 Nov 2010 23:22:40 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508972#M579521 Marcin Latosiewicz 2010-11-28T23:22:40Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508973#M579522 <HTML><HEAD></HEAD><BODY><P>Federico,</P><P></P><P>No spectacular finding on my side.</P><P></P><P>One would be this:</P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc62281">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc62281</A></P><P></P><P>I also remember having something similar to this in the past. But I'd need to dig into presence protocol, I believe CUCM had two possible options for presence (transport? not sure what CUCM phrasing on this was), can you check that for me?</P><P></P><P>Marcin</P></BODY></HTML> Mon, 29 Nov 2010 10:36:51 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508973#M579522 Marcin Latosiewicz 2010-11-29T10:36:51Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508974#M579523 <HTML><HEAD></HEAD><BODY><P>Marcin,</P><P></P><P>All I know at this moment is that with SIP inspection enabled the chat won't work... so what I'll do is run some tests and check what messages do I get to see if we can identify the problem.</P><P>I will post the findinds and what you're asking too... thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Federico.</P></BODY></HTML> Mon, 29 Nov 2010 15:52:27 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508974#M579523 Federico Coto Fajardo 2010-11-29T15:52:27Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508975#M579524 <HTML><HEAD></HEAD><BODY><P>Federico,</P><P></P><P>TAC would typically request, ingress and egress captures + syslogs to get started (SIP debugs too ;-))</P><P>If you can get that I'll have a look.</P><P></P><P></P><P>Marcin</P></BODY></HTML> Mon, 29 Nov 2010 15:56:12 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508975#M579524 Marcin Latosiewicz 2010-11-29T15:56:12Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508976#M579525 <HTML><HEAD></HEAD><BODY><P>Marcin, </P><P></P><P>I'm including the logs and debug SIP for a connection from a VPN user dporras.</P><P></P><P>The behavior is the same... with SIP inspection enabled the chat won't work for personal communicator.</P><P>I don't see SIP drops in ''sh service-policy'... I'm not sure if I should see packet drops... </P><P></P><P>If you can take a look at the attachment I'll appreciate it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Federico.</P></BODY></HTML> Tue, 30 Nov 2010 16:41:07 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508976#M579525 Federico Coto Fajardo 2010-11-30T16:41:07Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508977#M579526 <HTML><HEAD></HEAD><BODY><P>Federico,</P><P></P><P>I remembered there was something exchanged via different connection then SIP:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Nov 30 2010 10:32:29: %ASA-6-302013: Built inbound TCP connection 1357720 for SHDSL:172.16.13.11/53599 (172.16.13.11/53599) to inside:172.16.10.249/443 (172.16.10.249/443) (dporras)<BR />Nov 30 2010 10:32:30: %ASA-6-302014: Teardown TCP connection 1357720 for SHDSL:172.16.13.11/53599 to inside:172.16.10.249/443 duration 0:00:00 bytes 2889 TCP FINs (dporras)</PRE><P></P><P></P><P>Regarding what SIP inspection might be up to.</P><P></P><P><BR />I see for example:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">SIP::Found Event header field with presence package<BR />Created SIP session for SHDSL:172.16.13.11/53607 to inside:172.16.10.249/5060, 18 total<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; From: sip:dporras@fusionetcorp.local (30);tag=c917b560 (8)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To: sip:dporras@fusionetcorp.local (30)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call-ID: 5a16f7020c59da0aNDdlOGM5MjAyMGRmZmFmZmIzYjA0MWQ2OTQ4OWQxNjM. (60)<BR />Created SIP Transaction for SHDSL:172.16.13.11/53607 to inside:172.16.10.249/5060<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call-ID: 5a16f7020c59da0aNDdlOGM5MjAyMGRmZmFmZmIzYjA0MWQ2OTQ4OWQxNjM. (60)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CSeq: 1 PUBLISH<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Branch: z9hG4bK-d87543-3c4409660751743c-1--d87543-<BR />&gt;&gt;&gt;&gt; SIP::Payload not modified<BR /></PRE><P></P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">SIP::Found valid SIP URI: sip:dporras@172.16.13.11:50021<BR />SIP::Found Contact sip:dporras@172.16.13.11:50021<BR />SIP::Found Content-length 0<BR />SIP::Found Event header field with presence package<BR />Created SIP Transaction for SHDSL:172.16.13.11/53607 to inside:172.16.10.249/5060<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call-ID: 5a16f7020c59da0aNDdlOGM5MjAyMGRmZmFmZmIzYjA0MWQ2OTQ4OWQxNjM. (60)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CSeq: 2 PUBLISH<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Branch: z9hG4bK-d87543-80599b0c83043903-1--d87543-<BR />&gt;&gt;&gt;&gt; SIP::Payload not modified<BR /></PRE><P></P><P>I don't see any obvious notion of ASA doing something wrong I don't think the packets are being dropped I suspect they are somehow mangled so the manager doesn't recognize them correctly.</P><P></P><P>I think we'd need more in depth investigation. Traffic capture before and after firewall, with and without SIP inspection + debugs would be a good place to start - but it's not something to be dragged in forum.</P><P></P><P>Can you open a TAC case? We'll have a look at this one.</P><P></P><P>Marcin</P></BODY></HTML> Tue, 30 Nov 2010 22:41:17 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508977#M579526 Marcin Latosiewicz 2010-11-30T22:41:17Z https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508978#M579527 <HTML><HEAD></HEAD><BODY><P>Marcin,</P><P></P><P>It was a bug in the ASA code.</P><P>Originally I mentioned version 8.2, but the ASA was running 8.0(4) my mistake <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>I upgraded the ASA to 8.2(2) and now the chat function works perfectly for Personal Communicator through the VPN (with SIP inspection enabled).</P><P></P><P>Thank you very much.</P><P></P><P>Federico.</P></BODY></HTML> Thu, 02 Dec 2010 17:22:40 GMT https://community.cisco.com/t5/network-security/presence-not-working-correctly-with-sip-inspection/m-p/1508978#M579527 Federico Coto Fajardo 2010-12-02T17:22:40Z