topic Re: Query regarding SIP Traffic in Network Security

Query regarding SIP Traffic

ankurs2008 — Mon, 11 Mar 2019 17:45:38 GMT

Hi halijenn/pkampana/all

I have a issue related to SIP Traffic . I am using ASA 8.2.2.12 and the call manager is sitting Inside of ASA and there is one more call manager sitting outside of ASA .The user (from his IP Phone) dials to a remote phone and registers with inside CUCM , from where the packet hits ASA and goes to remote CUCM behind which the destination phone is located.

1) When a call is initiated from Inside IP Phone it will register itself to a SIP registrar server which is CUCM

(IP Phone and CUCM are located behind the ASA and CUCM exits ASA with NATTED IP)

2) Once it has registered , the CUCM (NATTED IP ) sends an INVITE request to the destination CUCM on UDP /5060 , traversing via ASA Firewall ; however packet captures show only SIP under the protocol column , ideally for INVITE packet it should show SIP/SDP (Please correct me if i am wrong)

3) The Remote server at the other end is replying with “ Status : 100 giving a try “ which means that some unspecified action is being taken on behalf of this call (e.g.,a database is being consulted),but the user has not yet been located.

4) After some time , the server replies again with “ Status : 408 Request Timeout” which means that server is not able to send a response for which the Inside Call manager sends a CANCEL Request

From the debug sip and Syslogs in ASA :

a) There is no deny message in the Syslog according to any access-list

b) debug sip shows below message (IP Addres id Inside CUCM)

SIP::Not updating database for Contact 10.3.1.1/5060, registry database total 0

Note :

a) Inspect SIP is allowed

b) Following NAT are there

nat (inside) 1 10.3.1.1 255.255.255.255
global (outside) 1 interface

static(inside,outside) udp interface sip 10.3.1.1 sip

c) show service-policy doesnot show any drops related to SIP

According to me the ideal reply after an INVITE message should have been

Status : 180 Ringing and SIP/2.0 183 Session Progress which is an indication to start the RTP

Please let me know if i am hitting bug CSCtb23281

Re: Query regarding SIP Traffic

Abu Hadee — Fri, 14 May 2010 11:36:31 GMT

Hi Ankurs,

I didn't quite understand the complete call flow. Let me try to picture what I've understood

Topology:

PhoneA--CUCMA-------(outside)--ASA--(inside)-------CUCMB----PhoneB

1. Phone1 to CUCMA 1 is SIP

2. CUCMA to CUCMB is sip (two different Cluster)

3. CUCMB to PhoneB is sip

You are trying to make call from PhoneB to PhoneA

are these assumptions right?

CUCMB sends Invite to CUCMA

CUCMA sends 100 Trying

CUCMA sends 408 Request Timeout

CUCMB sends Cancel

In that scenario, I would assume that CUCMA also send invite to Phone A, but didn't get any response. If CUCMA doesn't know if about PhoneA, it would send different message.

Regarding the other question, if MTP is not checked on the SIP trunk on CUCM, it will not send SDP in the invite. It will be a delayed offer.

Please correct me about the call flow. I will be able to help you further.

Thank you

- Abu

Re: Query regarding SIP Traffic

ankurs2008 — Fri, 14 May 2010 12:29:42 GMT

The call flow is correct , i would like to know if there could be an issue between CUCM A and Phone A ?

If MTP is not checked on the SIP trunk on CUCM , do you mean to say that the CUCM behind the inside interface of ASA need to have this parameter checked ?The issue is that i am confused as to whether ASA is opening the hole with inspect sip command or not . Suppose if ASA is opening this hole , then can it be like that MTP is not checked thats why the (SIP+SDP) not going in Invite

Also i have one more question , is it like that the MTP needs to be checked on the SIP trunk on the Outside CUCM also ?

Re: Query regarding SIP Traffic

Abu Hadee — Sat, 15 May 2010 09:47:22 GMT

If MTP is not checked, CUCM will not send INVITE with SDP.

You need to check if CUCM can send calls to PhoneA. I'm wondering why CUCMA would return request time out. Are they on same location, no firewall?

Also, will you be able to packet capture from inside and out of the ASA?

Thanks

-abu

Re: Query regarding SIP Traffic

ankurs2008 — Mon, 17 May 2010 06:56:03 GMT

this could also means that CUCM B may not have MTP option checked / ticked when packet is going outside and hitting ASA and then CUCM A

Also there i only 1 firewall in between CUCM A and CUCM B .What i think is that when packet reaches CUCM A , it tries to call Phone A and is not getting response and after sometime , it sends reply back to ASA for CUCM B regarding time out . I am surely gng to attach captures today evening

Re: Query regarding SIP Traffic

ankurs2008 — Tue, 18 May 2010 07:23:54 GMT

Please let me know regarding my below query

Re: Query regarding SIP Traffic

lusandi — Thu, 14 Jul 2011 16:08:53 GMT

Can you send a debug sip and debug sip ha from the ASA also can you send a sniffer capture from both of the CUCM servers.

Regards,

Luis Sandi

.:|:.:|:.

P.S Please mark this question as answered if it has been resolved. Do rate helpful posts.