https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031743#M916172 <HTML><HEAD></HEAD><BODY><P>Try the 'invalid-ack' option, it drops by default:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238</A></P><P></P><P>Either enable it for this specific flow or for all traffic (to test).</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Thu, 31 Jul 2008 01:17:04 GMT Farrukh Haroon 2008-07-31T01:17:04Z https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031740#M916162 <P>Hello,</P><P>I am having the following issue with a videoconference call. I have an ASA-5520 in transparent firewall mode in the middle of a LAN connections between two campus.</P><P>When I remove the firewall the videoconference works fine.</P><P>When the firewall is connected the call can not be completed. </P><P>The call originating station first contacts a gatekeeper in order to establish the call. I captured the traffic between this station and the gatekeeper using a sniffer and I found that the problem is that apparently there are segments lost in the communication. This problem appears in every SYN,ACK packet received from the gatekeeper, therefore the station responds with a RST of the connection. </P><P>ASA is running software 8.0(2). </P><P>Does anybody know if there is some way to fix this issue from configuration?</P><P>I am completely sure there is no problem with access-lists and I am not inspecting H323, H225, ras, etc...</P><P>Attached is a copy of the sniffer capture.</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 13:18:54 GMT https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031740#M916162 javiercastro 2019-03-11T13:18:54Z https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031741#M916164 <HTML><HEAD></HEAD><BODY><P>have you tried to enable inspection H323, H225, ras?</P></BODY></HTML> Wed, 23 Jul 2008 15:48:44 GMT https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031741#M916164 a.alekseev 2008-07-23T15:48:44Z https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031742#M916170 <HTML><HEAD></HEAD><BODY><P>Yes, I tried enabling inspection, disabling tcp sequence randomization.</P><P>Still not working. Any ideas?</P></BODY></HTML> Wed, 30 Jul 2008 22:42:27 GMT https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031742#M916170 javiercastro 2008-07-30T22:42:27Z https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031743#M916172 <HTML><HEAD></HEAD><BODY><P>Try the 'invalid-ack' option, it drops by default:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238</A></P><P></P><P>Either enable it for this specific flow or for all traffic (to test).</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Thu, 31 Jul 2008 01:17:04 GMT https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031743#M916172 Farrukh Haroon 2008-07-31T01:17:04Z https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031744#M916175 <HTML><HEAD></HEAD><BODY><P>after several traffic captures gathered, I have figured out that something in the inside network is messing with the ack number. Very weird problem since I have only the Vlan interface in the 4506, everything else is L2 Switched network to the videoconference station.</P></BODY></HTML> Wed, 13 Aug 2008 14:45:58 GMT https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031744#M916175 javiercastro 2008-08-13T14:45:58Z https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031745#M916179 <HTML><HEAD></HEAD><BODY><P>So have you managed to resolve this issue?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 13 Aug 2008 17:43:25 GMT https://community.cisco.com/t5/network-security/tcp-acked-lost-segment-videoconference-setup-through-asa-5520/m-p/1031745#M916179 Farrukh Haroon 2008-08-13T17:43:25Z