ACE 4710 SIP - Server initiated traffic

Glemnet_BECK
Level 1

I have a Cisco ACE 4710 A5(1.2).

Scenario: Inbound call from PSTN to SIP Phone. Call comes into the VIP and then load balances to sip server, the server then routes the call out via WAN to the SIP phone as below:

PSTN SIP Provider > (router) > ACE4710 > sip_server(s) > ACE4710 > (router) > SIP Phone

Note: Router is Cisco 3925 with "ip nat service sip udp port 5060" and Port 5060 mapped to the VIP of the ACE.

If I put the sip server directly behind the router it works fine.

From behind the ACE:

If I turn on sip inspect on the VIP the call setup (INVITE) and termination (BYE) work fine but the audio loops on the PSTN side from the mic to the speaker.

If I turn OFF sip inspect then the audio is fine and mapped correctly but the call termination (SIP BYE) hits the VIP from the PSTN but never reaches the sip server.

For ease and diagnostics, I have turned off all sip servers except one, meaning the load-balancer has only one server to choose from.

SIP Call_id sticky is set up and seems to work, though irrelevant with only one server on test.

How do I get the ACE to accept 'server initiated traffic' with sip inspect so it knows about the pending BYE when it comes back from the IP phone via the VIP?

Config below, image attached. Bridged mode (also get the same result in routed mode)

Thanks

Garry

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe sip udp 1
  description SIP Health Monitor
  interval 30
  expect status 200 200

rserver host server1
  description Production SIP Server
  ip address 10.44.56.172
  conn-limit max 980 min 980
  probe 1
  inservice

serverfarm host sip
  failaction purge
  probe 1
  rserver server1
    inservice

sticky sip-header Call-ID SIP_GROUP
  timeout 5
  serverfarm sip


class-map type sip loadbalance match-any SIP_L7
  2 match sip header Call-ID header-value ".*"
class-map match-any SIP_VIP_CLASS
  2 match virtual-address 10.44.56.100 tcp eq sip
  3 match virtual-address 10.44.56.100 udp eq sip

policy-map type loadbalance sip first-match SIP_L7_POLICY
  class SIP_L7
    sticky-serverfarm SIP_GROUP

policy-map multi-match SIP_L4_POLICY
  class SIP_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy SIP_L7_POLICY
    loadbalance vip icmp-reply active
    inspect sip

interface vlan 30
  bridge-group 3
  access-group input everyone
  service-policy input SIP_L4_POLICY
  no shutdown
interface vlan 31
  bridge-group 3
  access-group input everyone
  no shutdown

interface bvi 3
  ip address 10.44.56.2 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.44.56.1

context admin
  member sticky

7 Replies

sivaksiv
Cisco Employee

Hi,

Here is the config to inspect server-initiated traffic:

class-map all-udp-sip
  match virtual-address 0.0.0.0 0.0.0.0 udp eq 5060

policy-map multi-match NAT_SIP
  class all-udp-sip
    nat dyn 1 vlan
    inspect sip

Configure NAT to have the server IP NATed with the VIP:

interface vlan 30
  nat-pool 1 10.44.56.100 10.44.56.100 netmask 255.255.255.255 pat

interface vlan 31
  service-policy input NAT_SIP

Regards,
Siva

Hi Siva,

Thanks for your reply. The nat pool seems to have worked, as I can see the proper translation in the syslog. However, the issue still remains with sip and media pinhole using sip inspection (which I thought may have been fixed by the above).

Here are my findings when I turn on/off sip inspect in: policy map multi-match SIP_L4_POLICY


When sip inspect ON:


PSTN to IP Phone = No RTP from PSTN side, SIP call termination OK

IP Phone to PSTN = NO RTP from IP Phone side, SIP call termination OK


When sip inspect OFF:


PSTN to IP Phone = RTP ok, SIP call termination NOT OK

IP Phone to PSTN = RTP ok, SIP call termination OK


Turning PAT off in the nat pool made no difference

I can get clean SIP or RTP but not both together.

Many thanks


Hi Garry,

I'm not much of a SIP expert but I'm just trying to understand how the flow is actually being set up here.

Is this setup working fine with a single server? If so then this could be a problem with stickiness when we load-balance to multiple servers.

Also what exactly do you see in the packet trace? Do you see the packet getting dropped on ACE for server initiated traffic?

I might need to talk to some SIP expert to check how it works then we tweak the config on ACE to fit the requirement.

Regards,

Siva

Hi Siva,

The serverfarm is set to sticky, but I have shut down all the servers except a single server, meaning only one server is operational for selection by the ACE. This is so I can diagnose what is going on far easier.

I have read that SIP and PAT on the ACE don't go together and that the ACE pinholes ports for the media (RTP).

What is happening is that a SIP "INVITE" comes in from a PSTN carrier and hits the ACE's VIP... The ACE then relays this request to the serverfarm. So far so good.. When the sip server replies via the ACE SIP with a "200 OK" along with its SDP, the source port for the media (inbound RTP leg) gets translated from (eg) 11224 to 34917... When the PSTN sends the media into port 34917, there is no audio because actually the sip server is expecting on 11224. Black hole.

I think that no fixup is made between port 34917 to port 11224 to bridge the RTP audio stream.

All the configurations I can find have the same issue - either the RTP is fine (with sip inspect off) but the SIP "BYE" gets lost or thrown away by the VIP so call control is broken... OR I turn on sip inspection so call control is fine, but one-way audio occurs with the above port problem.

Is it possible you can send me over an actual working config for sip that has been tested? I can compare what is happening.

Many thanks
Garry
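
One way to confirm the rewrite described in this post from packet captures (an added example, not part of the original thread): it parses the SDP of the same SIP message as captured on the server side and on the router side of the ACE, and reports every media address or port that changed. The two messages are constructed; ports 11224 and 34917 and the addresses are taken from the thread, and pairing 10.44.56.100 with the translated port is an assumption.

```python
# Added example: compare the SDP of one SIP message captured on both sides of
# the load balancer. The two sample messages are constructed for illustration.

def parse_sdp(sip_message):
    """Return (call_id, [(media, addr, port), ...]) from a raw SIP message."""
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    call_id = None
    for line in head.split("\n")[1:]:                  # skip request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("call-id", "i"):   # "i" is the compact form
            call_id = value.strip()
    session_addr, streams = None, []
    for line in body.split("\n"):
        if line.startswith("c="):                      # c=IN IP4 <addr>
            addr = line.split()[-1]
            if streams:                                # media-level c= overrides
                m = streams[-1]
                streams[-1] = (m[0], addr, m[2])
            else:
                session_addr = addr
        elif line.startswith("m="):                    # m=<media> <port> <proto> ...
            media, port = line[2:].split()[:2]
            streams.append((media, session_addr, int(port.split("/")[0])))
    return call_id, streams

def rewritten_media(server_side, wire_side):
    """List the media endpoints that differ between the two capture points."""
    cid_a, a = parse_sdp(server_side)
    cid_b, b = parse_sdp(wire_side)
    if cid_a != cid_b:
        raise ValueError("messages belong to different calls")
    return [{"media": x[0], "server": x[1:], "wire": y[1:]}
            for x, y in zip(a, b) if x[1:] != y[1:]]

def _ok(addr, port):   # constructed 200 OK; only addr and port differ per side
    return ("SIP/2.0 200 OK\r\nCall-ID: constructed-1@example\r\n"
            "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
            f"v=0\r\no=- 1 1 IN IP4 {addr}\r\ns=-\r\nc=IN IP4 {addr}\r\n"
            f"t=0 0\r\nm=audio {port} RTP/AVP 0 8\r\n")

SERVER_SIDE = _ok("10.44.56.172", 11224)   # as sent by the SIP server
WIRE_SIDE = _ok("10.44.56.100", 34917)     # as seen after translation (assumed)

if __name__ == "__main__":
    for change in rewritten_media(SERVER_SIDE, WIRE_SIDE):
        print(change)
```

Each reported "wire" address and port is where the far end will send RTP, so it is the tuple that needs a matching translation or pinhole back to the "server" tuple.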

Hi Garry,

You say the client used port 11224 and the server sent the response to 34917? Due to this mismatch, the server response is not SIP-inspected?

If so then the configuration to inspect the server initiated traffic should have worked here.

Here is a sample config that worked in the past but it looks like we need a packet capture to verify what exactly is going on and tweak the configuration per our requirement.

sticky sip-header Call-ID STICK-SIP
  replicate sticky
  serverfarm SRVR_SIP

class-map match-any SIP_VIP
  3 match virtual-address 1.1.1.1 udp eq sip

class-map type sip loadbalance match-all sip_class
  2 match sip header Call-ID header-value ".*"

policy-map type loadbalance sip first-match SIP_L7
  class sip_class
    sticky-serverfarm STICK-SIP

policy-map multi-match SIP_L4
  class SIP_VIP
    loadbalance vip inservice
    loadbalance policy SIP_L7
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    inspect sip

interface vlan 67
  description Virtual-IPs
  service-policy input SIP_L4

rserver host test1

Regards,
Siva

Hi Siva,

I cannot get the above config to work as I get the same issue:

A call is made from the ipphone to the mobile phone.

flow: IPPHONE > ROUTER > ACE > SIPSERVER > ACE > ROUTER > PSTN CARRIER > MOBILE PHONE

The audio is heard from the mobile phone on the IP phone but not the other way. The audio from the IP phone gets blocked by the ACE. Equally, if a call is made from the mobile to the IP phone the reverse occurs.

If sip inspection is disabled - then audio works fine, but the SIP messages are never routed properly and after 60 seconds the call times out.

I have a raft of info ready to send that is zipped - have you an email address I can send it to?

Many thanks,

Garry

Hi Garry,

Can you raise a TAC case and attach all the info for our troubleshooting? This definitely requires a packet capture and, if necessary, running some debugs to check further.

Regards,
Siva