ISR4431 VSEC +ZBF

felix.kessels
Level 1

Hi all,

I replaced an old 2811 Gateway with IPSEC, IP-INSPECT, PBR, and H323 ISDN gateway with a new 4431-VSEC with a 4 Port ISDN NIM-4BRI-NT/TE.

So I decided to go with IOS XE 3.16 since the NIM is supported since 3.14 according to http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-733646.html.

While doing the 1:1 config the ISR4431 declined the "ip inspect ..." under interface configuration. So I tried implementing ZBF and failed.

I put all private interfaces into one zone and the intrazone communication works flawlessly (also over the Tunnel Interfaces).

If I generate an ISDN call inward, the phones will ring, and I do hear the partner with the Cisco Phone clearly speaking, but he does not hear me, so here is my problem. I do have a unidirectional voice stream generated by the router (self zone) to Inside, which should be a default PASS all if no security-pair is configured (according to http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book.html).

To verify this I configured a policy map to pass all traffic:

!
policy-map type inspect PASS-ALL
 class class-default
  pass

I then applied it to

zone-pair security inside->self source Inside destination self
 service-policy type inspect PASS-ALL
zone-pair security self->inside source self destination Inside
 service-policy type inspect PASS-ALL

!

I then reestablished a voice call, and the same result as above, but now I do have the policy map counters counting up.

  Zone-pair: inside->self
  Service-policy inspect : PASS-ALL

    Class-map: class-default (match-any)  
      Match: any
      Pass
        6488 packets, 738225 bytes
  Zone-pair: self->inside
  Service-policy inspect : PASS-ALL

    Class-map: class-default (match-any)  
      Match: any
      Pass
        8290 packets, 898943 bytes

I then decided to use L7 inspection and configured an H323 inspect map with inspect in the same policy map:

 Zone-pair: inside->self
  Service-policy inspect : PASS-ALL

    Class-map: H323 (match-all)  
      Match: protocol h323
      Inspect
        Established Sessions
         Session ID 0x00000176 (10.10.16.6:57388)=>(10.120.18.1:17664) h245 SIS_OPEN
          Created 00:00:39, Last heard 00:00:25
          Bytes sent (initiator:responder) [139:168]
         Session ID 0x00000175 (10.10.16.6:57387)=>(10.120.18.1:1720) h225 SIS_OPEN
          Created 00:00:39, Last heard 00:00:05
          Bytes sent (initiator:responder) [232:605]
        
        Pre-Generating Sessions
         Session ID 0x0000017B (10.120.18.22:21266)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
          Created 00:00:27, Last heard 00:00:27
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x0000017A (10.120.18.22:21267)=>(10.120.18.1:8037) h323-RTCP-data SIS_PREGEN
          Created 00:00:27, Last heard 00:00:27
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x00000179 (10.10.16.6:0)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
          Created 00:00:28, Last heard 00:00:28
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x00000178 (10.10.16.6:4001)=>(10.120.18.1:8037) h323-RTCP-data SIS_PREGEN
          Created 00:00:28, Last heard 00:00:28
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x00000177 (10.10.16.6:4000)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
          Created 00:00:28, Last heard 00:00:28
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x00000188 (10.10.16.6:0)=>(10.120.18.1:17664) h245 SIS_PREGEN
          Created 00:00:05, Last heard 00:00:05
          Bytes sent (initiator:responder) [0:0]

    Class-map: class-default (match-any)  
      Match: any
      Pass
        8218 packets, 929550 bytes
  Zone-pair: self->inside
  Service-policy inspect : PASS-ALL

    Class-map: H323 (match-all)  
      Match: protocol h323
      Inspect

    Class-map: class-default (match-any)  
      Match: any
      Pass
        10650 packets, 1117545 bytes

and again only unidirectional voice.

So two questions: I did not find any place in the release notes that classic CBAC has been dropped. Can somebody verify this?

Why do I only get Pre-Generated Sessions? This seems like a BUG to me but I could not identify a bug via bugsearch.

Any ideas?

BR

felix
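As an added diagnostic (not part of the post and not a Cisco tool), here is a small Python parser over the session output quoted above. It assumes the line format of that show output, flags zone-pairs whose RTP/RTCP sessions never leave SIS_PREGEN, and lists zone-pairs that inspect H.323 but show no sessions at all, which is the pattern behind the one-way audio described here.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the session output quoted above
# (addresses and session IDs copied from it, timing/byte lines dropped).
SAMPLE = """\
  Zone-pair: inside->self
      Inspect
        Established Sessions
         Session ID 0x00000176 (10.10.16.6:57388)=>(10.120.18.1:17664) h245 SIS_OPEN
         Session ID 0x00000175 (10.10.16.6:57387)=>(10.120.18.1:1720) h225 SIS_OPEN
        Pre-Generating Sessions
         Session ID 0x0000017B (10.120.18.22:21266)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
         Session ID 0x00000177 (10.10.16.6:4000)=>(10.120.18.1:8036) h323-RTP-data SIS_PREGEN
  Zone-pair: self->inside
      Inspect
"""
ZONE_RE = re.compile(r"Zone-pair: (\S+)")
SESSION_RE = re.compile(r"Session ID (0x[0-9A-Fa-f]+) \((\S+):(\d+)\)=>\((\S+):(\d+)\) (\S+) (SIS_\w+)")

def parse_sessions(text):
    """One dict per 'Session ID' line, tagged with the zone-pair it appears under."""
    sessions, zone = [], None
    for line in text.splitlines():
        z = ZONE_RE.search(line)
        if z:
            zone = z.group(1)
            continue
        m = SESSION_RE.search(line)
        if m:
            sid, src, sport, dst, dport, proto, state = m.groups()
            sessions.append(dict(zone=zone, id=sid, src=src, sport=int(sport),
                                 dst=dst, dport=int(dport), proto=proto, state=state))
    return sessions

def stuck_media_zones(sessions):
    """Zone-pairs where every RTP/RTCP pinhole is still SIS_PREGEN: the channel was
    pre-generated from the H.245 exchange but no media packet has matched it."""
    counts = defaultdict(lambda: {"open": 0, "pregen": 0})
    for s in sessions:
        if s["proto"].startswith("h323-RT"):
            counts[s["zone"]]["open" if s["state"] == "SIS_OPEN" else "pregen"] += 1
    return sorted(z for z, c in counts.items() if c["pregen"] and not c["open"])

def zones_without_sessions(text, sessions):
    """Zone-pairs present in the output that carry no session at all."""
    seen = {s["zone"] for s in sessions}
    return [z for z in ZONE_RE.findall(text) if z not in seen]
```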


felix.kessels
Level 1

Oh, I forgot to mention: if I disable ZBF, voice works OK, but then my local internet breakout with PBR and NAT does not work.
