ASA 9.2(2)4 - No SIP connections after external IP change

sgofferje
Level 1

Hi,

I have an ASA 5505 with SW 9.2(2)4 on a cable connection with an external modem. Behind the ASA are a number of services including one Asterisk server which maintains a connection to a SIP provider. SIP inspection is disabled in the ASA because it interferes with the Asterisk's own NAT functionality. The ASA is getting its external IP via DHCP from the ISP. The external IP does change every once in a while.

If the external IP changes, the Asterisk server cannot connect to the SIP provider any more. I did a number of tests and found that literally everything else works as expected. The server can reach every other internet service. Only outgoing SIP doesn't work any more. I did various packet traces at different points in the network and the ASA seems to simply ignore the outgoing SIP packets.

If I reload the ASA, SIP works again.

Of course, having to reload the ASA after an IP address change is not acceptable, especially as this change can theoretically occur at any given time and usually goes unnoticed - which every time puts the phone system out of service.

Is there anything I might have missed in the config or is this a firmware bug?

-Stefan

4 Replies

sgofferje
Level 1

It seems to be a firmware bug! I just tried clear conn all and after that, the Asterisk did connect to the SIP provider.

Clearing all connections on an interface should be automatic after an IP address change as it doesn't really make any sense to keep a connection active on an interface when the IP changes!

Hi,

Reading through the description of this issue, I think the change in IP address is actually implemented on the ASA device for the connections as well.

This is seen as all the other traffic works fine.

Now, I see that you have the SIP inspection disabled, so the ASA would not be looking into the SIP header and would not need to open up pinholes.

So, I don't think there should be any difference before and after the IP change on the interface of the ASA device. It should be a normal UDP connection.

Can we collect the "show conn address <SIP server address>" and "show xlate" output before and after the IP address change happens?

Thanks and Regards,

Vibhor Amrodia

I will collect the information and report back.

OK, I didn't notice the address change, but this is after the address change and before clearing the connection:

defiant# sh conn addr 217.10.79.9
119 in use, 868 most used

UDP outside  217.10.79.9:5060 inside  192.168.10.203:5060, idle 0:00:00, bytes 14282250, flags -

defiant# sh xlate
62 in use, 787 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:192.168.10.0/24 to outside:192.168.10.0/24
    flags sIT idle 192:15:35 timeout 0:00:00
NAT from outside:192.168.5.0/24 to inside:192.168.5.0/24
    flags sIT idle 192:15:35 timeout 0:00:00
NAT from outside:192.168.5.0/24 to outside:192.168.5.0/24
    flags sIT idle 192:15:35 timeout 0:00:00
NAT from outside:192.168.5.0/24 to outside:192.168.5.0/24
    flags sIT idle 192:15:35 timeout 0:00:00
UDP PAT from inside:192.168.10.203 10000-20000 to outside:80.220.41.203 10000-20000
    flags srT idle 9:10:39 timeout 0:00:00
NAT from outside:0.0.0.0/0 to WIFI1:0.0.0.0/0
    flags sIT idle 9:10:39 timeout 0:00:00
TCP PAT from inside:192.168.10.200 993-993 to outside:80.220.41.203 993-993
    flags sr idle 0:06:37 timeout 0:00:00
TCP PAT from inside:192.168.10.200 25-25 to outside:80.220.41.203 25-25
    flags sr idle 0:10:47 timeout 0:00:00
TCP PAT from inside:192.168.10.200 587-587 to outside:80.220.41.203 587-587
    flags sr idle 9:10:39 timeout 0:00:00
TCP PAT from inside:192.168.10.202 8000-8000 to outside:80.220.41.203 8000-8000
    flags sr idle 9:08:59 timeout 0:00:00
TCP PAT from inside:192.168.10.202 8003-8003 to outside:80.220.41.203 8003-8003
    flags sr idle 9:10:39 timeout 0:00:00
UDP PAT from inside:192.168.10.203 4569-4569 to outside:80.220.41.203 4569-4569
    flags sr idle 9:10:39 timeout 0:00:00
TCP PAT from inside:192.168.10.203 64738-64738 to outside:80.220.41.203 64738-64738
    flags sr idle 9:10:39 timeout 0:00:00
UDP PAT from inside:192.168.10.203 64738-64738 to outside:80.220.41.203 64738-64738
    flags sr idle 0:07:31 timeout 0:00:00
UDP PAT from inside:192.168.10.203 5060-5060 to outside:80.220.41.203 5060-5060
    flags sr idle 1:01:40 timeout 0:00:00
TCP PAT from inside:192.168.10.203 5061-5061 to outside:80.220.41.203 5061-5061
    flags sr idle 9:10:39 timeout 0:00:00
TCP PAT from inside:192.168.10.204 443-443 to outside:80.220.41.203 443-443
    flags sr idle 9:10:39 timeout 0:00:00
TCP PAT from inside:192.168.10.204 80-80 to outside:80.220.41.203 80-80
    flags sr idle 1:10:09 timeout 0:00:00

TCP PAT from inside:192.168.10.4/43793 to outside:80.220.41.203/43793 flags ri idle 0:03:37 timeout 0:00:30
TCP PAT from inside:192.168.10.4/41940 to outside:80.220.41.203/41940 flags ri idle 0:08:21 timeout 0:00:30
TCP PAT from inside:192.168.10.4/39466 to outside:80.220.41.203/39466 flags ri idle 0:19:11 timeout 0:00:30
TCP PAT from inside:192.168.10.4/45862 to outside:80.220.41.203/45862 flags ri idle 0:20:21 timeout 0:00:30
TCP PAT from inside:192.168.10.4/55426 to outside:80.220.41.203/55426 flags ri idle 0:38:21 timeout 0:00:30
TCP PAT from inside:192.168.10.4/41727 to outside:80.220.41.203/41727 flags ri idle 2:09:31 timeout 0:00:30
TCP PAT from inside:192.168.10.4/45703 to outside:80.220.41.203/45703 flags ri idle 4:00:41 timeout 0:00:30
UDP PAT from inside:192.168.10.201/48141 to outside:80.220.41.203/48141 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:192.168.10.201/49581 to outside:80.220.41.203/49581 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:192.168.10.201/16780 to outside:80.220.41.203/47311 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:192.168.10.201/39712 to outside:80.220.41.203/39712 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:192.168.10.201/41582 to outside:80.220.41.203/41582 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from inside:192.168.10.201/45973 to outside:80.220.41.203/45973 flags ri idle 0:00:15 timeout 0:00:30
TCP PAT from inside:192.168.10.201/45972 to outside:80.220.41.203/45972 flags ri idle 0:00:15 timeout 0:00:30
UDP PAT from inside:192.168.10.201/20889 to outside:80.220.41.203/20889 flags ri idle 0:00:25 timeout 0:00:30
UDP PAT from inside:192.168.10.201/51529 to outside:80.220.41.203/51529 flags ri idle 0:00:25 timeout 0:00:30
TCP PAT from inside:192.168.10.201/45971 to outside:80.220.41.203/45971 flags ri idle 0:00:15 timeout 0:00:30
UDP PAT from inside:192.168.10.253/3074 to outside:80.220.41.203/3074 flags ri idle 0:00:28 timeout 0:00:30
TCP PAT from inside:192.168.10.1/45443 to outside:80.220.41.203/45443 flags ri idle 0:00:13 timeout 0:00:30
TCP PAT from inside:192.168.10.1/45442 to outside:80.220.41.203/45442 flags ri idle 0:00:28 timeout 0:00:30
TCP PAT from inside:192.168.10.1/53585 to outside:80.220.41.203/53585 flags ri idle 0:01:55 timeout 0:00:30
TCP PAT from inside:192.168.10.1/36400 to outside:80.220.41.203/36400 flags ri idle 0:02:24 timeout 0:00:30
TCP PAT from inside:192.168.10.1/42905 to outside:80.220.41.203/42905 flags ri idle 0:02:24 timeout 0:00:30
UDP PAT from inside:192.168.10.1/29666 to outside:80.220.41.203/29666 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from inside:192.168.10.1/55508 to outside:80.220.41.203/55508 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from inside:192.168.10.1/40567 to outside:80.220.41.203/40567 flags ri idle 0:02:08 timeout 0:00:30
TCP PAT from inside:192.168.10.1/44629 to outside:80.220.41.203/44629 flags ri idle 9:07:23 timeout 0:00:30
TCP PAT from inside:192.168.10.1/52700 to outside:80.220.41.203/52700 flags ri idle 9:10:07 timeout 0:00:30
TCP PAT from inside:192.168.10.1/49046 to outside:80.220.41.203/49046 flags ri idle 9:10:08 timeout 0:00:30
TCP PAT from inside:192.168.10.1/50933 to outside:80.220.41.203/50933 flags ri idle 9:10:38 timeout 0:00:30
TCP PAT from inside:192.168.10.2/39792 to outside:80.220.41.203/39792 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from inside:192.168.10.2/47137 to outside:80.220.41.203/47137 flags ri idle 0:00:41 timeout 0:00:30
TCP PAT from inside:192.168.10.2/44469 to outside:80.220.41.203/44469 flags ri idle 0:02:24 timeout 0:00:30
TCP PAT from inside:192.168.10.2/42000 to outside:80.220.41.203/42000 flags ri idle 2:58:48 timeout 0:00:30
UDP PAT from inside:192.168.10.2/49997 to outside:80.220.41.203/49997 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from inside:192.168.10.2/59876 to outside:80.220.41.203/59876 flags ri idle 9:05:59 timeout 0:00:30
TCP PAT from inside:192.168.10.2/45678 to outside:80.220.41.203/45678 flags ri idle 9:09:01 timeout 0:00:30
TCP PAT from inside:192.168.10.2/38293 to outside:80.220.41.203/38293 flags ri idle 9:09:12 timeout 0:00:30
TCP PAT from inside:192.168.10.2/44394 to outside:80.220.41.203/44394 flags ri idle 9:09:12 timeout 0:00:30
TCP PAT from inside:192.168.10.2/53915 to outside:80.220.41.203/53915 flags ri idle 9:10:36 timeout 0:00:30
TCP PAT from inside:192.168.10.2/37581 to outside:80.220.41.203/37581 flags ri idle 9:10:37 timeout 0:00:30
TCP PAT from inside:192.168.10.2/56594 to outside:80.220.41.203/56594 flags ri idle 9:10:38 timeout 0:00:30

 

And now after clear conn 217.10.79.9 (after which my Asterisk connected to the provider):

defiant# sh conn addr  217.10.79.9  
93 in use, 868 most used

UDP outside  217.10.79.9:5060 inside  192.168.10.203:5060, idle 0:00:03, bytes 3816, flags -

defiant# sh xlate                   
50 in use, 787 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:192.168.10.0/24 to outside:192.168.10.0/24
    flags sIT idle 192:22:18 timeout 0:00:00
NAT from outside:192.168.5.0/24 to inside:192.168.5.0/24
    flags sIT idle 192:22:18 timeout 0:00:00
NAT from outside:192.168.5.0/24 to outside:192.168.5.0/24
    flags sIT idle 192:22:18 timeout 0:00:00
NAT from outside:192.168.5.0/24 to outside:192.168.5.0/24
    flags sIT idle 192:22:18 timeout 0:00:00
UDP PAT from inside:192.168.10.203 10000-20000 to outside:80.220.41.203 10000-20000
    flags srT idle 9:17:22 timeout 0:00:00
NAT from outside:0.0.0.0/0 to WIFI1:0.0.0.0/0
    flags sIT idle 9:17:22 timeout 0:00:00
TCP PAT from inside:192.168.10.200 993-993 to outside:80.220.41.203 993-993
    flags sr idle 0:01:35 timeout 0:00:00
TCP PAT from inside:192.168.10.200 25-25 to outside:80.220.41.203 25-25
    flags sr idle 0:02:19 timeout 0:00:00
TCP PAT from inside:192.168.10.200 587-587 to outside:80.220.41.203 587-587
    flags sr idle 9:17:22 timeout 0:00:00
TCP PAT from inside:192.168.10.202 8000-8000 to outside:80.220.41.203 8000-8000
    flags sr idle 9:15:42 timeout 0:00:00
TCP PAT from inside:192.168.10.202 8003-8003 to outside:80.220.41.203 8003-8003
    flags sr idle 9:17:22 timeout 0:00:00
UDP PAT from inside:192.168.10.203 4569-4569 to outside:80.220.41.203 4569-4569
    flags sr idle 9:17:22 timeout 0:00:00
TCP PAT from inside:192.168.10.203 64738-64738 to outside:80.220.41.203 64738-64738
    flags sr idle 9:17:22 timeout 0:00:00
UDP PAT from inside:192.168.10.203 64738-64738 to outside:80.220.41.203 64738-64738
    flags sr idle 0:04:19 timeout 0:00:00
UDP PAT from inside:192.168.10.203 5060-5060 to outside:80.220.41.203 5060-5060
    flags sr idle 0:01:28 timeout 0:00:00
TCP PAT from inside:192.168.10.203 5061-5061 to outside:80.220.41.203 5061-5061
    flags sr idle 9:17:22 timeout 0:00:00
TCP PAT from inside:192.168.10.204 443-443 to outside:80.220.41.203 443-443
    flags sr idle 9:17:22 timeout 0:00:00
TCP PAT from inside:192.168.10.204 80-80 to outside:80.220.41.203 80-80
    flags sr idle 1:16:52 timeout 0:00:00

TCP PAT from inside:192.168.10.4/43793 to outside:80.220.41.203/43793 flags ri idle 0:10:20 timeout 0:00:30
TCP PAT from inside:192.168.10.4/41940 to outside:80.220.41.203/41940 flags ri idle 0:15:03 timeout 0:00:30
TCP PAT from inside:192.168.10.4/55426 to outside:80.220.41.203/55426 flags ri idle 0:45:04 timeout 0:00:30
TCP PAT from inside:192.168.10.4/41727 to outside:80.220.41.203/41727 flags ri idle 2:16:14 timeout 0:00:30
TCP PAT from inside:192.168.10.4/45703 to outside:80.220.41.203/45703 flags ri idle 4:07:24 timeout 0:00:30
TCP PAT from inside:192.168.10.201/46003 to outside:80.220.41.203/46003 flags ri idle 0:00:13 timeout 0:00:30
TCP PAT from inside:192.168.10.201/46002 to outside:80.220.41.203/46002 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from inside:192.168.10.201/64551 to outside:80.220.41.203/64551 flags ri idle 0:00:13 timeout 0:00:30
UDP PAT from inside:192.168.10.201/21382 to outside:80.220.41.203/21382 flags ri idle 0:00:30 timeout 0:00:30
UDP PAT from inside:192.168.10.201/37143 to outside:80.220.41.203/37143 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from inside:192.168.10.201/46001 to outside:80.220.41.203/46001 flags ri idle 0:00:13 timeout 0:00:30
UDP PAT from inside:192.168.10.201/123 to outside:80.220.41.203/123 flags ri idle 0:01:28 timeout 0:00:30
TCP PAT from inside:192.168.10.1/45590 to outside:80.220.41.203/45590 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside:192.168.10.1/34313 to outside:80.220.41.203/34313 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from inside:192.168.10.1/34311 to outside:80.220.41.203/34311 flags ri idle 0:00:30 timeout 0:00:30
UDP PAT from inside:192.168.10.1/29666 to outside:80.220.41.203/29666 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from inside:192.168.10.1/40567 to outside:80.220.41.203/40567 flags ri idle 0:08:51 timeout 0:00:30
TCP PAT from inside:192.168.10.1/44629 to outside:80.220.41.203/44629 flags ri idle 9:14:06 timeout 0:00:30
TCP PAT from inside:192.168.10.1/52700 to outside:80.220.41.203/52700 flags ri idle 9:16:49 timeout 0:00:30
TCP PAT from inside:192.168.10.1/49046 to outside:80.220.41.203/49046 flags ri idle 9:16:50 timeout 0:00:30
TCP PAT from inside:192.168.10.1/50933 to outside:80.220.41.203/50933 flags ri idle 9:17:21 timeout 0:00:30
TCP PAT from inside:192.168.10.2/46901 to outside:80.220.41.203/46901 flags ri idle 0:00:29 timeout 0:00:30
TCP PAT from inside:192.168.10.2/42000 to outside:80.220.41.203/42000 flags ri idle 3:05:30 timeout 0:00:30
UDP PAT from inside:192.168.10.2/49997 to outside:80.220.41.203/49997 flags ri idle 0:00:04 timeout 0:00:30
TCP PAT from inside:192.168.10.2/59876 to outside:80.220.41.203/59876 flags ri idle 9:12:42 timeout 0:00:30
TCP PAT from inside:192.168.10.2/45678 to outside:80.220.41.203/45678 flags ri idle 9:15:44 timeout 0:00:30
TCP PAT from inside:192.168.10.2/38293 to outside:80.220.41.203/38293 flags ri idle 9:15:55 timeout 0:00:30
TCP PAT from inside:192.168.10.2/44394 to outside:80.220.41.203/44394 flags ri idle 9:15:55 timeout 0:00:30
TCP PAT from inside:192.168.10.2/53915 to outside:80.220.41.203/53915 flags ri idle 9:17:19 timeout 0:00:30
TCP PAT from inside:192.168.10.2/37581 to outside:80.220.41.203/37581 flags ri idle 9:17:20 timeout 0:00:30
TCP PAT from inside:192.168.10.2/56594 to outside:80.220.41.203/56594 flags ri idle 9:17:21 timeout 0:00:30

So, obviously the connection hung again. Just in case, I triple-checked and SIP inspection is deactivated. The only thing I could imagine is that the connection hangs because of the static PAT I configured for incoming SIP, but this would IMHO - again - be a bug...

-Stefan
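
An added example (not part of the thread, and not Cisco tooling): a Python script that parses the two `sh conn addr` outputs quoted above, flags UDP conn entries that carry a large byte counter yet never idle out, and confirms which entries were recreated after the clear. The function names and the byte/idle thresholds are assumptions of this example.

```python
import re

# Constructed sample input: the two "sh conn addr" outputs quoted in the thread.
BEFORE = """119 in use, 868 most used

UDP outside  217.10.79.9:5060 inside  192.168.10.203:5060, idle 0:00:00, bytes 14282250, flags -
"""
AFTER = """93 in use, 868 most used

UDP outside  217.10.79.9:5060 inside  192.168.10.203:5060, idle 0:00:03, bytes 3816, flags -
"""

# One connection line: "<proto> <ifc> <ip>:<port> <ifc> <ip>:<port>, idle h:mm:ss, bytes N, flags F"
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+):(\d+),"
    r"\s+idle\s+(\d+):(\d{2}):(\d{2}),\s+bytes\s+(\d+),\s+flags\s+(\S+)"
)


def parse_conns(text):
    """Map flow key -> {'idle_s', 'bytes'} for every connection line in the output."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip the "N in use, ..." header and blank lines
        proto, if_a, ip_a, port_a, if_b, ip_b, port_b, h, mi, s, nbytes, _flags = m.groups()
        key = (proto, if_a, ip_a, int(port_a), if_b, ip_b, int(port_b))
        conns[key] = {"idle_s": int(h) * 3600 + int(mi) * 60 + int(s), "bytes": int(nbytes)}
    return conns


def refreshed_long_lived(conns, min_bytes=1_000_000, max_idle_s=120):
    """UDP entries with a large byte counter that still see traffic (assumed thresholds)."""
    return sorted(k for k, v in conns.items()
                  if k[0] == "UDP" and v["bytes"] >= min_bytes and v["idle_s"] <= max_idle_s)


def rebuilt_flows(before, after):
    """Flows in both snapshots whose byte counter dropped, i.e. the entry was recreated."""
    return sorted((k, before[k]["bytes"], after[k]["bytes"])
                  for k in before.keys() & after.keys()
                  if after[k]["bytes"] < before[k]["bytes"])


if __name__ == "__main__":
    b, a = parse_conns(BEFORE), parse_conns(AFTER)
    print("refreshed long-lived UDP entries:", refreshed_long_lived(b))
    print("rebuilt after clear:", rebuilt_flows(b, a))
```
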
