ASA and Facetime

John Blakley · ‎07-13-2010

All,

I've got a situation with Facetime and iPhone 4. The problem is that a user from the inside on our corp wireless can initiate a facetime session with someone outside of our network with no problems. The same user can't call a user on the inside of the network and a user from outside the company can't initiate a session to someone from the inside.

I've got hairpinning configured for the wireless subnet and I'm natting to a particular address for these addresses. The call will fail if the user is initiating a call to another user inside. It almost looks like the traffic will have to be allowed back on on the outside interface. Is this the case? Does Apple initiate a new connection for Facetime requests?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Kevin Redmon · ‎07-14-2010

John,

Doing a quick Google search, I see that Facetime is using SIP, ICE, RTP, and H264. I'm not sure how accurate it is, but here's the link I used:

http://youshottheinvisibleswordsman.co.uk/2010/06/25/iphone4-facetime-and-open-standards/

With that being said, the first thing that I would confirm is that you have 'inspect sip' within your policy-map and applied to the appropriate interfaces. If that is there, the only thing that I can offer is some basic troubleshooting guidance:

1.) Enable 'logging buffered debug' and increase the buffer-size substantially. I usually use 'logging buffer-size 512000' or '1024000'.

2.) Enable packet captures on the relevant interfaces for the relevant traffic:

https://supportforums.cisco.com/docs/DOC-1222

3.) Create the issue by trying a call that doesn't work.

4.) Immediately after reproducing the issue, do a 'show log | inc ' where ip_addr is the relevant host that is failing. In some cases, it is equally easy to just do a 'show log' and use other PC/Linux tools (Notepad or Grep) to parse through the traffic.

5.) If #3 doesn't give you all of the information, try a call that DOES work and do a comparative study of the two.

In either case, the information from #2 and #4 above will give you alot of good information - and the syslogs will give us a better understanding as to how the ASA is handling the connections.

My initial suspicion is that you have an asymmetric route issue. Since the ASA is a stateful firewall, it needs to see every packet of a TCP flow. If you see a number of syslogs of 'Deny TCP (no connection)', this is a tell-tale sign of exactly that. The possible solutions for you, if that is the case, would be to adjust the routing on your network to ensure that this doesn't happen or enable TCP State Bypass for the relevant traffic (supported in 8.2):

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

Good Luck! Let me know if this helps!

Best Regards,
Kevin

plantowski · ‎01-23-2012

Did anyone actually get Facetime to work behind an ASA, and if so how?

Praveencco_2 · ‎06-12-2013

Hi

I am facing the same problem. Could you please some help me on this. If I permit to any destination this is working.

furdog · ‎08-23-2013

object-group service Facetime tcp

port-object eq 16402

port-object eq 2483

port-object eq 51663

access-list in2out extended permit tcp any any object-group Facetime

access-list out2in extended permit tcp any any object-group Facetime

You can probably secure this more by designating only the ports that are requred specifically for in and out and further by limited the IP ranges that are accessed, but I needed to call my dauighter quick.