Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3023
Views
0
Helpful
1
Replies

ASA Inspection bypass for H323

tahequivoice
Level 2
Level 2

‎12-15-2009 09:44 AM - edited ‎03-11-2019 09:48 AM

Hi, I am trying to bypass one device from H323 inspection.  I created an ACL to deny IP any to the devices IP internally and externally, then permit ip any any. Then I created a class-map that matches the ACL, applied the Class-map to the service policy, removed the inspections from the default, and here is the problem I ran into, the class needs both H323 RAS and H323 H225, but when applying the second inspect I get an error,

Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

So I applied match default-inspection-traffic to the class map, and I was able to add both inspects to the class, then removed inspect H323 from the default. Well, the video that wasn't working started working, but we broke all outbound voice.  I removed what I did, and restored the original configuration, but it was still broke, so I had to reload the ASA. Now voice is back to normal, but Video is broke again.

How do I exclude this one IP from being inspected for all H323 without breaking the voice?  I am doing two other classes like this under the global policy for FTP inspection and to bypass the CSC for certain IP's, but they all have a single Inspect.

Labels:
0 Helpful
1 Reply 1

Kureli Sankar
Cisco Employee
Cisco Employee

‎12-15-2009 10:47 AM

What you ran into is expected(Multiple inspect commands can't be configured for a class ). Now coming to fix your video issue. I believe you may be running into some known h323 inspection issues where by the packets may not be fixed up properly.

In these case we have to collect captures (ingress and egress) and see what is going on or you may want to try to see if there is an option to for address translation on the video unit itself so, you can put in the translated address.

Give that a shot and let us know. If it still doesn't work then, we you would probably be better off opening a TAC case.

We would need to collect the following:

1. sh tech

2. syslogs (debug level)

3. debug h323 h225 event/asn

4. ingress, egress captures

-KS

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card