I guess that's good to hear :)

I have packet captures and syslog output if needed. If the ASA was shunting the connection due to triggering some kind of IDS signature, where would that get logged?

Have you checked 'show asp drop' during the connection to see if anything is showing up there?

--Jason

Will do. Thanks for the tip.

I think you are on the right track. I was troubleshooting an ASA5540 and it automatically SHUN the source IP and doesnt log anything in the debugging syslog.

Try performing a "show shun" and see if theres anything displayed.

Then do a "clear shun" if you see anything.

This is most likely not related, but I share it for consideration. We run site2site 3des vpn tunnels to our asa5520, and found that voice signal traffic (sccp tcp 2000) would drop at random times for no apparent reason, causing our remote Cisco 7900 phones to reset.

The remedy for us was to turn off the global inspection of the skinny protocol while TAC researches the problem.

Conversely we needed to enable inspection for our SIP voice phone connections to work.

If possible you may wish to scrutinize your inspect statements, and enable/disable for the protocols you are running.

Good luck

Interestingly enough, the vendor had already instructed them to disable the skinny fixup for the same reason. I'll have to review the text config (they use pdm) to see how completely its disabled.

Thanks

Thanks for the tip, we'll try that out.

Same exact issues here. We had to disable skinny to get the phones from dropping ever 30 minutes or so.

Also, we have a similiar issue with an application and random disconnects. TAC says there is nothing wrong with the 5520 and application guys say there is nothing wrong with the app.

The TAC guy on my case is sharp. We needed skinny inspection enabled for IPC softphones coming inbound via our DMZ interface from an ssl vpn appliance, but needed inspection off for our site2site 7900 phones whose vpns terminate on the asa5520.

He wrote a clever inspection class map to enable skinny inspect based on acls for specific voice networks, and disabled it globally on the firewall, so we have a nice work around in place.

In parallel, he got with one of his voice colleagues and they are replicating our issue with our configs in their lab, because they are fairly certain there is a bug.

Credit to Cisco they dug in deep and understand the aspects of the problem, and it's my hopes that the results they acheive will resolve other issues and make the product all the better.

My suggestions are to contact your local account exec and have submit feature requests (e.g. dscp marking for qos, etc.)

At the end of the day though I'll go with Cisco anyday over the other guys.

Good luck!