Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2266
Views
5
Helpful
13
Replies

cisco asa packet drops

secureIT
Level 4
Level 4

‎02-10-2011 04:49 AM - edited ‎03-11-2019 12:48 PM

Hi,

we have a voip network just behind the cisco asa interface, im getting packet drops while pinging to the voip phone from the asa....getting 80% only.

between the asa and voip there are 2 L2 switches... no issues from L2 switches to the phones...

i have disabled h323 h225, skinny and h323 ras, but still facing the same problem...

below is the inspect configs before disabling them..

policy-map global_policy
class inspection_default
  inspect pptp
  inspect ip-options
policy-map global-policy
class global-class
  inspect dns
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect skinny
  inspect pptp
class inspection_default1
  inspect h323 ras
  inspect h323 h225
class class_sip_udp
  inspect sip

Pls help...

Labels:
0 Helpful
13 Replies 13

handsy
Level 1
Level 1

‎02-10-2011 05:25 AM

Have you checked your speed/duplex settings on the ASA interface and the VoIP interface the other side?

If there's a mismatch, the ASA will probably show interface details as Half/10, or something similar.

This will incur packet drops if a mismatch is present.

0 Helpful

secureIT
Level 4
Level 4
In response to handsy

‎02-10-2011 05:33 AM

Hi,

If i connect a pc with the same ip address of the phone, then im getting 100% ping responses....

So, speed and duplex will not come into picture right...

0 Helpful

handsy
Level 1
Level 1
In response to secureIT

‎02-10-2011 05:36 AM

Anything in the ASA logs that might help us?

0 Helpful

secureIT
Level 4
Level 4
In response to handsy

‎02-10-2011 05:40 AM

not even a single log is coming in asa for the source/destination when i ping to phone from asa firewall...

i disabled all these voip protocols and rebooted it..but still same problem only..80% success to ping.

0 Helpful

secureIT
Level 4
Level 4
In response to handsy

‎02-10-2011 05:45 AM

im attaching the asp drops and show service policy outputs..

this is only im having it..

pls help..

80257-putty-log-asa.txt.zip
0 Helpful

handsy
Level 1
Level 1
In response to secureIT

‎02-10-2011 05:59 AM

After doing some more investigation, I believe this is behaving as designed!

VOIP phones have rate limiting on them, and the ASA ping rates exceed those limits, therefore you get a few replies back, but not all.

Hope this helps.

0 Helpful

secureIT
Level 4
Level 4
In response to handsy

‎02-10-2011 06:17 AM

can you pls elaborate on this...rate limiting on the phones or on the asa firewalls..

would appreciate if you could tell me how to check this...

attached the config with out acl/routes/nat/vpn etc, which are not required here...

80258-config.txt.zip
0 Helpful

handsy
Level 1
Level 1
In response to secureIT

‎02-10-2011 06:34 AM

What VoIP phones do you have?

Cisco ones have rate limiting to prevent DoS attacks.....

0 Helpful

secureIT
Level 4
Level 4
In response to handsy

‎02-10-2011 07:08 AM

hi, avaya phones

0 Helpful

secureIT
Level 4
Level 4
In response to secureIT

‎02-10-2011 07:00 PM

could some one please help me............

0 Helpful

secureIT
Level 4
Level 4
In response to secureIT

‎02-11-2011 05:27 AM

Hi Netpro Team,,,, Pls help...

0 Helpful

handsy
Level 1
Level 1
In response to secureIT

‎02-11-2011 05:34 AM

I have already told you that there is rate limiting on VoIP phones.

Here's another thread at another forum confirming this fact:

http://www.tek-tips.com/viewthread.cfm?qid=1373907&page=1

Does that help you now?

songl
Cisco Employee
Cisco Employee

‎02-11-2011 05:51 AM

Do you capture packets on Swith or ASA . You can identify which device drops 20% packets.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card