cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2321
Views
0
Helpful
1
Replies

Cisco ASA SIP Inspection Issues

Daniel Hood
Level 1
Level 1

I'm having issues with getting SIP and RTP traffic through a Cisco ASA with NAT enabled.


Diagram of issue:
http://i.imgur.com/Ymwl7Xm.jpg


Now, when we enable the SIP inspection on the ASA, the SIP messages are generated by "SIP CLIENT" and when generating a "200 OK" as part of the registration process, it adds two "via" headers to it. The first via header field is an IP I don't know, the second via header is the SIP servers IP. As this 200 OK goes through the ASA the ASA decides the second Via header field needs to be replaced with it's IP, which it then forwards to the SIP server. The SIP server sends it back, the ASA sends it back, etc until a huge loop has been completed. (This is confusing to explain so please see this for further explanation: http://i.imgur.com/ngl4MGF.jpg)


My question so far is, is this a bug? Default behaviour? Anyway to disable this part of the SIP inspection?


When we disable SIP inspection, we can get the SIP CLIENT registered and it can make a phone call but we get no audio (RTP). Is there a way of making this work? Or does it require SIP inspection?

1 Reply 1

Rishabh Seth
Level 7
Level 7

Hi Daniel,

I am not aware of the bug but I am sure that either you can enable/ disable the SIP inspection completely there is no way to partially disable SIP inspection.

Dis you try taking capture on the ASA ingress and egress interface and verified the via field to see if there is single via field in the ingress packet or not?

Thanks,

RS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: