
Firepower: SIP inspection stops working after a while

sabienzia5500
Level 1

Hello,
we have a brand new Firepower 2120 (7.3.1) as a replacement for our ASA 5525.
The SIP inspection to our VoIP provider works very well for a while and then it just stops working.
The only thing that helps is to delete all connections to the VoIP providers, so we have a lot of impact on our customers.

Any ideas appreciated.

11 Replies

Do you have multiple ISPs?

Hi MHM,
yes we have; we get the calls from 2 different ISPs over 2 different interfaces. Both lines have the same problem.

SIP is UDP traffic, so check the NATing.
If the FPR uses one ISP and then fails over to the other ISP, the NAT still points to the failed ISP, and that is why the traffic is dropped.
Check packet-tracer to see which ISP the route-lookup points to.

Thanks, but it is not about failover; they are 2 separate ISPs. NATing works all the time, only at some point the FPR stops translating the IP address in the SDP packet.

Can you share a packet-tracer for SIP traffic?

Sure, as I said the config works very well for a while, then the SIP inspection stops.
I have also seen in the ASP drops a large number of inspection failures (inspect-fail); can that be related to this issue:
Inspection failure (inspect-fail) 23908


packet-tracer input B1-BT-VOIP udp 62.180.237.70 5060 198.51.100.12 5060

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 28149 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 21325 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 198.51.100.12 using egress ifc B1-PEER(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 17913 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp ifc B1-BT-VOIP object-group FMC_INLINE_src_rule_268435823 object-group ALL-PEER-KAM-Group object-group obj_udp_5060 rule-id 268435823 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435823: PREFILTER POLICY: B1 Prefilter Policy
access-list CSM_FW_ACL_ remark rule-id 268435823: RULE: B1-BT-> B1-PKs
object-group network FMC_INLINE_src_rule_268435823
description: Auto Generated by FMC from src of PrefilterRule# 340 (B1 Prefilter Policy/mandatory)
network-object object BT_IP_Range_246
network-object object BT_IP_Range_237
object-group network ALL-PEER-KAM-Group
group-object BER1-PEER-Kamailio-Group
group-object BER2-PEER-Kamailio-Group
object-group service obj_udp_5060 udp
port-object eq sip
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 17913 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 17913 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 17913 ns
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: inspect-sip
Result: ALLOW
Elapsed time: 121126 ns
Config:
class-map class-sip-inspect
match access-list b1-sip-inspect-acl
policy-map global_policy
class class-sip-inspect
inspect sip
service-policy global_policy global
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 1706 ns
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 12795 ns
Config:
object network b1-peer-kam-02-BT
nat (B1-PEER,B1-BT-VOIP) static SZ-BT-217.70.132.88
Additional Information:

Result:
input-interface: B1-BT-VOIP(vrfid:0)
input-status: up
input-line-status: up
output-interface: B1-PEER(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 256753 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaacc42cb0 flow (NA)/NA

Sorry, your post is deleted, but I see that the NAT makes the traffic drop, am I right?

Not really; on the ASA we get the same result using packet-tracer (Type: NAT, Subtype: rpf-check, Result: DROP), but the config has worked for so many years.
So I thought of the ASP and/or another thing that after a time becomes full or reaches a limit.

There is a NAT conflict for this traffic.
In show run nat, check which NAT above the SIP server static NAT affects it.
If this happens again,
change the NAT from auto NAT to manual NAT.

RolfSchade
Level 1

I also have this problem. The NAT only fails for SIP packets; for HTTP traffic, for example, it works fine. In our case it works for about a week and then the SIP packets are not inspected, and the voice provider sends the answer packets with the original IP address to the Firepower, where the packets are dropped.
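The symptom described in this thread (the Firepower stops rewriting the address in the SDP, so the provider answers to the original, unroutable address) can be spotted in a capture of outbound SIP. The following is an added Python check, not code from the thread or from Cisco: given the post-NAT IP-header source and the SIP message text, it flags RFC1918 addresses still embedded in Via, Contact and the SDP o=/c= lines. The sample INVITE and all addresses in it are constructed.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it leaves the firewall after SIP inspection
# has stopped rewriting embedded addresses. The IP header source was NATed to
# a public address, but Via/Contact and the SDP still carry the internal host.
SAMPLE_SRC_IP = "203.0.113.10"  # post-NAT source address (constructed)
SAMPLE_INVITE = (
    "INVITE sip:+4930123456@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:1001@10.1.2.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Fields in which a SIP message embeds the sender's address (the ones SIP inspection rewrites).
FIELD_PATTERNS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+" + IPV4, re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?@" + IPV4, re.I | re.M),
    "SDP o=": re.compile(r"^o=.*\bIN IP4 " + IPV4, re.M),
    "SDP c=": re.compile(r"^c=IN IP4 " + IPV4, re.M),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def embedded_addresses(sip_text):
    """Return (field, address) pairs for every IPv4 address embedded in headers/SDP."""
    return [(field, m.group(1))
            for field, pat in FIELD_PATTERNS.items()
            for m in pat.finditer(sip_text)]

def untranslated_addresses(src_ip, sip_text):
    """Return embedded RFC1918 addresses that differ from the IP-header source.

    With inspection working, every embedded address equals src_ip; an internal
    address left behind is the failure the thread describes, and the provider
    will send its answer to that unroutable address."""
    src = ipaddress.ip_address(src_ip)
    leaks = []
    for field, addr in embedded_addresses(sip_text):
        a = ipaddress.ip_address(addr)
        if a != src and any(a in net for net in RFC1918):
            leaks.append((field, addr))
    return leaks

def inspection_working(src_ip, sip_text):
    """True when no internal address leaked into the SIP headers or SDP."""
    return not untranslated_addresses(src_ip, sip_text)
```

Running this over a capture taken on the outside interface while calls work, and again once they fail, shows directly whether the embedded addresses are still being rewritten.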

AViftrup
Level 1

This is not related to FTD, but I remember having weird SIP issues way back on the Cisco ASA 55XX series several times.
Most times it was related to SIP inspection and the SIP timeouts.

Do you know exactly what seems to be the issue? Is it calling or voice? I'm not suggesting this as a long-term fix, but you could try disabling the SIP inspection as a starting point; otherwise you might have to mess around with the SIP timeout timers.
