firewall drop SIP 200 OK

bo liu
Level 4

Hello everyone,

Who can help me?

I have an environment like the top.

A CUCM uses BIB recording with a SIP recorder.

The CUCM will send an INVITE to the SIP recorder,

but when the SIP recorder responds to the INVITE with 200 OK, the firewall drops the packet.

The reason is CSeq missing, like the following (this is the firewall log):

[BEGIN] 2012/7/26 14:37:14

SIP:found content length 0, ctx->dlen 4

SIP::INVITE received from inside:10.10.10.25/48749 to outside:172.16.5.68/5060

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found URI in request line "sip:7778@172.16.5.68:5060" (25)

SIP::Found valid SIP URI: sip:60004@10.10.10.25

SIP::Found From addr "sip:60004@10.10.10.25" (21)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272437" (45)

SIP::Found valid SIP URI: sip:7778@172.16.5.68

SIP::Found To addr "sip:7778@172.16.5.68" (20)

SIP::Found Via branch "z9hG4bK11e460097a43" (19)

SIP::Found Via addr "SIP/2.0/TCP 10.10.10.25:5060;branch=z9hG4bK11e460097a43" (55)

SIP::Found Max-Forwards 70

SIP::Found Call-ID 1d45a200-101e53d-64b-190a0a0a@10.10.10.25 (41)

SIP::Found Expires, 180 seconds

SIP::Found valid SIP URI: sip:60004@10.10.10.25:5060

SIP::Found Contact sip:60004@10.10.10.25:5060

SIP::Found Content-length 0

    Found port 5060

    Found port 5060

Via Port 5060

SIP::Found User-Agent

SIP::Found Expires, 180 seconds

SIP::Found Call-Info

    Found port 5060

SIP::Found Expires, 1800 seconds

    Found port 5060

SIP::Not updating database for Contact 10.10.10.25/5060, registry database total 0

Created SIP session for inside:10.10.10.25/48749 to outside:172.16.5.68/5060, 7 total

    From: sip:60004@10.10.10.25 (21);tag=2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272437 (45)

    To: sip:7778@172.16.5.68 (20)

    Call-ID: 1d45a200-101e53d-64b-190a0a0a@10.10.10.25 (41)

Created SIP Transaction for inside:10.10.10.25/48749 to outside:172.16.5.68/5060

    Call-ID: 1d45a200-101e53d-64b-190a0a0a@10.10.10.25 (41)

    CSeq: 101 INVITE

    Branch: z9hG4bK11e460097a43

SIP:: Proxy forward 1041 bytes, total 1041

SIP:found content length 0, ctx->dlen 4

SIP::INVITE received from inside:10.10.10.25/48749 to outside:172.16.5.68/5060

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found URI in request line "sip:7778@172.16.5.68:5060" (25)

SIP::Found valid SIP URI: sip:60004@10.10.10.25

SIP::Found From addr "sip:60004@10.10.10.25" (21)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272440" (45)

SIP::Found valid SIP URI: sip:7778@172.16.5.68

SIP::Found To addr "sip:7778@172.16.5.68" (20)

SIP::Found Via branch "z9hG4bK11e513f2e798" (19)

SIP::Found Via addr "SIP/2.0/TCP 10.10.10.25:5060;branch=z9hG4bK11e513f2e798" (55)

SIP::Found Max-Forwards 70

SIP::Found Call-ID 1d45a200-101e53d-64c-190a0a0a@10.10.10.25 (41)

SIP::Found Expires, 180 seconds

SIP::Found valid SIP URI: sip:60004@10.10.10.25:5060

SIP::Found Contact sip:60004@10.10.10.25:5060

SIP::Found Content-length 0

    Found port 5060

    Found port 5060

Via Port 5060

SIP::Found User-Agent

SIP::Found Expires, 180 seconds

SIP::Found Call-Info

    Found port 5060

SIP::Found Expires, 1800 seconds

    Found port 5060

SIP::Not updating database for Contact 10.10.10.25/5060, registry database total 0

Created SIP session for inside:10.10.10.25/48749 to outside:172.16.5.68/5060, 8 total

    From: sip:60004@10.10.10.25 (21);tag=2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272440 (45)

    To: sip:7778@172.16.5.68 (20)

    Call-ID: 1d45a200-101e53d-64c-190a0a0a@10.10.10.25 (41)

Created SIP Transaction for inside:10.10.10.25/48749 to outside:172.16.5.68/5060

    Call-ID: 1d45a200-101e53d-64c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 INVITE

    Branch: z9hG4bK11e513f2e798

SIP:: Proxy forward 1040 bytes, total 1040

SIP:found content length 210, ctx->dlen 214

SIP::200 received from outside:172.16.5.68/5060 to inside:10.10.10.25/48749

    Found port 5060

Via Port 5060

    Found port 5060

SIP::Expires is in Date format

SIP: Media port 10003

SIP::session level connection addr 172.16.5.68, media port 10003

SIP::media level connection addr 172.16.5.68, media port 10003

SIP::Embedded media port 10003 found in SDP with session IP 172.16.5.68

SIP::Audio port 10003 found in SDP

SIP::regex engine has reached end of packet

SIP:: Mandatory field Cseq is missing

SIP::Parse Message failed!

SIP:found content length 210, ctx->dlen 214

SIP::200 received from outside:172.16.5.68/5060 to inside:10.10.10.25/48749

    Found port 5060

Via Port 5060

    Found port 5060

SIP::Expires is in Date format

SIP: Media port 10002

SIP::session level connection addr 172.16.5.68, media port 10002

SIP::media level connection addr 172.16.5.68, media port 10002

SIP::Embedded media port 10002 found in SDP with session IP 172.16.5.68

SIP::Audio port 10002 found in SDP

SIP::regex engine has reached end of packet

SIP:: Mandatory field Cseq is missing

SIP::Parse Message failed!

[END] 2012/7/26 14:38:12

The attachment is what I captured from the firewall inside and outside interfaces.
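A way to pull the rejected messages out of a debug log like the one in this post. This is an added example, not code from any participant in the thread: it groups the debug lines per received message and reports those that failed parsing and were never forwarded. The sample is abridged from the log above; the function names are illustrative.

```python
import re

# Abridged from the debug output quoted in the post above (blank lines dropped).
SAMPLE_LOG = """\
SIP::INVITE received from inside:10.10.10.25/48749 to outside:172.16.5.68/5060
SIP::Found CSeq 101 INVITE
SIP::Found Call-ID 1d45a200-101e53d-64b-190a0a0a@10.10.10.25 (41)
SIP:: Proxy forward 1041 bytes, total 1041
SIP::200 received from outside:172.16.5.68/5060 to inside:10.10.10.25/48749
SIP::Audio port 10003 found in SDP
SIP:: Mandatory field Cseq is missing
SIP::Parse Message failed!
"""

RECEIVED = re.compile(r"^SIP::(\S+) received from (\S+) to (\S+)$")
CSEQ = re.compile(r"^SIP::Found CSeq (\d+) (\S+)$")
CALL_ID = re.compile(r"^SIP::Found Call-ID (\S+)")
MISSING = re.compile(r"^SIP:: ?Mandatory field (\S+) is missing$")
FORWARD = re.compile(r"^SIP:: ?(?:Proxy forward|Forward) \d+ bytes")


def parse_messages(text):
    """Group debug lines into one record per 'SIP::<type> received' line."""
    messages, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = RECEIVED.match(line)
        if m:
            cur = {"kind": m.group(1), "src": m.group(2), "dst": m.group(3),
                   "cseq": None, "call_id": None, "missing": [],
                   "parse_failed": False, "forwarded": False}
            messages.append(cur)
        elif cur is None:
            continue  # lines before the first message belong to nothing
        elif (m := CSEQ.match(line)):
            cur["cseq"] = (int(m.group(1)), m.group(2))
        elif (m := CALL_ID.match(line)):
            cur["call_id"] = m.group(1)
        elif (m := MISSING.match(line)):
            cur["missing"].append(m.group(1))
        elif line == "SIP::Parse Message failed!":
            cur["parse_failed"] = True
        elif FORWARD.match(line):
            cur["forwarded"] = True
    return messages


def rejected(messages):
    """Messages the inspection engine failed to parse and never forwarded."""
    return [m for m in messages
            if (m["parse_failed"] or m["missing"]) and not m["forwarded"]]


if __name__ == "__main__":
    for m in rejected(parse_messages(SAMPLE_LOG)):
        print(f'{m["kind"]} {m["src"]} -> {m["dst"]}: missing {m["missing"]}')
```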

Accepted solution: the reply by Ramraj Sivagnanam Sivajanam further down in this thread (the one that begins "Please do copy and paste the configs shown below").


Maykol Rojas
Cisco Employee

Bo,

The ASA is not seeing it, I don't know why. I can see on the packet capture that the field is not missing; rather, the ASA is not seeing it. As per the RFC, the INVITE comes with the same CSeq. The RFC specifies that if it is not a new request, the CSeq should remain the same, and I don't see it changing for the same INVITE session.

   CSeq or Command Sequence contains an integer and a method name.  The
   CSeq number is incremented for each new request within a dialog and
   is a traditional sequence number.

20.16 CSeq

   A CSeq header field in a request contains a single decimal sequence
   number and the request method.  The sequence number MUST be
   expressible as a 32-bit unsigned integer.  The method part of CSeq is
   case-sensitive.  The CSeq header field serves to order transactions
   within a dialog, to provide a means to uniquely identify
   transactions, and to differentiate between new requests and request
   retransmissions.  Two CSeq header fields are considered equal if the
   sequence number and the request method are identical.

This may need a little bit of digging, I would like to see this one closely. I will update you soon.

Mike
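A check for the CSeq rules quoted in this reply, usable on a message exported from a packet capture. This is an added example, not code from the thread or from Cisco: it locates the CSeq header (names are case-insensitive and may be folded across lines), applies the 32-bit and case-sensitive-method rules, and compares it with the request's CSeq. The sample 200 OK is constructed, since the capture itself is not on the page; only its addresses, branch and Call-ID come from the log.

```python
import re

# Constructed 200 OK: tags and the empty body are assumptions for illustration.
SAMPLE_200_OK = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/TCP 10.10.10.25:5060;branch=z9hG4bK11e460097a43\r\n"
    b"From: <sip:60004@10.10.10.25>;tag=example-from-tag\r\n"
    b"To: <sip:7778@172.16.5.68>;tag=example-to-tag\r\n"
    b"Call-ID: 1d45a200-101e53d-64b-190a0a0a@10.10.10.25\r\n"
    b"CSeq: 101 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Decimal sequence number, whitespace, then a method token.
CSEQ_VALUE = re.compile(rb"^(\d+)[ \t]+([A-Za-z0-9.!%*_+`'~-]+)$")


def headers(raw):
    """Return (lowercased name, value) pairs from the header section."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    # A line starting with space or tab continues the previous header.
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    pairs = []
    for line in unfolded.split(b"\r\n")[1:]:  # skip the start line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cseq_of(raw):
    """Return (number, method); raise ValueError if absent or malformed."""
    values = [v for n, v in headers(raw) if n == b"cseq"]
    if len(values) != 1:  # strictness choice: exactly one CSeq header
        raise ValueError(f"expected one CSeq header, found {len(values)}")
    m = CSEQ_VALUE.match(values[0])
    if not m:
        raise ValueError(f"malformed CSeq value: {values[0]!r}")
    number = int(m.group(1).decode("ascii"))
    if number >= 2**32:
        raise ValueError("CSeq number does not fit a 32-bit unsigned integer")
    return number, m.group(2).decode("ascii")


def same_transaction(response, req_number, req_method):
    """Equal only if number and method (case-sensitive) are identical."""
    return cseq_of(response) == (req_number, req_method)


if __name__ == "__main__":
    print(cseq_of(SAMPLE_200_OK), same_transaction(SAMPLE_200_OK, 101, "INVITE"))
```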

Hi Maykol Rojas,

Thanks for your reply.

If there is no reason, can I configure the firewall to disable checking the packet and pass the packet through???

Sorry, I don't know firewalls...

Hi Bro

How many service-policies do you have in your FW? Assuming it's one (the default), please paste here the output for the command "show service-policy global".

I'm assuming your ACL and PING/network connectivity is good.

Personally, I think this is an issue with the SIP Recorder Server, based on this message "SIP::Found Expires, 180 seconds", but I stand corrected. Is your SIP able to work in a NAT environment?

Warm regards,
Ramraj Sivagnanam Sivajanam

Yes.... SIP is able to work in a NAT environment.....

Besides the recording, I also use SIP calls....

The following is the call log; 200 OK is transferred.

[BEGIN] 2012/7/29 9:30:23

SIP::INVITE received from inside:10.10.10.25/5060 to outside:172.16.5.74/5060

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found URI in request line "sip:13311173269@172.16.5.74:5060" (32)

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6" (54)

SIP::Found Max-Forwards 70

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found Expires, 180 seconds

SIP::Found valid SIP URI: sip:56768001@10.10.10.25:5060

SIP::Found Contact sip:56768001@10.10.10.25:5060

SIP::Found Content-type application/sdp

SIP::Found Content-length 210

    Found port 5060

    Found port 5060

Via Port 5060

SIP::Found User-Agent

    Found port 5060

SIP::Not updating database for Contact 10.10.10.25/5060, registry database total 0

SIP::Found Expires, 180 seconds

SIP::Found Expires, 1800 seconds

SIP: Media port 25628

SIP::session level connection addr 10.10.10.25, media port 25628

SIP::media level connection addr 10.10.10.25, media port 25628

SIP::Embedded media port 25628 found in SDP with session IP 10.10.10.25

SIP::Audio port 25628 found in SDP

Created SIP session for inside:10.10.10.25/5060 to outside:172.16.5.74/5060, 1 total

    From: sip:56768001@10.10.10.25 (24);tag=2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512 (45)

    To: sip:13311173269@172.16.5.74 (27)

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

Created SIP Transaction for inside:10.10.10.25/5060 to outside:172.16.5.74/5060

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 INVITE

    Branch: z9hG4bK1203cc309e6

SIP:: Forward 1150 bytes, total 1150

SIP::100 received from outside:172.16.5.74/5060 to inside:10.10.10.25/5060

    Found port 5060

Via Port 5060

SIP::Found Server

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6;received=10.10.10.25" (75)

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found Contact sip:13311173269@172.16.5.74

SIP::Found Content-length 0

SIP:: Forward 478 bytes, total 478

SIP::180 received from outside:172.16.5.74/5060 to inside:10.10.10.25/5060

    Found port 5060

Via Port 5060

SIP::Found Server

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found To addr tag "as0f22e141" (10)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6;received=10.10.10.25" (75)

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found Contact sip:13311173269@172.16.5.74

SIP::Found Content-length 0

SIP::Unable to open dialog pinhole for  10.10.10.25 to 172.16.5.74/0 from dialog forming 1xx Response

SIP:: Forward 494 bytes, total 494

SIP::183 received from outside:172.16.5.74/5060 to inside:10.10.10.25/5060

    Found port 5060

Via Port 5060

SIP::Found Server

SIP: Media port 19378

SIP::session level connection addr 172.16.5.74, media port 19378

SIP::media level connection addr 172.16.5.74, media port 19378

SIP::Embedded media port 19378 found in SDP with session IP 172.16.5.74

SIP::Audio port 19378 found in SDP

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found To addr tag "as0f22e141" (10)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6;received=10.10.10.25" (75)

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found Contact sip:13311173269@172.16.5.74

SIP::Found Content-type application/sdp

SIP::Found Content-length 179

SIP::Unable to open dialog pinhole for  10.10.10.25 to 172.16.5.74/0 from dialog forming 1xx Response

SIP:: Forward 715 bytes, total 715

SIP::CANCEL received from inside:10.10.10.25/5060 to outside:172.16.5.74/5060

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 CANCEL

SIP::Found URI in request line "sip:13311173269@172.16.5.74:5060" (32)

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6" (54)

SIP::Found Max-Forwards 70

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found Content-length 0

    Found port 5060

    Found port 5060

Via Port 5060

Created SIP Transaction for inside:10.10.10.25/5060 to outside:172.16.5.74/5060

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 CANCEL

    Branch: z9hG4bK1203cc309e6

SIP:: Forward 375 bytes, total 375

SIP::4xx received from outside:172.16.5.74/5060 to inside:10.10.10.25/5060

    Found port 5060

Via Port 5060

SIP::Found Server

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 INVITE

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found To addr tag "as0f22e141" (10)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6;received=10.10.10.25" (75)

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found Content-length 0

SIP:: Forward 465 bytes, total 465

SIP::200 received from outside:172.16.5.74/5060 to inside:10.10.10.25/5060

    Found port 5060

Via Port 5060

SIP::Found Server

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 CANCEL

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found To addr tag "as0f22e141" (10)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6;received=10.10.10.25" (75)

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found Content-length 0

SIP:: Forward 449 bytes, total 449

SIP::ACK received from inside:10.10.10.25/5060 to outside:172.16.5.74/5060

SIP::regex engine has reached end of packet

SIP::Found CSeq 101 ACK

SIP::Found URI in request line "sip:13311173269@172.16.5.74:5060" (32)

SIP::Found valid SIP URI: sip:56768001@10.10.10.25

SIP::Found From addr "sip:56768001@10.10.10.25" (24)

SIP::Found From addr tag "2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512" (45)

SIP::Found valid SIP URI: sip:13311173269@172.16.5.74

SIP::Found To addr "sip:13311173269@172.16.5.74" (27)

SIP::Found To addr tag "as0f22e141" (10)

SIP::Found Via branch "z9hG4bK1203cc309e6" (18)

SIP::Found Via addr "SIP/2.0/UDP 10.10.10.25:5060;branch=z9hG4bK1203cc309e6" (54)

SIP::Found Max-Forwards 70

SIP::Found Call-ID de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

SIP::Found Content-length 0

    Found port 5060

    Found port 5060

Via Port 5060

Created SIP Transaction for inside:10.10.10.25/5060 to outside:172.16.5.74/5060

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 ACK

    Branch: z9hG4bK1203cc309e6

Deleted SIP Transaction

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 ACK

    Branch: z9hG4bK1203cc309e6

Deleted SIP Transaction

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 CANCEL

    Branch: z9hG4bK1203cc309e6

Deleted SIP Transaction

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

    CSeq: 101 INVITE

    Branch: z9hG4bK1203cc309e6

SIP::Deleting session for 10.10.10.25 to 172.16.5.74, 0 total

    From: sip:56768001@10.10.10.25 (24);tag=2f3657b6-ce63-4bb2-9a23-3053c69980b6-30272512 (45)

    To: sip:13311173269@172.16.5.74 (27);tag=as0f22e141 (10)

    Call-ID: de4a6300-1419207-65c-190a0a0a@10.10.10.25 (41)

Freeing RTP and RTCP conns

Freeing RTP and RTCP conns

Freeing RTP and RTCP conns

SIP:: Freeing offer dialog conn outside:172.16.5.74/0 to inside:172.16.5.90/5060

SIP:: Freeing signaling conn outside:172.16.5.74/0 to inside:172.16.5.90/5060

SIP:: Forward 414 bytes, total 414

[END] 2012/7/29 9:31:49

This is show service-policy global.

Some SIP packets are dropped.

[BEGIN] 2012/7/29 9:39:00

sh ser

IPCC-ASA# sh service-policy g

IPCC-ASA# sh service-policy global

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 4868, drop 0, reset-drop 0

      Inspect: ftp, packet 0, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: h323 ras _default_h323_map, packet 154717, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

      Inspect: sqlnet, packet 0, drop 0, reset-drop 0

      Inspect: skinny , packet 57077, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

      Inspect: sip , packet 773, drop 76, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 16253

      Inspect: netbios, packet 19367, drop 0, reset-drop 0

      Inspect: tftp, packet 2, drop 0, reset-drop 0

      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0

IPCC-ASA#

[END] 2012/7/29 9:39:18
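The drop counters in this output can be watched programmatically. The following is an added example, not part of the original posts: it parses the "Inspect:" lines together with the tcp-proxy line that follows them and returns only the engines that are dropping traffic. The sample is an excerpt of the output above; function names are illustrative.

```python
import re

# Excerpt of the "show service-policy global" output pasted above.
SAMPLE_OUTPUT = """\
      Inspect: h323 ras _default_h323_map, packet 154717, drop 0, reset-drop 0
      Inspect: skinny , packet 57077, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 773, drop 76, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 16253
      Inspect: netbios, packet 19367, drop 0, reset-drop 0
"""

INSPECT = re.compile(
    r"^Inspect: (.+?)\s*, packet (\d+), drop (\d+), reset-drop (\d+)$")
TCP_PROXY = re.compile(r"^tcp-proxy: bytes in buffer (\d+), bytes dropped (\d+)$")


def inspection_counters(text):
    """One row per inspection engine, with its tcp-proxy counter if present."""
    rows = []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := INSPECT.match(line)):
            rows.append({"engine": m.group(1), "packets": int(m.group(2)),
                         "drops": int(m.group(3)),
                         "reset_drops": int(m.group(4)),
                         "proxy_bytes_dropped": 0})
        elif (m := TCP_PROXY.match(line)) and rows:
            # The tcp-proxy line belongs to the Inspect line just above it.
            rows[-1]["proxy_bytes_dropped"] = int(m.group(2))
    return rows


def dropping_engines(rows):
    """Engines with any drop counter above zero, with their drop ratio."""
    out = {}
    for r in rows:
        if r["drops"] or r["reset_drops"] or r["proxy_bytes_dropped"]:
            ratio = r["drops"] / r["packets"] if r["packets"] else 0.0
            out[r["engine"]] = {"drops": r["drops"],
                                "proxy_bytes_dropped": r["proxy_bytes_dropped"],
                                "drop_ratio": round(ratio, 3)}
    return out


if __name__ == "__main__":
    print(dropping_engines(inspection_counters(SAMPLE_OUTPUT)))
```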

Hi Bro

Please do copy and paste the configs shown below into your FW and re-test the connection. If this doesn't work, please paste your latest config here, so that everyone here can assist you.

policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
  no inspect skinny
  no inspect sunrpc
  no inspect xdmcp
  no inspect sip

P/S: If you think this comment is helpful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

My dear Jesus....

Suuure it will solve it....

This is an inspection issue, the firewall is not seeing a field that is in fact there... I wouldn't recommend at all removing the inspections, for security purposes and besides the clear fact that the ASA won't be able to re-write the embedded IP addresses on the SIP requests; in other terms... it may break your Voice over IP infrastructure... (if you have any besides this issue you are facing).

I would recommend you open a ticket with TAC; if you want I can look at it myself....

Mike
