
NO Inspect SIP

S.mooney12
Level 1

Hi Guys

 

Ran into an issue today with our VOIP service provider: calls were not coming through. A quick call to the service provider suggested turning off SIP inspection, and yep, it works.

My question is: if SIP is not being inspected and we have no ACL, how does this work?

 

 

Thanks 


Accepted Solutions

Dennis Mink
VIP Alumni

When you turn SIP inspection off, you essentially pass on SIP traffic (most likely based on udp/5060 and 61 or tcp). The ASA will then not "intelligently" inspect SIP protocol headers and dynamically open up RTP ports based on the inspection. SIP inspection can be a bit of a double-edged sword: sometimes it creates problems, sometimes it fixes them.

Please remember to rate useful posts, by clicking on the stars below.
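
A simplified model of the dynamic RTP port opening described in the answer above, added here as an illustration (not code from the thread and not Cisco's implementation): it reads the SDP offer carried in a SIP INVITE and derives the media pinholes an inspecting firewall would open for that call. The sample INVITE, the addresses and the function names are constructed for the example.

```python
# Constructed sample INVITE with an SDP offer (RFC 5737 documentation addresses).
INVITE = "\r\n".join([
    "INVITE sip:1001@198.51.100.20 SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample",
    "Call-ID: constructed-example@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",        # session-level media address
    "t=0 0",
    "m=audio 24580 RTP/AVP 0 8",  # negotiated RTP port for this call
    "m=video 0 RTP/AVP 31",       # port 0 = stream disabled, no pinhole
    "",
])

def media_pinholes(sip_message):
    """Return (ip, proto, port, purpose) tuples derived from the SDP body."""
    head, _, body = sip_message.partition("\r\n\r\n")
    if "content-type: application/sdp" not in head.lower():
        return []  # no SDP offer/answer, nothing to open
    session_addr, streams, current = None, [], None
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "m":
            kind, port, proto = value.split()[:3]
            current = {"kind": kind, "port": int(port.split("/")[0]),
                       "addr": None, "rtp": proto.startswith("RTP/")}
            streams.append(current)
        elif key == "c":
            addr = value.split()[2]
            if current is None:
                session_addr = addr      # applies to every stream
            else:
                current["addr"] = addr   # media-level override
    holes = []
    for s in streams:
        addr = s["addr"] or session_addr
        if not s["rtp"] or s["port"] == 0 or addr is None:
            continue
        holes.append((addr, "udp", s["port"], s["kind"] + " RTP"))
        # Assumption: RTCP on RTP port + 1 (the default when no a=rtcp line).
        holes.append((addr, "udp", s["port"] + 1, s["kind"] + " RTCP"))
    return holes

def permits(holes, dst_ip, dst_port):
    """True if a UDP packet to dst_ip:dst_port matches a negotiated pinhole."""
    return any(ip == dst_ip and port == dst_port for ip, _, port, _ in holes)
```

With inspection off, nothing derives these per-call entries, so the media ports have to be covered by a static rule instead.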


David_Mason
Level 1

@Dennis Mink we recently had a very similar issue.  

Here's the setup:

We have a global deny policy - no ACL, no pass. 

We did not have ACLs allowing traffic to flow through a firewall to our CUBEs.

SIP inspection was ON.

Calls are flowing.

 

Change to inspection policy - do not match (inspect) for a single IP.

We apply policy and no new RTP is set up, resulting in calls coming through with no audio.

We quickly put ACLs in place to allow our SIP endpoints (Soft Phones) a path to the CUBEs.

Calls start flowing.

Inspection policy is still in place.

 

We open a TAC case and the agent says it should have never worked without ACLs.

 

I'm a little confused. Should the inspection policy dynamically create pathways for SIP traffic, or is an ACL required? It seems to be as of right now, at least, but that doesn't explain the last few years. Of note - this is the first time we've touched the inspection policy in our tenure here.

 
