OUTBOUND CALLS DROP AT 30 SECONDS THROUGH ASA & 2811

veltech
Level 1

 

Hi All,

 

My first post on the new look forum.

 

OVERVIEW OF PROBLEM

In our current network, we have a FreePBX SIP server with an ASA5510 facing the internet and a 3750 on the LAN side with 5 VLANs. Voice has its own VLAN. We are introducing a second ISP connection for capacity and have set up a 2811 with load balancing, IP SLA and tracking. With the current setup of ISP>>ASA>>SWITCH>>PBX everything works fine. The problem we have is when we introduce the 2811 between the ASA and the ISP modem. We then get a problem with outbound calls from our SIP server (FreePBX), which consistently drops the outbound call at 30 seconds. All inbound calls work fine all the time; the outbound calls work fine until we get to 30 seconds, then the call disconnects.

 

NEW TOPOLOGY

We have the following flow:  ISP>>CISCO 2811>>ASA5510>>LAN SWITCH

 

NEW CONFIG OVERVIEW

The ISP address is dynamic, the new one will be static, and the 2811 is performing basic NAT on the outside interfaces. On the 2811 inside interface to the LAN we have a 10.10.10.0/30 network. We are running IP SLA monitors as we are about to install the second ISP running load balance and PBR. The outside interface on the ASA is on 10.10.10.2 and the IP PBX is on 172.16.30.254 on VLAN30.

 

TROUBLESHOOT TO DATE

  1. Turned off SIP ALG on 2811 and ASA - No fix
  2. Looked at the various timers for SIP and UDP – Concluded that all timers set correctly.
  3. Tried various NAT configs on both ASA and 2811 - No fix

 

I think this is a NAT issue, as there is double NAT on the 2811 and ASA and, due to having only one public IP, I have used private addresses on the inside network. The ASA works fine without the 2811 upstream, so I think it must be a problem in the double NAT config. The PCAP shows the IP PBX sending the BYE request, so I think that the ASA is not seeing a response it should be on the SIP connection. When we get connected at the start of the call we have two-way audio, so RTP seems fine. This makes me think it is a SIP signalling issue through the NAT. The problem is I can’t pinpoint the problem and am hoping one of you experts can help with this one.

 

Many thanks in advance.

 

 


I would try two things. Enable packet inspection on the ASA (I saw this help some time ago) or use a STUN server.

 

Dennis Mink
VIP Alumni

Use pcap on your ASA and filter on SIP only to verify what the signalling looks like.

I suspect the 3-way handshake is not taking place, and 30 seconds is pretty much the timer for that. So you will have 30 seconds of audio until the BYE is sent. If your PBX is sending the BYE, it is not getting an ACK, I am guessing.

Please remember to rate useful posts, by clicking on the stars below.

veltech
Level 1

Hi All,

 

Thanks for the suggestions. I have packet inspection turned on and have tried with it disabled also. In the PCAP I can see the 3-way handshake taking place, which looks fine. The problem is that something is signalling a BYE request through the PBX server. It's not the PBX, as this only occurs when I add in the 2811.

Anyone any other suggestions?

 

What makes it challenging is the 30 seconds, suggesting that there's some timer working on it. But I don't think so.

As you already played with packet inspection, I'd say that NAT is a probable cause here. Is it possible for you to have a STUN server?
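
A way to run the check suggested in the replies above over a SIP-only capture, as an added example that is not part of any post in this thread: per Call-ID it reports whether the 200 OK to the INVITE was ever ACKed, how often it was retransmitted, who sent the BYE and how long after answer, and any RFC 1918 address still advertised in Contact or SDP. The `analyze` and `msg` helpers, the Call-ID and the 203.0.113.10 far end are assumptions made for the example, and the capture is constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _rfc1918(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:  # the regex matched digits that are not a valid IPv4 address
        return False

def analyze(packets):
    """Summarise each SIP dialog in [(time_s, src_ip, message_text), ...] by Call-ID."""
    calls = {}
    for ts, src, text in packets:
        lines = text.split("\r\n")
        hdr = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        cseq = hdr.get("cseq", "").split()
        if "call-id" not in hdr or len(cseq) != 2:
            continue
        c = calls.setdefault(hdr["call-id"], {"ok_count": 0, "first_ok": None, "acked": False,
                                              "bye_from": None, "bye_after": None, "private": set()})
        if lines[0].startswith("SIP/2.0 200") and cseq[1] == "INVITE":
            c["ok_count"] += 1  # a count above 1 means the 200 OK was retransmitted
            if c["first_ok"] is None:
                c["first_ok"] = ts
        elif lines[0].startswith("ACK "):
            c["acked"] = True
        elif lines[0].startswith("BYE ") and c["bye_from"] is None:
            c["bye_from"] = src
            c["bye_after"] = None if c["first_ok"] is None else ts - c["first_ok"]
        for l in lines:  # addresses advertised in Contact headers and SDP c= lines
            if l.lower().startswith(("contact:", "c=in ip4 ")):
                c["private"].update(ip for ip in re.findall(r"\d+(?:\.\d+){3}", l) if _rfc1918(ip))
    return calls

def msg(start, call_id, cseq, *extra):
    return "\r\n".join([start, f"Call-ID: {call_id}", f"CSeq: {cseq}", *extra, "", ""])

# Constructed capture (sample values, not the thread's PCAP): the 200 OK is never ACKed, so the
# far end retransmits it and sends BYE after 64*T1 = 32 s (RFC 3261 default timers).
PBX, FAR = "10.10.10.2", "203.0.113.10"
CAPTURE = [
    (0.0, PBX, msg("INVITE sip:100@203.0.113.10 SIP/2.0", "c1", "1 INVITE",
                   "Contact: <sip:pbx@172.16.30.254:5060>", "", "c=IN IP4 172.16.30.254")),
    *[(t, FAR, msg("SIP/2.0 200 OK", "c1", "1 INVITE")) for t in (1.0, 1.5, 2.5)],
    (33.0, FAR, msg("BYE sip:pbx@172.16.30.254:5060 SIP/2.0", "c1", "1 BYE")),
]
```

Calling `analyze(CAPTURE)` returns one summary per Call-ID. The private-address field is only meaningful for a capture taken after the last NAT hop, where Contact and SDP should already carry the translated address.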
