Packet Inspection 5515X

Hello,

I recently put a new 5515X firewall into production, but we had some issues related to VoIP and video calls. Our video solution is similar to the VoIP one: it uses UDP to send the images and voice. We noticed that at the beginning the video calls between 2 offices (site-to-site VPN) cut out for moments or didn't show the image and sound.

In the case of VoIP (we use a SIP provider), we could not make outbound calls or receive calls.

After some troubleshooting we decided to disable the inspection for SIP and ICMP. After that the VoIP worked but the video calls didn't work anymore. We enabled the parameters for SIP and ICMP again, and the video calls worked and the VoIP did not, for a while.

What other tests can I do in order to find the root of this? Can the inspection delay or drop the packets for these 2 services?

Julio Carvajal
VIP Alumni
Hello Luis,

Do you have the h323 inspection enabled?

Do you have any content filter in your network?

Does it work when you do a video call to a device on the internet (not on the L2L VPN)?

That being said, I would recommend you first add the inspections (SIP, H323 RAS and H225) and afterwards do a clear local-host (with this we will clear all the connections previously established by the ASA, so future ones will have the new inspection parameters).

If it does not work then we will need to do captures on both interfaces while the inspections are applied (if it is going through the VPN tunnel then just on the inside interface).

capture capin interface inside circular-buffer trace match ip host x.x.x.x host y.y.y.y

(x.x.x.x = local unit host, y.y.y.y = remote device)

If the other VPN endpoint is an ASA then do the capture on their side as well.

Regards,

Julio

CSC is a free support community, please take your time to rate all of the engineer's answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
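
The procedure from the answer above as one ASA CLI sequence. This is an added example, not part of the original post: the addresses 192.0.2.10 (local video unit) and 198.51.100.20 (remote device) and the interface names inside/outside are assumptions, and global_policy / inspection_default are the ASA default policy names.

```cisco
! Constructed example: 192.0.2.10 and 198.51.100.20 are placeholder
! addresses; "inside" and "outside" are assumed interface names.

! 1. Re-enable the inspections in the default global policy.
configure terminal
policy-map global_policy
 class inspection_default
  inspect sip
  inspect h323 h225
  inspect h323 ras
end

! 2. Flush existing host state so that new connections are built with
!    the inspections applied. Without an argument this tears down every
!    connection through the ASA; append an IP address to limit it to
!    one host.
clear local-host

! 3. Capture on both interfaces while reproducing a failing call.
!    On the outside the local unit may appear with a translated
!    address, so that capture matches on the remote device only.
capture capin interface inside circular-buffer trace match ip host 192.0.2.10 host 198.51.100.20
capture capout interface outside circular-buffer trace match ip host 198.51.100.20 any

! 4. Compare what entered on one interface with what left on the other,
!    then check how the ASA handled a captured packet and what it dropped.
show capture capin
show capture capout
show capture capin packet-number 1 trace
show service-policy
show asp drop

! 5. Remove the captures when finished.
no capture capin
no capture capout
```

A packet that appears in capin but never in capout was dropped or altered inside the firewall, and the trace output and `show asp drop` counters show at which stage.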

Hello,

Thank you for your reply. About your questions:

- Yes, I had enabled the h323 inspection.

- There is no content filter in our current network.

- It doesn't work when we tried to call a device on the internet. I ran clear conn protocol udp & tcp after I disabled the inspection for ICMP and SIP, and my VoIP calls worked, but the video calls stopped working. I enabled the inspections again and the video worked again and, with luck, the VoIP calls.

This video solution is special because it needs the UDP timeout changed to at least 30 minutes.

Regards,

Hello,

It's clear local-host, not clear conn!

So when you try to connect to a remote end on the internet, do captures on both interfaces, inside and outside.

Julio


Hello,

We tested our internet connection again today but it is still giving us problems; uploading to the VPN or the internet is not working. We didn't see any drops or packet loss, but we disabled some inspect features in order to increase our internet speed and VPN speed.

Regards,

I'm seeing this in the firewall:

PERFMON STATS:                     Current      Average

Xlates                               16/s          1/s

Connections                          44/s         13/s

TCP Conns                            30/s          6/s

UDP Conns                             7/s          4/s

URL Access                            0/s          0/s

URL Server Req                        0/s          0/s

TCP Fixup                          1742/s          0/s

TCP Intercept Established Conns       0/s          0/s

TCP Intercept Attempts                0/s          0/s

TCP Embryonic Conns Timeout           0/s          0/s

HTTP Fixup                            0/s          0/s

FTP Fixup                             0/s          0/s

AAA Authen                            0/s          0/s

AAA Author                            0/s          0/s

AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average

                                       N/A         1037.50%

Hello Luis,

You will need to gather the captures with the inspections enabled.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC