Hi all,
Below is my network topology.
Inspect SIP is enabled by default. It will create a lot of sessions which don't even pass through the firewall and caused the connection limit alarm "Resource 'conns' limit of 250000 reached for system".
From the output of "show connection all", we can see a lot of connections from outside to outside:
UDP outside 10.10.200.100:26015 outside 10.208.1.157:0, idle 0:00:05, bytes 0, flags mi
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:10.10.200.100/32316 to outside:10.208.1.157 from 183 message
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:10.10.200.100/32317 to outside:10.208.1.157 from 183 message
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:10.208.1.157/10018 to outside:10.10.200.100 from 183 message
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:10.208.1.157/10019 to outside:10.10.200.100 from 183 message
I have tried to use the following policy-map to set a max connection count for these sessions, but it doesn't work.
access-list Invalid-RTP extended permit ip host x.x.x.x host y.y.y.y
access-list Invalid-RTP extended permit ip host y.y.y.y host x.x.x.x
class-map Invalid-RTP
match access-list Invalid-RTP
policy-map global_policy
class Invalid-RTP
set connection conn-max 1
Now I use "no inspect sip" to disable SIP inspection and reduce the connection sessions.
But it is a temporary solution. Is there any way that I can both enable SIP inspection and use some other method to filter/limit these "from outside to outside" sessions?
Thanks,
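An added detection example, not part of the original post or of any Cisco tool: a Python script that parses %ASA-6-607001 lines like the ones quoted above and counts pre-allocated SIP secondary channels whose ingress and egress interface are the same (the "outside to outside" case), so the endpoint pairs that are consuming the 'conns' resource can be identified before choosing how to limit them. The sample syslog text is constructed from the post's lines plus one inside-to-outside line for contrast, and the alert threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample: the four lines from the post plus one inside->outside line.
SAMPLE_SYSLOG = """\
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:10.10.200.100/32316 to outside:10.208.1.157 from 183 message
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:10.10.200.100/32317 to outside:10.208.1.157 from 183 message
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTP secondary channel for outside:10.208.1.157/10018 to outside:10.10.200.100 from 183 message
2018-09-05T00:12:28+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTCP secondary channel for outside:10.208.1.157/10019 to outside:10.10.200.100 from 183 message
2018-09-05T00:12:29+08:00 BJYZ-ASA5516 : %ASA-6-607001: Pre-allocate SIP RTP secondary channel for inside:192.0.2.10/5004 to outside:10.208.1.157 from 183 message
"""

# Fields of the 607001 message: channel kind, source iface/ip/port, destination iface/ip.
PREALLOC_RE = re.compile(
    r"%ASA-6-607001: Pre-allocate SIP (?P<kind>RTP|RTCP) secondary channel for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)"
)

def parse_prealloc(line):
    """Return the parsed fields of one 607001 line, or None for other messages."""
    m = PREALLOC_RE.search(line)
    return m.groupdict() if m else None

def hairpin_summary(log_text):
    """Count pre-allocated channels whose ingress and egress interface are equal,
    keyed by (interface, unordered endpoint pair). Returns (counter, total_parsed)."""
    counts = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_prealloc(line)
        if rec is None:
            continue
        total += 1
        if rec["src_if"] == rec["dst_if"]:
            pair = tuple(sorted((rec["src_ip"], rec["dst_ip"])))
            counts[(rec["src_if"], pair)] += 1
    return counts, total

def noisy_pairs(counts, threshold):
    """Endpoint pairs whose same-interface pre-allocations reach the threshold."""
    return [(iface, pair, n) for (iface, pair), n in counts.items() if n >= threshold]

if __name__ == "__main__":
    counts, total = hairpin_summary(SAMPLE_SYSLOG)
    print(f"parsed {total} pre-allocations, {sum(counts.values())} same-interface")
    for iface, pair, n in noisy_pairs(counts, 2):  # threshold 2 is an assumed value
        print(f"{iface}: {pair[0]} <-> {pair[1]} : {n} pinholes")
```

Feeding it a syslog export from the period when the 'conns' alarm fired shows which SIP endpoint pairs to put in the access-list of a limiting class, rather than guessing at x.x.x.x and y.y.y.y.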