Hi everyone,

we've got a problem regarding the SIP Inspection Protocol Helper on the FWSM (Firmware 4.0(10)).

When initiating phone calls via VoIP(SIP), users reported a delay of about 2 secs before hearing the dial tone.

Looking at the firewall logfile at that time reveals Deny-Messages for the RTP-Data between our VoIP-Server

and the VoIP-Provider's gateway. They last exactly the same time (about 2 secs), the users told us:

09:18:12: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0, 0x0]
09:18:12: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst  vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0,  0x0]
(...)

09:18:15: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst  vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0,  0x0]

09:18:15: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst  vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0,  0x0]

After that 2 seconds, we can see no more Deny-Messages. When doing a packet-capture, we even see

normal traffic between the Server and the Gateway.

So it seems, that when using the SIP Inspection Engine on the FWSM, we always have a delay, before the

FWSM dynamically generates the ACEs needed for the RTP-Data.

My question to you is, have you ever seen that behaviour of your Firewall?

Does anyone know, if it's just the lame SIP Protocol Helper, that needs a few secs for creating ACEs?

Or is it a bug and should be treated by the TAC-guys?

Thanks in advance!

Regards,

Marco