Skinny inspection closes connection

martinbuffleo · ‎01-01-2012

I have a branch office set up were all traffic goes back to the core, iincluding internet acces.

It has been working fine for a year, but recently I have started to see the firewalls Asa 5505 closing the connection and stopping the phone from answering the calls.

I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to registered.

I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.

My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?

It's turned on my 5 other branches.

How can I debug why the skinny inspection is closing the connection?

As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?

mirober2 · ‎01-06-2012

Hi Martin,

If the ASA's security policy denies all traffic except TCP/2000, the inspection would be needed to allow the child connections through after the initial TCP/2000 control channel establishes. You would also need to have the inspection enabled if the ASA is performing any NAT on the Skinny traffic.

The best tools to debug the Skinny inspection are debugging (7) level syslogs, 'debug skinny' output, and simultaneous, bi-directional packet captures taken on both sides of the ASA. I would recommend opening a TAC case for additional assistance if the above output doesn't make the issue more clear.

-Mike