01-10-2022 01:36 AM
Hello everybody!
A Happy New Year to you!
On Friday I upgraded the ASA5516 cluster from 9.8(2)20 to the suggested release 9.14(3)18.
Thereafter I saw that all S2S tunnels came up again and all looked normal.
This morning the customer called and reported that VoIP does not work anymore.
In the logging I did not see any blocks to or from the voice gateway (192.168.23.253).
The voice gateway could be pinged from the active node.
Because the customer needed his telephones again we decided to go back to release 9.8(2)20 and suddenly the VoIP did work again.
In the ASA upgrade guide I read that no intermediate upgrade is necessary from 9.8 to 9.14.
Does anyone have an idea if there is something in the configuration (unchanged except the 'boot system' and 'asdm' config command) that has caused the VoIP problem? I don't know where to start searching for the reason for the issue.
The configuration is attached.
Thanks for every hint!
Bye
R.
01-13-2022 12:14 AM
Hi,
No, you can disable inspection even with NAT on. It should still work. But it's not secure to NAT CUCM to the internet directly. Instead, you should use something like Expressway.
**** please remember to rate useful posts
01-10-2022 03:01 AM
01-10-2022 05:17 AM
Hi Mohammed,
thanks for the hint! Seems to be worth an attempt.
Is the default of the SIP inspection different between ASA OS rel. 9.8 and 9.14?
I did not find a document that stated this ...
Thanks a lot!
Bye
Rene
01-10-2022 07:40 AM
01-12-2022 04:36 AM
Hi Mohammed,
in another discussion here:
https://community.cisco.com/t5/network-security/asa-sip-inspection/m-p/2021268/highlight/true#M402947
I read that SIP inspection should only be disabled if there is no NAT for SIP traffic but this is the case at this customer. Is there any other possibility or should I open a Cisco TAC case?
Thanks a lot!
Bye
Rene
01-10-2022 07:51 AM
Hi Mohammed,
a further question:
Could it not become dangerous if I disable the SIP inspection?
Thanks a lot!
Bye
Rene