Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1250
Views
5
Helpful
6
Replies

VoIP does not work anymore after ASA upgrade from 9.8 to 9.14

Go to solution
swscco001
Level 1
Level 1

‎01-10-2022 01:36 AM

Hello everybody!

 

a Happy New Year for you!

 

At Friday Ip upgraded the ASA5516 cluster from 9.8(2)20 to the suggested release 9.14(3)18.

 

Thereafter I saw that all S2S tunnels came up again and all looked normally.

This morning the customer called and reported that VoIP does not work anymore.

 

In the logging I did not see any blocks to or from the voice gateway (192.168.23.253).


The voice gateway could be pinged from the active node.

 

Because the customer needed his telephones again we decided to go back to release 9.8(2)20 and suddenly the VoIP did work again.

 

In the ASA upgrade guide I read thet no intermediate upgrade is necessary from 9.8 to 9.14.

 

Does anyone have an idea if there is momething in the configuration (unchange except the 'boot system' and 'asdm' config command) that has causes the VoIP problem? I don't know where to start seaching for the reason for the issue.

 

The configuration is attached.

 

Thanks for every hint!

 

 

Bye
R.

Preview file
259 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to swscco001

‎01-13-2022 12:14 AM

Hi,

 

No you can disable inspection even with NAT on. It should still work. But its not secure to NAT CUCM to internet directly. Instead, you should use something like Expressway.

 

**** please remember to rate useful posts

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-10-2022 03:01 AM

Hi,

After the upgrade, please go ahead and disable sip inspection from global
service-policy which is created by default.

**** please remember to rate useful posts
0 Helpful

Go to solution
swscco001
Level 1
Level 1
In response to Mohammed al Baqari

‎01-10-2022 05:17 AM

Hi Mohammed,

 

thanks for the hint! Seems to be an attempt worth.

 

Is the default of the SIP inspection different between AS OS rel. 9.8 to 9.14?

I did not find a document that stated this ...


Thanks a lot!



Bye
Rene

 

 

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to swscco001

‎01-10-2022 07:40 AM

There is no difference which I read but I have faced same problem with
different versions.

**** please remember to rate useful posts

Go to solution
swscco001
Level 1
Level 1
In response to Mohammed al Baqari

‎01-12-2022 04:36 AM

Hi Mohammed,

 

in another discussion here:
https://community.cisco.com/t5/network-security/asa-sip-inspection/m-p/2021268/highlight/true#M402947

 

I read that SIP inspection sould only be diabled if there is no NAT for SIP traffic but this is the case at this customer. Is there any other possibility or should I open a Cisco TAC case?

 

Thanks a lot!


Bye

Rene

0 Helpful

Go to solution
swscco001
Level 1
Level 1
In response to swscco001

‎01-10-2022 07:51 AM

Hi Mohammed,


a further question:

Could it not become dangerous if I disable the SIP inspection?

Thanks a lot!



Bye
Rene

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to swscco001

‎01-13-2022 12:14 AM

Hi,

 

No you can disable inspection even with NAT on. It should still work. But its not secure to NAT CUCM to internet directly. Instead, you should use something like Expressway.

 

**** please remember to rate useful posts

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card