08-04-2009 03:56 PM - edited 03-11-2019 09:02 AM
We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall policy configuration. Here is a little bit of info about the site design and some logs displaying this particular error:
- remote site connected to the central site via a VPN tunnel
- both routers (1841 & 2801) have a basic ZBFW config that specifies SIP traffic as permissible from one site to the other
- phones are Grandstream and the SIP server is a Trixbox (we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)
- SIP server is 192.168.14.10 at the central site
- Grandstream phones are 172.20.14.0/24 at the remote site
The following are logged sessions from the router at the remote site (where phones are attempting to establish communication across the VPN tunnel with the SIP server):
1) phone to server SIP traffic
a)Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)
b)Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class
c)Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes
2) server to phone SIP traffic:
a)Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)
b)Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class
c)Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes
For each attempt, outbound SIP traffic (from phone to server) flags the "Forbidden header field found" violation, and inbound SIP traffic (server to phone) flags the "Invalid Dialog" violation.
I have posted this over in the IP Telephony section of Netpro as well.
Any help would be greatly appreciated. Thanks for your time.
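Added example, not from the original post: a small Python correlator for the %FW-6-SESS_AUDIT_TRAIL* and %AIC-4-SIP_PROTOCOL_VIOLATION lines quoted above. It ties each violation to the session it belongs to and records which side of that session sent the packet the inspector dropped. On the six lines from the post this makes the pattern explicit: on the outbound (InsideToCentral) session the dropped packet is the server's reply to the phone's REGISTER (the phone sent 585 bytes, the responder is counted at 0), while on the inbound (CentralToInside) session the dropped packet is the server's own new attempt, with no dialog behind it. The regexes assume the message formats exactly as printed in the post; the syslog relay prefix in front of each line is ignored.

```python
"""Correlate IOS Zone-Based Firewall audit-trail and SIP AIC violation syslog
lines into per-session records.  Added example, not from the original post."""
import re

START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):"
    r"Start (?P<proto>\w+) session: initiator \((?P<ia>[\d.]+):(?P<ip>\d+)\)"
    r" -- responder \((?P<ra>[\d.]+):(?P<rp>\d+)\)")
VIOL_RE = re.compile(
    r"%AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation \((?P<reason>[^)]+)\)"
    r" - dropping (?P<proto>\w+) session (?P<sa>[\d.]+):(?P<sp>\d+) (?P<da>[\d.]+):(?P<dp>\d+)"
    r" on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):"
    r"Stop (?P<proto>\w+) session: initiator \((?P<ia>[\d.]+):(?P<ip>\d+)\) sent (?P<ib>\d+) bytes"
    r" -- responder \((?P<ra>[\d.]+):(?P<rp>\d+)\) sent (?P<rb>\d+) bytes")

# The six lines from the original post, syslog relay prefix included.
SAMPLE_LOG = """\
Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)
Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class
Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes
Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)
Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class
Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes
"""

def correlate(log_text):
    """One record per audit-trail Start line, with violations and Stop byte
    counts attached.  'dropped_from' says which side of the session sent the
    packet the inspector dropped."""
    sessions, open_by_key = [], {}   # key: (zone-pair, initiator, responder)
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            rec = {"zone_pair": m["zp"], "class": m["cls"],
                   "initiator": (m["ia"], int(m["ip"])),
                   "responder": (m["ra"], int(m["rp"])),
                   "violations": [], "bytes": None}
            sessions.append(rec)
            open_by_key[(m["zp"], rec["initiator"], rec["responder"])] = rec
            continue
        m = VIOL_RE.search(line)
        if m:
            src, dst = (m["sa"], int(m["sp"])), (m["da"], int(m["dp"]))
            # The dropped packet may travel in either direction of the session.
            rec = open_by_key.get((m["zp"], src, dst)) or open_by_key.get((m["zp"], dst, src))
            if rec is not None:
                rec["violations"].append({
                    "reason": m["reason"],
                    "dropped_from": "responder" if src == rec["responder"] else "initiator"})
            continue
        m = STOP_RE.search(line)
        if m:
            key = (m["zp"], (m["ia"], int(m["ip"])), (m["ra"], int(m["rp"])))
            rec = open_by_key.pop(key, None)
            if rec is not None:
                rec["bytes"] = (int(m["ib"]), int(m["rb"]))
    return sessions

def violation_summary(sessions):
    """zone-pair -> [(reason, dropped_from)]: the pattern the post describes."""
    out = {}
    for rec in sessions:
        for v in rec["violations"]:
            out.setdefault(rec["zone_pair"], []).append((v["reason"], v["dropped_from"]))
    return out

if __name__ == "__main__":
    for zp, drops in violation_summary(correlate(SAMPLE_LOG)).items():
        print(zp, drops)
```

Feed it a longer syslog export and the summary shows at a glance whether drops are always on the reply leg of phone-initiated sessions (a header problem in the server's responses) or on server-initiated sessions with no prior request (a dialog or transaction problem).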
08-04-2009 07:09 PM
What IOS version are you using? Can you get the output of "debug policy-firewall detailed" and "debug policy-firewall prot sip"?
08-04-2009 07:18 PM
Absolutely I can! Thanks so much for responding. Both routers are running advanced IP services 12.4(24)T1. I should be able to provide you with that output in the morning. I also do currently have packet captures.
Thanks again for your help.
08-04-2009 07:55 PM
Please post the debugs and the packet capture as well, both taken at the same time.
08-10-2009 03:45 PM
sadsiddi,
Thanks so much for your help. I apologize it took me a little time to get back to you. I have the "debug policy-firewall protocol sip" output attached, as well as some brief packet captures from around the same time. I'm going to set this up in a lab to gain more information shortly.
Thanks again for your assistance, and please feel free to make any recommendations.
08-11-2009 09:41 AM
In the pcap, I see all REGISTER messages. I don't see 100 Trying messages. I believe the pcap was captured while the firewall was in place, which dropped the non-RFC-compliant 100 Trying messages. From the debugs I infer that the 100 Trying message had "CONTACT" and "REPLY-TO" headers which, as per RFC 3261, should not be present. You need to check your SIP gateway why it is sending non-RFC 100 messages. On IOS Firewall, you can skip this strict RFC 3261 check by having the following config.
class-map type inspect sip class-sip
 match protocol-violation
policy-map type inspect sip policy-sip
 class type inspect sip class-sip
  allow
  log
!
class-map type inspect match-any cmap
 match protocol sip
policy-map type inspect pmap
 class type inspect cmap
  inspect
  service-policy sip policy-sip
Hope this helps.
08-12-2009 04:48 PM
sadsiddi,
Thanks so much for your response. We are investigating the strange non-RFC headers you mentioned in your post. We did make adjustments to our current firewall config and are now able to make calls from the phones. Thank you very much for your assistance.
I actually ran a few more debugs and tried to get concurrent packet captures. I am posting some output from our most recent testing after making the modifications to our ZBFW config.
I am still seeing quite a few dropped packets, but again I want to stress that right now we are very happy that we're just able to make calls.
We appreciate all of your help, and please feel free to make any recommendations.
09-11-2009 04:58 AM
Hi,
I have the same problem, but how can I configure it to skip the SIP check on the "policy-map type inspect policy-trust-untrust"?
When I try to attach the child policy, IOS tells me the following:
CISCO2811-VR-IT(config)#policy-map type inspect policy-trust-untrust
CISCO2811-VR-IT(config-pmap)#class type inspect class-trust-untrust
CISCO2811-VR-IT(config-pmap-c)#service-policy sip policy-sip
Deep packet inspection action of the configured type not applicable to protocol "ftp" in class "class-trust-untrust". Please remove the protocol and try.
Unable to attach child policy
Please can you help me with a configuration like the following:
class-map type inspect sip match-any class-sip
 description ** SIP PROTOCOL
 match protocol-violation
class-map type inspect match-any class-untrust-trust
 description ** INTERNET TO INSIDE
 match protocol telnet
 match protocol ssh
 match protocol icmp
class-map type inspect match-any class-trust-untrust
 description ** INSIDE TO INTERNET
 match protocol sip
 match protocol ftp
 match protocol ftps
 match protocol sip-tls
 match protocol pptp
 match protocol tftp
 match protocol stun
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect policy-untrust-trust
 class type inspect class-untrust-trust
  inspect
 class class-default
  drop log
policy-map type inspect policy-trust-untrust
 class type inspect class-trust-untrust
  inspect
 class class-default
  drop log
policy-map type inspect sip policy-sip
 class type inspect sip class-sip
  allow
  log
!
zone security trust
zone security untrust
zone-pair security trust-untrust source trust destination untrust
 service-policy type inspect policy-trust-untrust
zone-pair security untrust-trust source untrust destination trust
 service-policy type inspect policy-untrust-trust
!
09-11-2009 05:38 AM
Hi,
please can you check the following configuration.
I've tried to configure it to skip the SIP protocol violation, but IOS still drops:
!
class-map type inspect sip match-any class-sip
 description ** SIP PROTOCOL
 match protocol-violation
class-map type inspect match-any class-sip-trust-untrust
 match protocol sip
class-map type inspect match-any class-untrust-trust
 description ** INTERNET TO INSIDE
 match protocol telnet
 match protocol ssh
 match protocol icmp
class-map type inspect match-any class-trust-untrust
 description ** INSIDE TO INTERNET
 match protocol sip
 match protocol ftp
 match protocol ftps
 match protocol sip-tls
 match protocol pptp
 match protocol tftp
 match protocol stun
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect policy-untrust-trust
 class type inspect class-untrust-trust
  inspect
 class class-default
  drop log
policy-map type inspect sip policy-sip
 class type inspect sip class-sip
  allow
  log
policy-map type inspect policy-trust-untrust
 class type inspect class-sip-trust-untrust
  inspect
  service-policy sip policy-sip
 class type inspect class-trust-untrust
  inspect
 class class-default
  drop log
!
zone security trust
zone security untrust
zone-pair security trust-untrust source trust destination untrust
 service-policy type inspect policy-trust-untrust
zone-pair security untrust-trust source untrust destination trust
 service-policy type inspect policy-untrust-trust
!
CISCO2811-VR-IT#
015590: Sep 11 15:32:22.932 CET: CCE: CBAC SIP: Multiple VIA Headers found
015591: Sep 11 15:32:22.932 CET: CCE: sip_fetch_record_route_addr
015592: Sep 11 15:32:22.932 CET: CCE: sip_fetch_sip_URI
015593: Sep 11 15:32:22.932 CET: CCE: sip_fetch_sip_URI
015594: Sep 11 15:32:22.932 CET: CCE: sip_fetch_to_addr
015595: Sep 11 15:32:22.932 CET: CCE: sip_fetch_sip_URI
015596: Sep 11 15:32:22.932 CET: CCE: sip_fetch_from_addr
015597: Sep 11 15:32:22.932 CET: CCE: sip_fetch_sip_URI
015598: Sep 11 15:32:22.932 CET: CCE: sip_fetch_cseq
015599: Sep 11 15:32:22.932 CET: CCE: sip_fetch_seq_no
015600: Sep 11 15:32:22.932 CET: CCE: SIP: Err: protocol-voilation checking: Message 180 is not permitted in state Transaction Init
015601: Sep 11 15:32:22.932 CET: FIREWALL sis 4A6100C0: *** protocol error found ***
015602: Sep 11 15:32:22.932 CET: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Transaction) - dropping udp session 192.168.1.55:58140 83.211.227.21:5060 on zone-pair trust-untrust class class-sip-trust-untrust
015603: Sep 11 15:32:22.932 CET: FIREWALL: Pregen without any dialog
015604: Sep 11 15:32:22.936 CET: FIREWALL: Pregen without any dialog
015605: Sep 11 15:32:22.936 CET: FIREWALL sis 4A6100C0: Sis extension deleted
015606: Sep 11 15:32:22.936 CET: CCE: I2R = 1, source = 192.168.1.55:58140, dest = 83.211.227.21:5060, state_object = 0x0, data_len = 4
015607: Sep 11 15:32:22.936 CET: CCE: SIP: Err: Response Invalid
015608: Sep 11 15:32:22.936 CET: FIREWALL sis 4A6100C0: *** protocol error found ***
015609: Sep 11 15:32:22.936 CET: FIREWALL sis 4A6100C0: Sis extension deleted
015653: Sep 11 15:43:22.948 CET: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Transaction) - dropping udp session 192.168.1.55:58140 83.211.227.21:5060 on zone-pair trust-untrust class class-sip-trust-untrust
015654: Sep 11 15:44:22.952 CET: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Transaction) - dropping udp session 192.168.1.55:58140 83.211.227.21:5060 on zone-pair trust-untrust class class-sip-trust-untrust
09-18-2009 01:04 AM
Do you still face the issue?
09-18-2009 01:12 AM
Yes, the problems with SIP phones persist!
1) How can I disable the SIP protocol inspection (but leave the SIP ALG active)?
2) FYI: with a Cisco PIX/ASA version 7.x the IP SIP phone works perfectly/correctly!
3) How can I configure IOS to log (via syslog) every session created/dropped/... by the IOS zone firewall?
I've configured the following, but the firewall ONLY logs the dropped packets.
...
ip inspect log drop-pkt
ip inspect audit-trail
4) Please can you confirm that the IOS zone-based firewall is configured correctly: the inside LAN needs to connect to an external SIP gateway.
I've tried to configure the firewall to "bypass" the SIP check (but still use the SIP ALG), but it is still not working.
!
ip inspect log drop-pkt
ip inspect audit-trail
!
class-map type inspect sip match-any class-sip
 description ** SIP PROTOCOL
 match protocol-violation
class-map type inspect match-any class-sip-trust-untrust
 match protocol sip
class-map type inspect match-any class-untrust-trust
 description ** INTERNET TO INSIDE
 match protocol telnet
 match protocol ssh
 match protocol icmp
class-map type inspect match-any class-trust-untrust
 description ** INSIDE TO INTERNET
 match protocol sip
 match protocol ftp
 match protocol ftps
 match protocol sip-tls
 match protocol pptp
 match protocol tftp
 match protocol stun
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect policy-untrust-trust
 class type inspect class-untrust-trust
  inspect
 class class-default
  drop log
policy-map type inspect sip policy-sip
 class type inspect sip class-sip
  allow
  log
policy-map type inspect policy-trust-untrust
 class type inspect class-sip-trust-untrust
  inspect
  service-policy sip policy-sip
 class type inspect class-trust-untrust
  inspect
 class class-default
  drop log
!
zone security trust
zone security untrust
zone-pair security trust-untrust source trust destination untrust
 service-policy type inspect policy-trust-untrust
zone-pair security untrust-trust source untrust destination trust
 service-policy type inspect policy-untrust-trust
!
interface FastEthernet0/0
 description ** INSIDE LAN
 ip address 192.168.1.199 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security trust
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface ATM0/0/0
 description *** connected to INTERNET
 bandwidth 24000
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 no atm ilmi-keepalive
 pvc tiscali 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description *** connected to INTERNET
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security untrust
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxx@xxxxxxxxxx
 ppp chap password xxxxxxxxxxxxxx
 ppp ipcp dns request
!
CISCO2811-VR-IT#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Do you need anything else (the debug packets)?
THANKS for your help!
07-24-2012 06:07 AM
Is this problem solved?
I'm running an 891 with adv. IP services and have the same problem. IOS from c890-universalk9-mz.152-2.T
Yes, SIP is broken on some SIP gateways; the programmers of the remote gateways know about it and are not going to do anything about it, that's not the question, and we have to live with it. The question is how to turn off "%AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Transaction) - dropping udp session". It looks like allowing protocol-violation is not working, or I'm doing something wrong. Here is the config:
class-map type inspect sip match-any class-sip
 match protocol-violation
policy-map type inspect sip policy-sip
 class type inspect sip class-sip
  allow
  log
!
class-map type inspect match-any sip
 match protocol sip
policy-map type inspect voice-internet
 class type inspect sip
  inspect
  service-policy sip policy-sip
Log:
.
.
.
CCE: SIP: Err: protocol-voilation checking: Message 200 is not permitted in state Transaction Init
FIREWALL sis 89443BA0: *** protocol error found ***
%AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Transaction) - dropping udp session x.x.x.x:5060 y.y.y.y:5060 on zone-pair data-internet class sip
.
.
.
It might be message 180, or whatever message.
"policy-map type inspect sip policy-sip" is just not allowing, but it is logging (3rd line in the log).
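Added example, not Cisco's code and not part of any post in this thread: a Python model of the two checks behind the drops discussed here, the RFC 3261 header applicability check that sadsiddi's 08-11-2009 answer attributes to the "Forbidden header field found" drop (a 100 Trying to a REGISTER carrying Contact and Reply-To), and the transaction-state check behind the "Message 180 is not permitted in state Transaction Init" / "Message 200 is not permitted in state Transaction Init" lines in the 09-11-2009 debug output and the post above. The applicability table is a hand-copied subset of RFC 3261 section 20, Table 3, limited to the two headers named in the thread; the transaction tracker is my own simplification (a response is only acceptable if a request with the same top Via branch and CSeq method was seen first), not a reproduction of the IOS state machine. The sample messages are constructed; the addresses come from the thread, the tags, branches and user parts are made up.

```python
"""Model of two checks a strict RFC 3261 SIP inspector applies to responses:
(1) header fields not applicable to this response class and CSeq method (the
'Forbidden header field found' drop) and (2) a response whose request was
never seen (the 'Message N is not permitted in state Transaction Init' drop).
Added example, not Cisco's code."""
import re

# Subset of RFC 3261 section 20, Table 3, limited to the two headers the thread
# names.  Value: methods whose responses of that class may carry the header;
# every other combination is '-' (not applicable) in the RFC table.
RESPONSE_HEADER_TABLE = {
    "contact": {"1xx": {"INVITE"},
                "2xx": {"INVITE", "OPTIONS", "REGISTER"},
                "3xx": {"BYE", "INVITE", "OPTIONS", "REGISTER"},
                "485": {"BYE", "INVITE", "OPTIONS", "REGISTER"}},
    "reply-to": {"*": {"INVITE"}},   # no 'where' column: only INVITE, any class
}

def parse_sip(raw):
    """Split a SIP message into (start line, {lowercased name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def status_code(start_line):
    """Status code of a response, None for a request."""
    return int(start_line.split()[1]) if start_line.startswith("SIP/2.0") else None

def cseq_method(headers):
    return headers["cseq"][0].split()[1].upper()

def forbidden_headers(raw):
    """Headers present in a response that the table marks '-' for its status
    class and CSeq method; [] for a clean response or for a request."""
    start, headers, _ = parse_sip(raw)
    code = status_code(start)
    if code is None:
        return []
    method, bad = cseq_method(headers), []
    for name, rows in RESPONSE_HEADER_TABLE.items():
        if name not in headers:
            continue
        allowed = (rows.get(str(code)) or rows.get("%dxx" % (code // 100))
                   or rows.get("*") or set())
        if method not in allowed:
            bad.append(name)
    return sorted(bad)

def top_via_branch(headers):
    m = re.search(r"branch=([^;,\s]+)", headers["via"][0])
    return m.group(1) if m else None

class TransactionTracker:
    """Transactions keyed by (top Via branch, CSeq method).  A response whose
    key no request created is reported as a transaction violation."""
    def __init__(self):
        self.seen = set()

    def observe(self, raw):
        """None if the message is acceptable, else a violation string."""
        start, headers, _ = parse_sip(raw)
        key = (top_via_branch(headers), cseq_method(headers))
        code = status_code(start)
        if code is None:          # a request opens the transaction
            self.seen.add(key)
            return None
        if key not in self.seen:
            return "Invalid Transaction: %d not permitted in state Transaction Init" % code
        if code >= 200:           # a final response completes it
            self.seen.discard(key)
        return None

# Constructed sample messages: addresses from the thread, made-up tags/branches.
REGISTER = (
    "REGISTER sip:192.168.14.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.20.14.30:5060;branch=z9hG4bK-reg1\r\n"
    "From: <sip:1001@192.168.14.10>;tag=f1\r\nTo: <sip:1001@192.168.14.10>\r\n"
    "Call-ID: c1@172.20.14.30\r\nCSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@172.20.14.30:5060>\r\nContent-Length: 0\r\n\r\n")
# 100 Trying carrying Contact and Reply-To, as the accepted answer inferred.
TRYING_BAD = (
    "SIP/2.0 100 Trying\r\n"
    "Via: SIP/2.0/UDP 172.20.14.30:5060;branch=z9hG4bK-reg1\r\n"
    "From: <sip:1001@192.168.14.10>;tag=f1\r\nTo: <sip:1001@192.168.14.10>\r\n"
    "Call-ID: c1@172.20.14.30\r\nCSeq: 1 REGISTER\r\n"
    "Contact: <sip:192.168.14.10:5060>\r\nReply-To: <sip:192.168.14.10>\r\n"
    "Content-Length: 0\r\n\r\n")
# The same 100 Trying with the two offending headers removed.
TRYING_OK = "".join(l for l in TRYING_BAD.splitlines(keepends=True)
                    if not l.lower().startswith(("contact:", "reply-to:")))
# A 180 Ringing for an INVITE the inspector never saw (fresh branch).
ORPHAN_180 = (
    "SIP/2.0 180 Ringing\r\n"
    "Via: SIP/2.0/UDP 192.168.1.55:58140;branch=z9hG4bK-inv9\r\n"
    "From: <sip:200@192.168.1.55>;tag=f2\r\nTo: <sip:300@example.invalid>;tag=t2\r\n"
    "Call-ID: c2@192.168.1.55\r\nCSeq: 2 INVITE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("forbidden in bad 100 Trying:", forbidden_headers(TRYING_BAD))
    tracker = TransactionTracker()
    for msg in (REGISTER, TRYING_OK, ORPHAN_180):
        print(msg.split("\r\n")[0], "->", tracker.observe(msg))
```

Run the two checks over a pcap's SIP payloads before touching the firewall: if forbidden_headers() flags the gateway's provisional responses, the fix belongs on the gateway (or in the allow/log policy shown in this thread), whereas orphan responses point at the inspector losing or never seeing the request, which a protocol-violation allow does not fix by itself.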
06-27-2013 02:00 AM
Just to keep this thread going... the problem still exists with 15.2(4)M3. I had to downgrade to 15.1(4)M6 to fix the problem on a 7206VXR router.
Best regards
10-16-2013 03:20 AM
Just stumbled upon AIC-4-SIP_PROTOCOL_VIOLATION in 15.2(4)M5.
Is there a workaround? L7 inspection is needed for dynamic RTP to pass.
10-16-2013 04:06 AM
To Utair Corporation:
Looks like the bug is in all 15.2M releases per
Bug CSCui66278 ZBF: SIP inspection drops legitimate packets as protocol violation
https://tools.cisco.com/bugsearch/bug/CSCui66278/?referring_site=ss
It is fixed in the 15.3 and 15.4 IOS releases, which are only available for the latest Cisco router products. Check the bug info, as it has a workaround, but it may affect your L7 inspection.
As I posted above back in June 2013, the problem went away for me with 15.1(4)M6.
Hope this helps!
Best regards!