ZBFW "SIP Protocol Violations"

snetherland
Level 1

We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall Policy configuration. Here is a little bit of info about the site design and some logs displaying this particular error:

-remote site connected to central site via a vpn tunnel

-both routers (1841 & 2801) have a basic ZBFW config that is specifying SIP traffic as being permissible from one site to the other

-phones are Grandstream and SIP server is a Trixbox (we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)

-SIP server is 192.168.14.10 at central site

-Grandstream phones are 172.20.14.0/24 at remote site

The following are logged sessions from the router at the remote site (where phones are attempting to establish communication across the vpn tunnel with the SIP server):

1) phone to server SIP traffic

a) Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)

b) Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class

c) Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes

2) server to phone SIP traffic:

a) Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)

b) Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class

c) Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes

For each attempt, outbound sip traffic (from phone to server) flags the "Forbidden header field found" violation. And inbound sip traffic (server to phone) flags the "Invalid Dialog" traffic.

I have posted this over in the IP Telephony section of Netpro as well.

Any help would be greatly appreciated. Thanks for your time.
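An added triage script, written by the editor and not part of the original post: it parses ZBFW audit-trail and AIC SIP-violation messages in the format quoted above, counts drops per zone-pair, class and reason, and flags sessions where the responder never sent a byte back (the pattern seen in both directions here). The sample lines are constructed from the format of the post's logs, with the syslog-relay prefix stripped.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the IOS ZBFW messages quoted in the post
SAMPLE_LOGS = """\
Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)
Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class
Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes
Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class
Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes
"""

# %AIC-4-SIP_PROTOCOL_VIOLATION: reason in parentheses, then the dropped flow and policy hit
VIOLATION_RE = re.compile(
    r"%AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation \((?P<reason>[^)]+)\)"
    r" - dropping (?P<proto>\w+) session (?P<a>[\d.]+:\d+) (?P<b>[\d.]+:\d+)"
    r" on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
# %FW-6-SESS_AUDIT_TRAIL (Stop): byte counts per side; "_START" lines do not match this
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):Stop sip session:"
    r" initiator \((?P<init>[^)]+)\) sent (?P<ib>\d+) bytes"
    r" -- responder \((?P<resp>[^)]+)\) sent (?P<rb>\d+) bytes"
)

def summarize(log_text):
    """Return (drops, unanswered): drops counts violations per
    (zone-pair, class, reason); unanswered lists stopped sessions
    whose responder sent 0 bytes, i.e. the signalling never completed."""
    drops = Counter()
    unanswered = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            drops[(m["zp"], m["cls"], m["reason"])] += 1
            continue
        m = STOP_RE.search(line)
        if m and m["rb"] == "0":
            unanswered.append((m["zp"], m["init"], m["resp"], int(m["ib"])))
    return drops, unanswered

if __name__ == "__main__":
    drops, unanswered = summarize(SAMPLE_LOGS)
    for (zp, cls, reason), n in drops.most_common():
        print(f"{n:4d}  {zp}/{cls}: {reason}")
    for zp, init, resp, ib in unanswered:
        print(f"no reply on {zp}: {init} -> {resp} ({ib} bytes sent)")
```

Feed it `show logging` output or the syslog relay file; a reason that dominates one zone-pair tells you which direction's inspection policy to examine first.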

16 Replies

They have added support for FTP EPRT and EPSV extensions in 15.2, which were the main reason for the upgrade, so I don't want to roll back.

And I've tried the workaround - doesn't work. Had to simply pass SIP and RTP.

Also, I've got the same results on 15.3(2)T IOS on a 2911 router.

SIP devices are all Cisco, VCS-Expressway on one side and Cisco E20 on the other.

I would call TAC and get them involved. It sucks when there are new features introduced in IOS and there are bugs from the start.

Good luck to you!

Best regards!
