Hi Cisco IOS SMEs,
There have been some prior posts on this subject, but they are very old and relate to much less recent IOS versions:
I am running IOS 15.5(3)M7 on a 2901 ISR router and am in the process of trying to get a SIP trunk configured with CME on the router, but have had issues with this and so started to test with a SW SIP user agent (Blink Pro). My trunk provider is using a Cisco Broadworks SIP server.
As part of testing I have put the SIP devices in the DMZ with public IP addresses so as to avoid any potential NAT/SIP complications.
Based on reading other posts relating to getting SIP_PROTOCOL_VIOLATION reports (via log) I have configured the following set of definitions into my configuration:
<<start of snippet>>
class-map type inspect sip match-any SIP-MESSAGE
class-map type inspect match-all SIP-FW-PROTOCOL
 match protocol sip
policy-map type inspect sip SIP-ACTION
 class type inspect sip SIP-MESSAGE
policy-map type inspect POLICY-DMZ-OUT
 class type inspect SIP-FW-PROTOCOL
  service-policy sip SIP-ACTION
<<end of snippet>>
So even when I have configured this I am getting the following result:
004654: Jan 24 08:25:14.844 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Content length invalid / Non-SIP MSG recvd) - dropping udp session 203.XX.XX.40:62509 45.XX.1XX.232:5060 on zone-pair ZP-DMZ-OUT class SIP-FW-PROTOCOL
My testing has found that the violation occurs during the INVITE exchange. REGISTER completes successfully, without any SIP protocol violations.
So the documented workaround for protocol violations itself does not appear to be working.
Can anyone please advise?
As the response is coming from a Cisco Broadworks server, I am very surprised that the Cisco IOS FW is not handling traffic ...
Thanks in advance for any suggestions.
Hi IOS SMEs,
Can anyone please confirm the expected behaviour of the workaround outlined in this bug report, which is consistent with the configuration I posted?
Here is bug link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtl58680
In the text of the link it says:
"This is an enhancement to just drop the packet in these cases and not the entire UDP session and child connections"
My expectation of adding the service-policy:
<<-- snippet -->>
class-map type inspect sip match-any allow-violations
policy-map type inspect sip allow-violations
 class type inspect sip allow-violations
policy-map type inspect self->out
 class type inspect self->out
  service-policy sip allow-violations
<<-- snippet -->>
would be to not drop the packet and let it pass through.
Am I wrong in this thinking?
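The log line in the first post names two conditions, an invalid content length or a non-SIP message, and an INVITE usually carries an SDP body while a REGISTER usually does not. The following is an added example (not from the poster or from Cisco) that checks a captured UDP payload for both conditions, so the offending side can be identified from a packet capture. The function names, the sample INVITE and its addresses are constructed, and the checks follow RFC 3261 framing, which is an assumption about what the IOS inspection engine enforces.

```python
import re

# Request line or status line, SIP/2.0 only (RFC 3261).
START_LINE = re.compile(rb"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} .*)$")
# Constructed sample body (documentation address range, not from the thread).
SDP = b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0\r\n"

def check_sip_datagram(payload: bytes) -> list[str]:
    """Return the framing problems found in one UDP payload (empty list = clean)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line terminating the headers"]
    lines = head.split(b"\r\n")
    problems = []
    if not START_LINE.match(lines[0]):
        problems.append("start line is not a SIP/2.0 request or response")
    lengths = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):  # folded continuation of the previous header
            continue
        name, _, value = line.partition(b":")
        # "l" is the compact form of Content-Length.
        if name.strip().lower() in (b"content-length", b"l"):
            lengths.append(value.strip())
    if not lengths:
        return problems  # optional over UDP: body runs to the end of the datagram
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length headers")
    if not lengths[0].isdigit():
        problems.append(f"Content-Length is not a number: {lengths[0]!r}")
    elif int(lengths[0]) != len(body):
        problems.append(f"Content-Length {int(lengths[0])} but body is {len(body)} bytes")
    return problems

def build_invite(declared_length: int) -> bytes:
    headers = [  # constructed INVITE; only the framing matters for this check
        b"INVITE sip:1000@example.com SIP/2.0",
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        b"From: <sip:2000@example.com>;tag=1",
        b"To: <sip:1000@example.com>",
        b"Call-ID: constructed-1@192.0.2.10",
        b"CSeq: 1 INVITE",
        b"Content-Type: application/sdp",
        b"Content-Length: %d" % declared_length,
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + SDP

if __name__ == "__main__":
    for n in (len(SDP), len(SDP) + 10):
        print(n, check_sip_datagram(build_invite(n)))
```

Feed it the raw UDP payload bytes of the dropped INVITE (or the response to it) exported from a capture taken on the DMZ side of the zone-pair.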