SIP Trunk, CUBE and Zone-Based Policy Firewalls

hanlykent
Level 1

Hi All,

 

I have an issue with calls over my SIP trunk where the RTP media flow between endpoints stops in both directions after exactly 5 minutes.

The SIP session stays up. Call length can be extended by performing some sort of mid-call signalling (hold, then un-hold) during the call.

 

The environment looks like this:

 

Mobile Phone --> VTSP --> SIP --> CUBE/ZBFW --> SIP -->CUCM --> Cisco IP Phone

 

The issue can be resolved by disabling the ZBFW.

 

Here is a snippet of my CUBE/ZBFW config:

 

boot system flash:c2900-universalk9-mz.SPA.154-3.M3.bin

 

ip inspect log drop-pkt
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 

 

voice service voip
 ip address trusted list
  ipv4 {publisher-IP}
  ipv4 {Subscriber 1 IP}
  ipv4 {Subscriber 2 IP}
  ipv4 {VTSP SIP Proxy IP}
 address-hiding
 mode border-element license capacity 50
 allow-connections sip to sip
 modem passthrough protocol codec g711alaw
 sip
  session refresh
  midcall-signaling passthru
!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
!
!
voice class sip-profiles 100
 request INVITE sip-header Remote-Party-ID remove 
 request INVITE sip-header Remote-Party-ID remove 

 


class-map type inspect match-any SIP-TRAFFIC
  description --All SIP Traffic--
 match protocol sip
class-map type inspect match-all ICMP_Allow_CMAP
  description --Allow ICMP Traffic--
 match access-group name ICMP_Allow_ACL
!
policy-map type inspect VOICE-TRAFFIC
 class type inspect SIP-TRAFFIC
  inspect 
 class type inspect ICMP_Allow_CMAP
  inspect 
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect VOICE-TRAFFIC
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
 service-policy type inspect VOICE-TRAFFIC

interface GigabitEthernet0/0
 description --Connection to Us/Inside--
 ip address xx.xx.xx.xx 255.255.255.0
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description --Connection to VTSP/Outside--
 ip address xx.xx.xx.xx 255.255.255.248
 zone-member security OUTSIDE
 duplex auto
 speed auto

 

dial-peer voice 100 voip
 description --Voip in from Us/Inside--
 huntstop
 session protocol sipv2
 incoming called-number .T
 voice-class codec 1  
 voice-class sip profiles 100
 dtmf-relay sip-kpml rtp-nte
 no vad

 

dial-peer voice 200 voip
 description --Voip in from VTSP--
 huntstop
 session protocol sipv2
 incoming called-number 02XXXXXX..
 voice-class codec 1  
 voice-class sip profiles 100
 voice-class sip options-keepalive retry 3
 dtmf-relay rtp-nte
 fax-relay ecm disable
 fax rate disable
 no vad
!
dial-peer voice 201 voip
 description --Voip out to CUCM 1--
 preference 1
 destination-pattern 02XXXXXX..
 session protocol sipv2
 session target ipv4:{Subscriber 1 IP}
 voice-class codec 1  
 voice-class sip early-offer forced
 voice-class sip options-keepalive retry 3
 dtmf-relay sip-kpml
 fax-relay ecm disable
 fax rate disable
 no vad
!
dial-peer voice 202 voip
 description --Voip out to CUCM 2--
 preference 2
 destination-pattern 02XXXXXX..
 session protocol sipv2
 session target ipv4:{Subscriber 2 IP}
 voice-class codec 1  
 voice-class sip early-offer forced
 voice-class sip options-keepalive retry 3
 dtmf-relay sip-kpml
 fax-relay ecm disable
 fax rate disable
 no vad

 

At the 5 minute mark of a call, there is no indication in the logs of the CUBE that any UDP packets or SIP sessions are being dropped.

There are also no SIP BYE or RE-INVITE messages in the "debug ccsip messages" output.

 

My workaround at the moment is to remove the SIP inspection and implement only UDP inspection between source/destination IP addresses.

I would much prefer to have SIP inspection only.

 

Am I missing something in my ZBFW configuration to allow SIP calls to last longer than 5 minutes?

Perhaps SIP inspection is reacting to something within the SIP messages being sent/received?

 

Thanks

 

Kent

4 Replies

Tagir Temirgaliyev
Spotlight

I prefer a simple and stable configuration. Instead of inspecting SIP, I use two extended ACLs from ipv4 {VTSP SIP Proxy IP} to mine and back.

Hi Joshua/Tagir,

 

Thanks for your replies.

 

I have implemented UDP inspection only which seems to have removed the issue.

It would seem there is an issue with SIP inspection.

I would be interested to know if anyone else has run into this?

 

However, I agree, implementing some ACLs would be more than adequate.

 

Cheers

 

Kent

Joshua Fontenot
Level 1

I just use an extended ACL on my CUBE interface that faces my provider and open up the ACL for the respective media and signaling IP addresses my provider will be TX/RX from.

I think you are making it more complicated than it needs to be by using ZBFW.  Honestly I have found that just using CBAC is sufficient in most situations versus ZBFW when needing to firewall a router.  I like to keep it simple.

The problem here lies with the inspection that ZBFW offers. So you can use ACLs. In case you need to implement inspection in your network and the device supports this only via ZBFW, then you have to configure separate class maps for the UDP ports and link them to policy maps by applying action PASS. This will introduce the requirement for you to configure both-way rules, since reverse traffic will not be allowed by default. According to your configuration, I suggest the following modifications:

 


class-map type inspect match-all CUBE_TO_OUTSIDE
  description --Allow outgoing RTP Traffic--
 match access-group name CUBE_TO_OUTSIDE
class-map type inspect match-all OUTSIDE_TO_CUBE
  description --All incoming RTP Traffic--
 match access-group name OUTSIDE_TO_CUBE
class-map type inspect match-any SIP-TRAFFIC
  description --All SIP Traffic--
 match protocol sip
class-map type inspect match-all ICMP_Allow_CMAP
  description --Allow ICMP Traffic--
 match access-group name ICMP_Allow_ACL
!
! Order within PMAP is significant
! Applied to zone-pair OUTSIDE -> self: pass the inbound RTP class here
policy-map type inspect VOICE-TRAFFIC-IN
 class type inspect OUTSIDE_TO_CUBE
  pass
 class type inspect SIP-TRAFFIC
  inspect
 class type inspect ICMP_Allow_CMAP
  inspect
 class class-default
  drop log
!
! Applied to zone-pair self -> OUTSIDE: pass the outbound RTP class here
policy-map type inspect VOICE-TRAFFIC-OUT
 class type inspect CUBE_TO_OUTSIDE
  pass
 class type inspect SIP-TRAFFIC
  inspect
 class type inspect ICMP_Allow_CMAP
  inspect
 class class-default
  drop log
!


zone security INSIDE
zone security OUTSIDE
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect VOICE-TRAFFIC-OUT
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
 service-policy type inspect VOICE-TRAFFIC-IN
!
ip access-list extended CUBE_TO_OUTSIDE
 permit udp [CUBE_Subnet] range 16384 32767 [ISP_Subnet] range 16384 32767
!
ip access-list extended OUTSIDE_TO_CUBE
 permit udp [ISP_Subnet] range 16384 32767 [CUBE_Subnet] range 16384 32767
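As an added check that is not part of any post in this thread and not Cisco tooling: the script below reads a ZBFW snippet in the style posted above and flags dangling class-map, ACL and policy-map references, class-maps that are never applied, and `pass` classes whose ACL is written in the opposite direction to the zone-pair it is attached to (the kind of mismatch that silently drops one direction of RTP once SIP inspection is no longer creating the media pinholes). The sample config, the `[CUBE_Subnet]`/`[ISP_Subnet]` placeholders and their mapping to the `self` and `OUTSIDE` zones in `ZONE_ADDRESS`, and the function names are all constructed for this example.

```python
"""Consistency checks for a Cisco IOS zone-based firewall (ZBFW) snippet.
Constructed example (not Cisco tooling): parses class-map, policy-map,
zone-pair and extended-ACL blocks and reports dangling references, unused
class-maps, and 'pass' classes whose ACL direction disagrees with the
zone-pair they are applied to."""
import re

# Constructed sample using the thread's placeholders. The inbound policy
# deliberately reuses the outbound class so the checker has something to report.
SAMPLE_CONFIG = """
class-map type inspect match-all CUBE_TO_OUTSIDE
 match access-group name CUBE_TO_OUTSIDE
class-map type inspect match-all OUTSIDE_TO_CUBE
 match access-group name OUTSIDE_TO_CUBE
class-map type inspect match-any SIP-TRAFFIC
 match protocol sip
policy-map type inspect VOICE-TRAFFIC-IN
 class type inspect CUBE_TO_OUTSIDE
  pass
 class type inspect SIP-TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect VOICE-TRAFFIC-OUT
 class type inspect CUBE_TO_OUTSIDE
  pass
 class type inspect SIP-TRAFFIC
  inspect
 class class-default
  drop log
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect VOICE-TRAFFIC-OUT
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
 service-policy type inspect VOICE-TRAFFIC-IN
ip access-list extended CUBE_TO_OUTSIDE
 permit udp [CUBE_Subnet] range 16384 32767 [ISP_Subnet] range 16384 32767
ip access-list extended OUTSIDE_TO_CUBE
 permit udp [ISP_Subnet] range 16384 32767 [CUBE_Subnet] range 16384 32767
"""
# The same snippet with the inbound policy pointing at the inbound class-map.
FIXED_CONFIG = SAMPLE_CONFIG.replace("VOICE-TRAFFIC-IN\n class type inspect CUBE_TO_OUTSIDE",
                                     "VOICE-TRAFFIC-IN\n class type inspect OUTSIDE_TO_CUBE")
# Assumed mapping: which ACL address token sits behind each zone ('self' is the CUBE).
ZONE_ADDRESS = {"self": "[CUBE_Subnet]", "OUTSIDE": "[ISP_Subnet]"}
IPV4 = r"\d+\.\d+\.\d+\.\d+"


def acl_endpoints(ace):
    """Return the (src, dst) address fields of a 'permit <proto> ...' entry."""
    body = re.sub(r"\b(?:eq|gt|lt|neq) \S+|\brange \S+ \S+", "", ace)  # drop port specs
    body = re.sub(rf"(?<!host )({IPV4}) ({IPV4})", r"\1/\2", body)      # keep addr+wildcard together
    body = re.sub(r"\bhost (\S+)", r"\1", body)                          # 'host A' -> 'A'
    toks = body.split()
    return toks[2], toks[3]


def parse_zbfw(text):
    """Parse the four block kinds into dicts keyed by name."""
    cmaps, pmaps, zpairs, acls = {}, {}, {}, {}
    kind = name = None
    for line in text.splitlines():
        toks = line.split()
        if not toks or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a new top-level block starts
            kind = None
            if line.startswith("class-map type inspect"):
                kind, name = "cmap", toks[4]
                cmaps[name] = None                 # ACL name, filled by 'match access-group'
            elif line.startswith("policy-map type inspect"):
                kind, name = "pmap", toks[3]
                pmaps[name] = []                   # [class, action] in configured order
            elif line.startswith("zone-pair security"):
                kind, name = "zpair", toks[2]
                zpairs[name] = {"src": toks[4], "dst": toks[6], "policy": None}
            elif line.startswith("ip access-list extended"):
                kind, name = "acl", toks[3]
                acls[name] = []                    # (src, dst) per permit entry
        elif kind == "cmap" and toks[:3] == ["match", "access-group", "name"]:
            cmaps[name] = toks[3]
        elif kind == "pmap" and toks[0] == "class":
            pmaps[name].append([toks[-1], None])   # 'class type inspect X' / 'class class-default'
        elif kind == "pmap" and toks[0] in ("inspect", "pass", "drop") and pmaps[name]:
            pmaps[name][-1][1] = toks[0]
        elif kind == "zpair" and toks[0] == "service-policy":
            zpairs[name]["policy"] = toks[-1]
        elif kind == "acl" and toks[0] == "permit":
            acls[name].append(acl_endpoints(line.strip()))
    return cmaps, pmaps, zpairs, acls


def check_zbfw(text, zone_address=ZONE_ADDRESS):
    """Return a list of findings; an empty list means the snippet is consistent."""
    cmaps, pmaps, zpairs, acls = parse_zbfw(text)
    out, used = [], set()
    out += [f"class-map {c}: ACL {a} is not defined" for c, a in cmaps.items() if a and a not in acls]
    for pname, classes in pmaps.items():
        for cname, action in classes:
            used.add(cname)
            if cname != "class-default" and cname not in cmaps:
                out.append(f"policy-map {pname}: class-map {cname} is not defined")
            if action is None:
                out.append(f"policy-map {pname}: class {cname} has no action")
    out += [f"class-map {c} is defined but never used" for c in cmaps if c not in used]
    for zname, zp in zpairs.items():
        if zp["policy"] not in pmaps:
            out.append(f"zone-pair {zname}: policy-map {zp['policy']} is not defined")
            continue
        want = (zone_address.get(zp["src"]), zone_address.get(zp["dst"]))
        for cname, action in pmaps[zp["policy"]]:
            acl = cmaps.get(cname)
            # 'inspect' builds return-flow state itself; only 'pass' depends on a correctly
            # oriented ACL in each zone-pair, so only pass classes are direction-checked.
            if action != "pass" or acl is None:
                continue
            for src, dst in acls.get(acl, []):
                if (src, dst) != want:
                    out.append(f"zone-pair {zname} ({zp['src']}->{zp['dst']}): pass class {cname} "
                               f"uses ACL {acl} written {src}->{dst}")
    return out


if __name__ == "__main__":
    for finding in check_zbfw(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, it reports that `OUTSIDE_TO_CUBE` is never applied and that the inbound zone-pair passes an ACL written CUBE-to-ISP; against `FIXED_CONFIG` it reports nothing. Because `pass` creates no session state, the check deliberately treats each zone-pair on its own and skips `inspect` classes, which handle return traffic themselves.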
