08-01-2015 04:25 AM - edited 03-13-2019 09:05 PM
Hi All,
I have an issue with calls over my SIP trunk where the RTP media flow between endpoints stops in both directions after exactly 5 minutes.
The SIP session stays up. Call length can be extended by performing some sort of mid-call signalling (hold, then un-hold) during the call.
The environment looks like this:
Mobile Phone --> VTSP --> SIP --> CUBE/ZBFW --> SIP -->CUCM --> Cisco IP Phone
The issue can be resolved by disabling the ZBFW.
Here is a snippet of my CUBE/ZBFW config:
boot system flash:c2900-universalk9-mz.SPA.154-3.M3.bin
ip inspect log drop-pkt
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
voice service voip
ip address trusted list
ipv4 {publisher-IP}
ipv4 {Subscriber 1 IP}
ipv4 {Subscriber 2 IP}
ipv4 {VTSP SIP Proxy IP}
address-hiding
mode border-element license capacity 50
allow-connections sip to sip
modem passthrough protocol codec g711alaw
sip
session refresh
midcall-signaling passthru
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
!
!
voice class sip-profiles 100
request INVITE sip-header Remote-Party-ID remove
request INVITE sip-header Remote-Party-ID remove
class-map type inspect match-any SIP-TRAFFIC
description --All SIP Traffic--
match protocol sip
class-map type inspect match-all ICMP_Allow_CMAP
description --Allow ICMP Traffic--
match access-group name ICMP_Allow_ACL
!
policy-map type inspect VOICE-TRAFFIC
class type inspect SIP-TRAFFIC
inspect
class type inspect ICMP_Allow_CMAP
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
service-policy type inspect VOICE-TRAFFIC
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
service-policy type inspect VOICE-TRAFFIC
interface GigabitEthernet0/0
description --Connection to Us/Inside--
ip address xx.xx.xx.xx 255.255.255.0
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description --Connection to VTSP/Outside--
ip address xx.xx.xx.xx 255.255.255.248
zone-member security OUTSIDE
duplex auto
speed auto
dial-peer voice 100 voip
description --Voip in from Us/Inside--
huntstop
session protocol sipv2
incoming called-number .T
voice-class codec 1
voice-class sip profiles 100
dtmf-relay sip-kpml rtp-nte
no vad
dial-peer voice 200 voip
description --Voip in from VTSP--
huntstop
session protocol sipv2
incoming called-number 02XXXXXX..
voice-class codec 1
voice-class sip profiles 100
voice-class sip options-keepalive retry 3
dtmf-relay rtp-nte
fax-relay ecm disable
fax rate disable
no vad
!
dial-peer voice 201 voip
description --Voip out to CUCM 1--
preference 1
destination-pattern 02XXXXXX..
session protocol sipv2
session target ipv4:{Subscriber 1 IP}
voice-class codec 1
voice-class sip early-offer forced
voice-class sip options-keepalive retry 3
dtmf-relay sip-kpml
fax-relay ecm disable
fax rate disable
no vad
!
dial-peer voice 202 voip
description --Voip out to CUCM 2--
preference 2
destination-pattern 02XXXXXX..
session protocol sipv2
session target ipv4:{Subscriber 2 IP}
voice-class codec 1
voice-class sip early-offer forced
voice-class sip options-keepalive retry 3
dtmf-relay sip-kpml
fax-relay ecm disable
fax rate disable
no vad
At the 5 minute mark of a call, there is no indication in the logs of the CUBE that any UDP packets or SIP sessions are being dropped.
There are also no SIP BYE or RE-INVITE messages in the "debug ccsip messages" output.
My work around at the moment is to remove the SIP inspection and implement only UDP inspection between source/destination IP addresses.
I would much prefer to have SIP inspection only.
Am I missing something in my ZBFW configuration to allow SIP calls to last longer than 5 minutes?
Perhaps SIP inspection is reacting to something within the SIP messages being sent/received?
Thanks
Kent
08-01-2015 10:34 AM
I prefer a simple and stable configuration. Instead of inspecting SIP, I use two extended ACLs: from ipv4 {VTSP SIP Proxy IP} to mine, and back.
08-07-2015 04:16 PM
Hi Joshua/Tagir,
Thanks for your replies.
I have implemented UDP inspection only, which seems to have removed the issue.
It would seem there is an issue with SIP inspection.
I would be interested to know if anyone else has run into this?
However, I agree, implementing some ACLs would be more than adequate.
Cheers
Kent
08-06-2015 01:21 PM
I just use an extended ACL on my CUBE interface that faces my provider and open up the ACL for the respective media and signalling IP addresses my provider will TX/RX from.
I think you are making it more complicated than it needs to be by using ZBFW. Honestly, I have found that just using CBAC is sufficient in most situations versus ZBFW when needing to firewall a router. I like to keep it simple.
12-10-2018 09:41 AM
The problem here lies in the inspection that ZBFW offers, so you can use ACLs. In case you need to implement inspection in your network and the device supports this only via ZBFW, then you have to configure separate class-maps for the UDP ports and link them to the policy-maps with the action PASS. This introduces the requirement to configure rules in both directions, since reverse traffic will not be allowed by default. Based on your configuration, I suggest the following modifications:
class-map type inspect match-all CUBE_TO_OUTSIDE
description --Allow outgoing RTP traffic (CUBE to provider)--
match access-group name CUBE_TO_OUTSIDE
class-map type inspect match-all OUTSIDE_TO_CUBE
description --Allow incoming RTP traffic (provider to CUBE)--
match access-group name OUTSIDE_TO_CUBE
class-map type inspect match-any SIP-TRAFFIC
description --All SIP Traffic--
match protocol sip
class-map type inspect match-all ICMP_Allow_CMAP
description --Allow ICMP Traffic--
match access-group name ICMP_Allow_ACL
!
! Order within PMAP is significant
policy-map type inspect VOICE-TRAFFIC-IN
class type inspect OUTSIDE_TO_CUBE
pass
class type inspect SIP-TRAFFIC
inspect
class type inspect ICMP_Allow_CMAP
inspect
class class-default
drop log
!
policy-map type inspect VOICE-TRAFFIC-OUT
class type inspect CUBE_TO_OUTSIDE
pass
class type inspect SIP-TRAFFIC
inspect
class type inspect ICMP_Allow_CMAP
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
service-policy type inspect VOICE-TRAFFIC-OUT
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
service-policy type inspect VOICE-TRAFFIC-IN
!
! 'pass' creates no session state, so each ACE needs its mirror in the other zone-pair.
ip access-list extended CUBE_TO_OUTSIDE
permit udp [CUBE_Subnet] range 16384 32767 [ISP_Subnet] range 16384 32767
ip access-list extended OUTSIDE_TO_CUBE
permit udp [ISP_Subnet] range 16384 32767 [CUBE_Subnet] range 16384 32767
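As an added example (not part of the thread or of the reply above), here is a small Python checker for the point this reply makes: a `pass` action forwards packets without creating a session, so every ACE passed on one zone-pair needs its mirror on the reverse zone-pair, and a pass ACE should be scoped to known hosts or subnets rather than `any`. The input is a constructed IOS fragment modelled on the reply's configuration, with RFC 5737 documentation addresses standing in for [CUBE_Subnet] and [ISP_Subnet]; VOICE-TRAFFIC-IN deliberately references the CUBE_TO_OUTSIDE class so the check has something to report, and FIXED_CONFIG is the same fragment with that reference corrected. The parser only understands the `permit <proto> SRC [range A B] DST [range A B]` ACE form used in the thread.

```python
"""Added example: check that ZBFW 'pass' ACEs are mirrored on the reverse zone-pair."""

# Constructed IOS fragment modelled on the 12-10-2018 reply; RFC 5737 addresses stand in
# for [CUBE_Subnet] and [ISP_Subnet]. VOICE-TRAFFIC-IN deliberately points at the
# CUBE_TO_OUTSIDE class, as the reply did, so the check has something to report.
CONSTRUCTED_CONFIG = """
ip access-list extended CUBE_TO_OUTSIDE
 permit udp 192.0.2.0 0.0.0.255 range 16384 32767 198.51.100.0 0.0.0.7 range 16384 32767
ip access-list extended OUTSIDE_TO_CUBE
 permit udp 198.51.100.0 0.0.0.7 range 16384 32767 192.0.2.0 0.0.0.255 range 16384 32767
class-map type inspect match-all CUBE_TO_OUTSIDE
 match access-group name CUBE_TO_OUTSIDE
class-map type inspect match-all OUTSIDE_TO_CUBE
 match access-group name OUTSIDE_TO_CUBE
policy-map type inspect VOICE-TRAFFIC-OUT
 class type inspect CUBE_TO_OUTSIDE
  pass
policy-map type inspect VOICE-TRAFFIC-IN
 class type inspect CUBE_TO_OUTSIDE
  pass
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect VOICE-TRAFFIC-OUT
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
 service-policy type inspect VOICE-TRAFFIC-IN
"""

# The same fragment with the inbound policy pointing at the inbound class-map.
FIXED_CONFIG = CONSTRUCTED_CONFIG.replace(
    "VOICE-TRAFFIC-IN\n class type inspect CUBE_TO_OUTSIDE",
    "VOICE-TRAFFIC-IN\n class type inspect OUTSIDE_TO_CUBE")


def parse_ace(toks):
    """'permit PROTO SRC [range A B] DST [range A B]' -> hashable (proto, src, sport, dst, dport)."""
    i = 2

    def addr():                                   # 'any' | 'host A.B.C.D' | 'NETWORK WILDCARD'
        nonlocal i
        n = 1 if toks[i] == "any" else 2
        i += n
        return tuple(toks[i - n:i])

    def ports():                                  # only the 'range' form used in the thread
        nonlocal i
        n = 3 if i < len(toks) and toks[i] == "range" else 0
        i += n
        return tuple(toks[i - n:i]) or ("any",)

    src, sport, dst, dport = addr(), ports(), addr(), ports()
    return (toks[1], src, sport, dst, dport)


def parse(config):
    """Collect ACL entries, class-map ACL references, policy-map actions and zone-pairs."""
    acls, cmaps, pmaps, pairs = {}, {}, {}, []
    kind = section = cur_class = None
    for raw in config.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        if not raw.startswith(" "):               # top-level command opens a new section
            kind = section = None
            if toks[:3] == ["ip", "access-list", "extended"]:
                kind, section = "acl", acls.setdefault(toks[3], [])
            elif toks[:3] == ["class-map", "type", "inspect"]:
                kind, section = "cmap", cmaps.setdefault(toks[4], [])
            elif toks[:3] == ["policy-map", "type", "inspect"]:
                kind, section = "pmap", pmaps.setdefault(toks[3], [])
            elif toks[:2] == ["zone-pair", "security"]:
                kind, section = "pair", {"name": toks[2], "src": toks[4], "dst": toks[6], "policy": None}
                pairs.append(section)
        elif kind == "acl" and toks[0] == "permit":
            section.append(parse_ace(toks))
        elif kind == "cmap" and toks[:3] == ["match", "access-group", "name"]:
            section.append(toks[3])
        elif kind == "pmap" and toks[0] == "class":
            cur_class = toks[-1]
        elif kind == "pmap":
            section.append((cur_class, toks[0]))  # action line: pass / inspect / drop
        elif kind == "pair" and toks[0] == "service-policy":
            section["policy"] = toks[-1]
    return acls, cmaps, pmaps, pairs


def check_pass_mirrors(config):
    """One finding per pass ACE that is unscoped or has no mirror on the reverse zone-pair."""
    acls, cmaps, pmaps, pairs = parse(config)

    def passed(pair):                             # ACEs this zone-pair forwards without state
        return {ace for cls, action in pmaps.get(pair["policy"], []) if action == "pass"
                for acl in cmaps.get(cls, []) for ace in acls.get(acl, [])}

    findings = []
    for pair in pairs:
        reverse = {ace for other in pairs
                   if (other["src"], other["dst"]) == (pair["dst"], pair["src"])
                   for ace in passed(other)}
        for proto, src, sport, dst, dport in sorted(passed(pair)):
            text = " ".join((proto, *src, *sport, *dst, *dport))
            if ("any",) in (src, dst):
                findings.append(f"{pair['name']}: pass ACE not scoped to a host/subnet: {text}")
            if (proto, dst, dport, src, sport) not in reverse:
                findings.append(f"{pair['name']}: no mirrored pass on {pair['dst']}->{pair['src']}: {text}")
    return findings
```

Calling `check_pass_mirrors(CONSTRUCTED_CONFIG)` reports two findings, one per zone-pair, because both policies pass the CUBE-to-provider ACE and nothing passes the provider-to-CUBE return path; `check_pass_mirrors(FIXED_CONFIG)` returns an empty list. The same function can be pointed at a saved `show running-config` once the config follows the same ACL and class-map shapes.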