05-15-2017 06:10 AM - edited 03-05-2019 08:32 AM
I have 2 identical 4331 ISR routers with nearly identical configurations. Each is directly connected to a different ISP. The problem I am experiencing is related to an outbound SIP connection to an external service. Both routers' function is merely to route, with firewalls behind them. Behind the FW resides a server that makes outbound SIP calls. I have done packet captures at each point: Server1, the Cisco ASA inside and outside interfaces, as well as the inside and outside interfaces of the routers.
It is only on the outside interface capture for the ISP#1 router that I see the SIP packets dropped. The inside interface capture appears normal. The default gateway on the ASA FW is to use the ISP#1 router. However, when I add a static route on the ASA to use the ISP#2 router, the SIP connections work. I added "no ip nat service sip udp port 5060" on the ISP#1 router to no effect; the voice messaging service fails to connect. Switching back again to the ISP#2 router and the connection is made.
ISP#1 4331 ISR router:
interface GigabitEthernet0/0/0
 ip address 207.xx.xx.xx 255.255.255.224
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 10.x.x.1 255.255.255.0
 ip nat inside
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip nat inside source static 10.x.x.100 207.xx.xx.10
ip nat inside source static 10.x.x.101 207.xx.xx.11
ip access-list standard NAT
 permit 10.x.x.0 0.0.255.255
ISP#2 4331 ISR router:
interface GigabitEthernet0/0/0
 ip address 38.xx.xx.xx 255.255.255.248
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 10.x.x.5 255.255.255.0
 ip nat inside
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip nat inside source static 10.x.x.101 38.xx.xx.180
ip nat inside source static 10.x.x.102 38.xx.xx.181
ip access-list standard NAT
 permit 10.x.x.0 0.0.255.255
Any tips, suggestions, or ideas on where to look next would be very much appreciated.
05-15-2017 01:26 PM
Hello,
I wonder if it might simply be a problem with QoS. Try and apply a simple policy such as the one below to your interface:
ISP#1:
class-map match-all VOICE
 match ip dscp ef
class-map match-any SIGNALING
 match ip dscp cs3
 match ip dscp af31
policy-map QOS_VOICE
 class VOICE
  priority percent 30
 class SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect dscp-based
interface GigabitEthernet0/0/0
 service-policy output QOS_VOICE
That said, which IOS XE version are you running on the ISP#1 router?
05-15-2017 09:16 PM
Please post "show ip route" from both routers and share the destination IP of the SIP server.
Thanks
Hitesh
05-15-2017 09:50 PM
On a side note, make sure that 'ip nat service sip' (which is enabled by default on port 5060) has not accidentally been turned off on ISR#1...
05-16-2017 05:19 AM
On ISP#1 I have 03.13.04.S and on ISP#2 I have 03.16.04b.S. When I do "ip nat service sip udp port 5060" it has no effect on either router; the command does not show up in the config. However, on an 881 (v 15.2(4)M4) the command does show up in the config.
I do see similar NAT translations on each router. I temporarily change the default gateway on the ASA to switch from ISP#2 back to ISP#1.
ISP#1: udp 207.xx.xx.10:5060 10.1.1.101:5060 205.xx.xx.42:5060 205.xx.xx.42:5060
ISP#2: udp 38.xx.xx.xx:5060 10.1.1.101:5060 205.xx.xx.42:5060 205.xx.xx.42:5060