Showing results for 
Search instead for 
Did you mean: 

Unable to log into the Microsoft Windows 2003 Live Communication server through the PIX/ASA firewall version 7.x


Core issue

This issue is due to the absence of inspection for the Session Initiation Protocol (SIP) that uses port 5060.

Instant Messaging (IM) refers to the transfer of messages in near real-time. The MESSAGE/INFO methods and 202 Accept response support IM as defined in these Requests for Comments (RFCs):

  • Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
  • Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428

The MESSAGE/INFO requests can arrive at any time after a registration or a subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes, which timeout in accordance with the configured SIP timeout value. This value must be configured for at least five minutes longer than the subscription duration. The Contact Expires value defines the subscription duration and is typically 30 minutes.

Because the MESSAGE/INFO requests are typically sent through a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.

Note: The SIP also enables Voice over IP (VoIP) calls. The SIP works with the Secure Device Provisioning (SDP) for call signaling.


In order to resolve this issue, enable inspection for SIP on the security appliance with the inspect sip command.

Refer to this configuration example:

hostname (config)#policy-map global_policy
hostname (config-pmap)#
class inspection_default
hostname (config-pmap-c)#inspect sip

hostname (config)#class class_sip_udp
hostname (config-cmap)#inspect sip

Content for Community-Ad