Core issue
This issue is caused by the absence of inspection for the Session Initiation Protocol (SIP), which uses port 5060.
Instant Messaging (IM) refers to the transfer of messages in near real-time. The MESSAGE/INFO methods and 202 Accept response support IM as defined in these Requests for Comments (RFCs):
Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428
The MESSAGE/INFO requests can arrive at any time after a registration or a subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes, which time out in accordance with the configured SIP timeout value. This value must be configured to be at least five minutes longer than the subscription duration. The Contact Expires value defines the subscription duration and is typically 30 minutes.
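The timeout rule above can be checked against a registration response. The following is an added example, not part of the original note or any Cisco tooling: it reads the granted expiry from a constructed SIP 200 OK and computes the smallest SIP timeout that satisfies the five-minute margin. The sample message, function names, and the 0:30:00 configured value are assumptions, and folded header lines are not handled.

```python
import re

MARGIN_SECONDS = 5 * 60  # the rule above: at least five minutes longer

# Constructed sample: a 200 OK to a REGISTER, not captured from a real network.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "From: <sip:alice@example.com>;tag=456248\r\n"
    "To: <sip:alice@example.com>;tag=2493k59kd\r\n"
    "Call-ID: 843817637684230@example.com\r\n"
    "CSeq: 1826 REGISTER\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>;expires=1800\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

def subscription_seconds(message):
    """Return the subscription duration granted in a SIP message, or None."""
    headers = message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip start line
    contact_expires, header_expires = [], None
    for line in headers:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("contact", "m"):  # "m" is the compact form of Contact
            contact_expires += [int(x) for x in re.findall(r";\s*expires\s*=\s*(\d+)", value, re.I)]
        elif name == "expires" and value.strip().isdigit():
            header_expires = int(value.strip())
    # A Contact expires parameter takes precedence over the Expires header (RFC 3261).
    return max(contact_expires) if contact_expires else header_expires

def minimum_sip_timeout(message, margin=MARGIN_SECONDS):
    """Smallest SIP timeout, in seconds, that outlives the subscription."""
    granted = subscription_seconds(message)
    if granted is None:
        raise ValueError("no Contact expires parameter or Expires header found")
    return granted + margin

def as_hms(seconds):
    h, rest = divmod(seconds, 3600)
    m, s = divmod(rest, 60)
    return f"{h}:{m:02d}:{s:02d}"

def timeout_is_sufficient(configured_hms, message):
    h, m, s = (int(p) for p in configured_hms.split(":"))
    return h * 3600 + m * 60 + s >= minimum_sip_timeout(message)

if __name__ == "__main__":
    print("minimum SIP timeout:", as_hms(minimum_sip_timeout(SAMPLE_200_OK)))
    print("0:30:00 sufficient?", timeout_is_sufficient("0:30:00", SAMPLE_200_OK))
```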
Because the MESSAGE/INFO requests are typically sent through a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.
Note: SIP also enables Voice over IP (VoIP) calls. SIP works with the Session Description Protocol (SDP) for call signaling.
Resolution
In order to resolve this issue, enable inspection for SIP on the security appliance with the inspect sip command.
Refer to this configuration example. The class_sip_udp class must refer to a class map that is already defined:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class class_sip_udp
hostname(config-pmap-c)# inspect sip