Expressway MRA NAT issue

Attila Horvath
Level 1

Hi, 

We have an Expressway C/E pair configured with MRA.

When a Jabber endpoint successfully connects, we have sound and presence.

But sometimes the ASA firewall near the endpoint shows packets dropped from Exp-E upper TCP ports to the endpoint's upper TCP port, and the endpoint cannot register to CUCM. (Most of the time the presence is working well.)

 

Obviously these ports are NOT open at the firewall (note this is not the Expressway side, it is the client side).

I assume opening these ports is a SIP ALG/fixup task. But what if we use TLS between the Jabber endpoint and Expressway-E? The SIP headers and the rest are encrypted, and the firewall cannot open the ports to let them in.

Is there any solution? If I understand correctly, TLS encryption is a must between the Jabber endpoint and Expressway-E and cannot be switched off.

 

6 Replies

You are actually supposed to turn SIP/H.323 inspection off for all Expressway connections. Instead, configure the "IPv4 static NAT address" on the Expressway-E (which you may have already done) and open all required ports - see this guide for a full list: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-10/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-10.pdf

SIP inspection built into ASAs and the like will often work some of the time but fail at other times, which is why Cisco tell you to turn it off, just open the required ports, and make the Expressway explicitly aware of its NAT'd public IP.
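As an added illustration of what that reply recommends (this is not configuration from the thread or from Cisco's guide), the ASA CLI below removes SIP and H.323 inspection from the default global service policy, opens the Expressway-E signaling port explicitly, and uses packet-tracer to confirm how the ASA would treat a connection. The IP addresses, the object name and the media port range are placeholders; take the real port list from the linked port usage guide.

```cisco
! --- Disable SIP/H.323 application inspection (ALG) globally ---
! The default policy on an ASA is "global_policy" with class "inspection_default".
policy-map global_policy
 class inspection_default
  no inspect sip
  no inspect h323 h225
  no inspect h323 ras

! --- Open the required ports explicitly instead of relying on the ALG ---
! <EXP-E-PUBLIC-IP> is the Expressway-E static NAT address (placeholder).
object network EXPRESSWAY_E
 host <EXP-E-PUBLIC-IP>

! TCP 5061: SIP over TLS from Jabber/MRA clients to Expressway-E.
access-list OUTSIDE_IN extended permit tcp any object EXPRESSWAY_E eq 5061
! Media: UDP range as listed in the port usage guide (placeholder bounds).
access-list OUTSIDE_IN extended permit udp any object EXPRESSWAY_E range <MEDIA-LOW> <MEDIA-HIGH>
access-group OUTSIDE_IN in interface outside

! --- Verify ---
! Inspection should no longer list sip / h323 for the global policy.
show service-policy inspect sip
! Simulate a client-to-Expressway-E TLS connection and check for "Action: allow"
! (1.2.3.4 and 40000 are a placeholder client address and ephemeral port).
packet-tracer input outside tcp 1.2.3.4 40000 <EXP-E-PUBLIC-IP> 5061 detailed
```

Disabling the inspection only on the Expressway path (a separate class map matched on the Expressway-E address) is also possible, but the global form above is the one most deployment guides describe, and it avoids the intermittent failures the reply mentions.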

 

 

Hi, 

The NAT is switched on at the external interface of the Edge. The sound is good between two NAT-ed ends, so I assume it is configured correctly.

 

 

Instead of a configuration mistake, it seems to be a bug.

I investigated a bit and found that the drop occurred after I closed the TLS session (logout).

When the TLS session to port 5061 (SIP signaling over TLS) is closed, Expressway-E tries to reach the endpoint on an upper-range port (and obviously the ASA drops the packet).

[attachment: image007.jpg]

 

So we assume this is 

 

Pretty sure that port is in the range that you're supposed to open, can't check now but read the guide and I think that will be in there.

Checked and read all the guides :). By the way, this is the endpoint-side firewall drop,

so it is (most of the time) out of our control. It can be a mobile ISP firewall, an SMB firewall, and so on.

By the way, we assume the problem is cluster related. Do you have any suggestions?

https://supportforums.cisco.com/t5/telepresence/expressway-c-amp-e-clustering-issue/td-p/3299859