Re: SIP NAT over ISR 4300 series broken?

andrewcrab · ‎11-15-2016

So I've had SIP NAT'ed over a 891 for years and years. Then I do a router upgrade to a ISR 4331 and copy the config across modifing the bits that need to be changed and I thought the everything was working fine.

Then I get told by the users that they can't transfer between the phones (SPA303's) and I've tried everything I can think of like disabling ALG for UDP and TCP and removing the ZBF for the VOIP VLAN and still nothing, transfers still fail.

Anybody know of anything special that the 4331's are doing to the INVITE packets, or is it just borked firmware?

4331 is currently running 3.13.4.S.154-3.S4-ext.SPA

Thank you!

Cody Smith · ‎11-03-2017

Despite no help from Cisco (insisting this was not a problem and was acting as expected, not even referencing the below mentioned nat feature), I had to send this to my team.

We’ve ran into a few instances of 4300 routers having problems with SIP implementations/Voice Gateways setups.

The issue appears as the following: If SIP is bound to the same interface that ANY form of NAT is also functioning on, you will see that SIP is being received on the ingress interface (via packet capture) however, is not being processed as a SIP message via the SIP stack. This even applies if the NAT (or its ACL, if used) doesn’t reference SIP at all (ie, nat for phone directories). This problem is due to a default, unchangeable, configuration in the 4300 series 15.X IOS (XE). This is shown when you issue “show ip nat portblock dynamic global detail”. The ports referenced are a range that encompasses 5060.

The fix that has been done recently is to generally route another Loopback. This can now be fixed via either of the two following options:

Change the sip listener port to a port outside the range of the listed blocked ports shown in “show ip nat portblock dynamic global detail”. This can be done under “voice service voip > sip”. You will have to initiate “shutdown” under “sip” to apply the config. With this said, you will have to reference this port on CUCM trunks when pointing towards that device. This will not be a suitable fix if the gateways intends to be used as a CME or CME-SRST router as well unless you want to also change the port the phones communicate to the router on.

Upgrade the router to 16.X firmware. This firmware shows no ports blocked when you issue “show ip nat portblock dynamic global detail”.

dschoolcraft · ‎11-03-2017

I currently have a ticket open for the same issue.. The bug is listed as CSCuy82008, So far TAC has mentioned the following solutions:

Reload the gateway with NAT disabled, and manually enable it, after the gateway finished booting
Use pool overload, instead of interface overload
Use loopback interfaces

Each with it's own issues.. The older 29XX/39XX routers do not have this limitation..

I've requested a confirmation on the upgrade to 16.x Code as a resolution.. In my Scenario:

ISP > ISR4331 (NAT/CUBE Gateway) > LAN. The 4331 runs NAT & SIP as a CCME gateway.. The SIP trunk is bound to the WAN interface. It will register if i take NAT off of the WAN Interface, but it breaks the internet.. The exact configuration was migrated from a 2921 with only interface name modifications.. Calling/SIP registration did work as expected with NAT disabled.

Cody Smith · ‎11-03-2017

Right, well, in our scenario we are generally using the loopback for both nat and sip. This occurs on that (loopback) as well.

Easiest fix is just the upgrade. In 16.6 (Everest) specifically you can actually, manually, change the ports that are blocked if there were any showing up under that show command.

Corey P · ‎11-03-2017

It is worth noting that using a NAT pool did not work when I tried. The only fix we could find (and keep NAT) was to upgrade to 16.x (per Cody) or use a interface without any NAT configured for it.

dschoolcraft · ‎11-03-2017

I tried the upgrade to 16.6.1 and experienced the same behavior, however, after removing NAT from the outside interface and reapplying the SIP trunk Registered and connected..

in 16.6.1 the bug is still present with NAT using the SIP ports:

gateway#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (config) rfcnt 2
545 - 617 (config) rfcnt 2

udp:
5062 - 6085 (config) rfcnt 2
512 - 584 (config) rfcnt 2.

When i went to the latest IOS 16.6.2 posted today, All worked after a reboot.. I'm not sure what else will be broken, but it has a post date of 11/03

The same output is observed on 16.6.2, but the SIP trunk came up on a reboot with no intervention.

gateway#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (config) rfcnt 2
545 - 617 (config) rfcnt 2

udp:
5062 - 6085 (config) rfcnt 2
512 - 584 (config) rfcnt 2

gateway#

dastrix80 · ‎08-09-2018

Hi Guys

I can get SIP to register but not make calls via the WAN with NAT.

Works on the LAN fine. Suspect a NAT/RTP./SIP issue despite a successful SIP registration

Any thoughts?

ISR4331-KK#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (addr change)
545 - 617 (addr change)

udp:
5061 - 6084 (addr change)
512 - 584 (addr change)

ISR4331-KK#

benbollinger · ‎03-21-2019

16.6.5 fixed our issue. We were also running PfR, DMVPN, IWAN, Zone based firewall, SIP CUBE, SRST and A vmware firewall in a module.

sSiDs · ‎11-20-2020

i think they haven't fix it

BORDER-ISR4351#show ip nat portblock dynamic global detail
tcp:
  5062 - 6085 (config)  rfcnt 3
545  -  617 (config)  rfcnt 3

udp:
  5062 - 6085 (config)  rfcnt 3
512  -  584 (config)  rfcnt 3

BORDER-ISR4351#sh ver
Cisco IOS XE Software, Version 16.09.06
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.6, RELEASE SOFTWARE (fc2)