11-15-2016 02:01 AM
So I've had SIP NAT'ed over an 891 for years and years. Then I do a router upgrade to an ISR 4331 and copy the config across, modifying the bits that need to be changed, and I thought everything was working fine.
Then I get told by the users that they can't transfer between the phones (SPA303's) and I've tried everything I can think of like disabling ALG for UDP and TCP and removing the ZBF for the VOIP VLAN and still nothing, transfers still fail.
Anybody know of anything special that the 4331's are doing to the INVITE packets, or is it just borked firmware?
4331 is currently running 3.13.4.S.154-3.S4-ext.SPA
Thank you!
11-03-2017 07:58 AM
Despite no help from Cisco (insisting this was not a problem and was acting as expected, not even referencing the below mentioned nat feature), I had to send this to my team.
We’ve run into a few instances of 4300 routers having problems with SIP implementations/Voice Gateway setups.
The issue appears as the following: If SIP is bound to the same interface that ANY form of NAT is also functioning on, you will see that SIP is being received on the ingress interface (via packet capture); however, it is not being processed as a SIP message via the SIP stack. This even applies if the NAT (or its ACL, if used) doesn’t reference SIP at all (i.e., NAT for phone directories). This problem is due to a default, unchangeable configuration in the 4300 series 15.X IOS (XE). This is shown when you issue “show ip nat portblock dynamic global detail”. The ports referenced are a range that encompasses 5060.
The fix that has been done recently is to generally route another Loopback. This can now be fixed via either of the two following options:
11-03-2017 08:35 AM
I currently have a ticket open for the same issue. The bug is listed as CSCuy82008. So far TAC has mentioned the following solutions:
Each with its own issues. The older 29XX/39XX routers do not have this limitation.
I've requested a confirmation on the upgrade to 16.x code as a resolution. In my scenario:
ISP > ISR4331 (NAT/CUBE Gateway) > LAN. The 4331 runs NAT & SIP as a CCME gateway. The SIP trunk is bound to the WAN interface. It will register if I take NAT off of the WAN interface, but it breaks the internet. The exact configuration was migrated from a 2921 with only interface name modifications. Calling/SIP registration did work as expected with NAT disabled.
11-03-2017 08:41 AM
Right, well, in our scenario we are generally using the loopback for both nat and sip. This occurs on that (loopback) as well.
Easiest fix is just the upgrade. In 16.6 (Everest) specifically you can actually, manually, change the ports that are blocked if there were any showing up under that show command.
11-03-2017 08:47 AM
It is worth noting that using a NAT pool did not work when I tried. The only fix we could find (and keep NAT) was to upgrade to 16.x (per Cody) or use an interface without any NAT configured for it.
11-03-2017 05:18 PM
I tried the upgrade to 16.6.1 and experienced the same behavior, however, after removing NAT from the outside interface and reapplying the SIP trunk Registered and connected.
In 16.6.1 the bug is still present with NAT using the SIP ports:
gateway#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (config) rfcnt 2
545 - 617 (config) rfcnt 2
udp:
5062 - 6085 (config) rfcnt 2
512 - 584 (config) rfcnt 2.
When I went to the latest IOS 16.6.2 posted today, all worked after a reboot. I'm not sure what else will be broken, but it has a post date of 11/03.
The same output is observed on 16.6.2, but the SIP trunk came up on a reboot with no intervention.
gateway#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (config) rfcnt 2
545 - 617 (config) rfcnt 2
udp:
5062 - 6085 (config) rfcnt 2
512 - 584 (config) rfcnt 2
gateway#
08-09-2018 04:36 AM
Hi Guys
I can get SIP to register but not make calls via the WAN with NAT.
Works on the LAN fine. Suspect a NAT/RTP/SIP issue despite a successful SIP registration.
Any thoughts?
ISR4331-KK#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (addr change)
545 - 617 (addr change)
udp:
5061 - 6084 (addr change)
512 - 584 (addr change)
ISR4331-KK#
03-21-2019 11:16 AM
16.6.5 fixed our issue. We were also running PfR, DMVPN, IWAN, zone-based firewall, SIP CUBE, SRST and a VMware firewall in a module.
11-20-2020 04:46 AM
I think they haven't fixed it.
BORDER-ISR4351#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (config) rfcnt 3
545 - 617 (config) rfcnt 3
udp:
5062 - 6085 (config) rfcnt 3
512 - 584 (config) rfcnt 3
BORDER-ISR4351#sh ver
Cisco IOS XE Software, Version 16.09.06
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.6, RELEASE SOFTWARE (fc2)
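
An added example, not part of any post in this thread: a Python parser for the "show ip nat portblock dynamic global detail" output pasted above that reports whether the SIP ports 5060 and 5061 fall inside a listed block. The function names and the choice of ports to check are assumptions of the example; it only tests range membership.

```python
import re

# One block line, e.g. "5062 - 6085 (config) rfcnt 2" or "5061 - 6084 (addr change)".
BLOCK_RE = re.compile(r"^(\d+)\s*-\s*(\d+)\s*\(([^)]*)\)")

# Outputs copied from the posts above (the 16.6.1 gateway and ISR4331-KK).
OUTPUT_GATEWAY = """gateway#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (config) rfcnt 2
545 - 617 (config) rfcnt 2
udp:
5062 - 6085 (config) rfcnt 2
512 - 584 (config) rfcnt 2.
"""
OUTPUT_KK = """ISR4331-KK#show ip nat portblock dynamic global detail
tcp:
5062 - 6085 (addr change)
545 - 617 (addr change)
udp:
5061 - 6084 (addr change)
512 - 584 (addr change)
ISR4331-KK#
"""

def parse_portblocks(text):
    """Return {"tcp": [(start, end, reason), ...], "udp": [...]}; prompt lines are skipped."""
    blocks, proto = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() in ("tcp:", "udp:"):
            proto = line[:-1].lower()
            blocks.setdefault(proto, [])
            continue
        m = BLOCK_RE.match(line)
        if m and proto:
            blocks[proto].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return blocks

def ports_in_blocks(blocks, ports=(5060, 5061)):
    """Map (proto, port) -> (start, end, reason) for each port inside a listed block."""
    return {(proto, port): (lo, hi, why)
            for proto, ranges in blocks.items()
            for port in ports
            for lo, hi, why in ranges if lo <= port <= hi}

if __name__ == "__main__":
    for name, out in (("gateway", OUTPUT_GATEWAY), ("ISR4331-KK", OUTPUT_KK)):
        print(name, ports_in_blocks(parse_portblocks(out)))
```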