Solved: Re: Dropping VOIP Calls

ebrunet · ‎03-31-2022

Beginner here: We are dropping random calls and random phones will not register on the network. SIP ALG has been disabled. Jitter is fine. Yet issue still persist

hostname jz-corn

domain-name eerc.ca

enable password /vraMKkQ00WPzYqm encryptedVOIP

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.12.0 chest

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 72.1.213.52 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.11.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name eerc.ca

access-list inside_outbound_nat0_acl extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0

access-list outin extended permit tcp any host 72.1.213.51 eq smtp

access-list outin extended permit tcp any host 72.1.213.51 eq https

access-list outin extended permit tcp any host 72.1.213.51 eq www

access-list outin extended permit tcp any host 72.1.213.50 eq 8001

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool clientpool 192.168.11.35-192.168.11.38 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 72.1.213.51 192.168.11.8 netmask 255.255.255.255

static (inside,outside) 72.1.213.50 192.168.11.9 netmask 255.255.255.255

access-group outin in interface outside

route outside 0.0.0.0 0.0.0.0 72.1.213.49 1

route outside chest 255.255.255.0 72.1.213.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.11.0 255.255.255.255 inside

http 192.168.11.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 70.52.118.240 24.235.52.46

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.168.11.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 70.52.118.240 type ipsec-l2l

tunnel-group 70.52.118.240 ipsec-attributes

pre-shared-key *

tunnel-group 24.235.52.46 type ipsec-l2l

tunnel-group 24.235.52.46 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect dns preset_dns_map

inspect http

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c840f9784f641433f2b59855f603ab16

UdupiKrishna · ‎04-07-2022

While ACL should be permitting ICMP, you are inspecting ICMP within the global policy map thats why it may not work.

Given the fact that SIP is not inspected anymore, do you still see VOIP drops? Running a capture on the source machine, firewall ingress and egress interface during a VOIP call would be better idea

View solution in original post

UdupiKrishna · ‎03-31-2022

You mentioned that SIP ALG is disabled, but I see "inspect sip" under global policy map. I would start here by configuring "no inspect sip" then verify if there are any improvements.

ebrunet · ‎04-01-2022

Even after I ran this command:

policy-map global_policy
class inspection_default
no inspect sip

Here are the results

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http

UdupiKrishna · ‎04-01-2022

This is an interesting behaviour. Couldn't find any bugs that showcases this behaviour.

What's the software version running on this ASA? I am spitballing, but can you try removing inspection for any other service to see the outcome.

Or see if you can try something like "no fixup protocol sip". These were legacy PIX commands.

ebrunet · ‎04-01-2022

Software Version is 8.2

When I attempted the command again:

jz-corn# config terminal
jz-corn(config)# policy-map global_policy
jz-corn(config-pmap)# class inspection_default
jz-corn(config-pmap-c)# no inspect sip
ERROR: Inspection not installed or parameters do not match

UdupiKrishna · ‎04-04-2022

Run show service-policy and verify if SIP is still inspected.

I would recommend these steps, reboot and then run "no fixup protocol 5060"

ebrunet · ‎04-05-2022

It does not appear to be running anymore:

Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 1, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0

tried to ping the web address of the teleco company and getting a request timed out, yet I can access their site using a browser

Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: dns preset_dns_map, packet 1163652, drop 58, reset-drop 0
Inspect: http, packet 35480727, drop 0, reset-drop 0

UdupiKrishna · ‎04-07-2022

While ACL should be permitting ICMP, you are inspecting ICMP within the global policy map thats why it may not work.

Given the fact that SIP is not inspected anymore, do you still see VOIP drops? Running a capture on the source machine, firewall ingress and egress interface during a VOIP call would be better idea

ebrunet · ‎04-08-2022

Thank you. I really appreciate this community and the level of support. You have solved my issue.