03-31-2022 08:28 AM
Beginner here: We are dropping random calls and random phones will not register on the network. SIP ALG has been disabled. Jitter is fine. Yet issue still persist
hostname jz-corn
domain-name eerc.ca
enable password /vraMKkQ00WPzYqm encryptedVOIP
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.12.0 chest
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 72.1.213.52 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name eerc.ca
access-list inside_outbound_nat0_acl extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.11.0 255.255.255.0 chest 255.255.255.0
access-list outin extended permit tcp any host 72.1.213.51 eq smtp
access-list outin extended permit tcp any host 72.1.213.51 eq https
access-list outin extended permit tcp any host 72.1.213.51 eq www
access-list outin extended permit tcp any host 72.1.213.50 eq 8001
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool clientpool 192.168.11.35-192.168.11.38 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 72.1.213.51 192.168.11.8 netmask 255.255.255.255
static (inside,outside) 72.1.213.50 192.168.11.9 netmask 255.255.255.255
access-group outin in interface outside
route outside 0.0.0.0 0.0.0.0 72.1.213.49 1
route outside chest 255.255.255.0 72.1.213.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.11.0 255.255.255.255 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 70.52.118.240 24.235.52.46
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 70.52.118.240 type ipsec-l2l
tunnel-group 70.52.118.240 ipsec-attributes
pre-shared-key *
tunnel-group 24.235.52.46 type ipsec-l2l
tunnel-group 24.235.52.46 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c840f9784f641433f2b59855f603ab16
Solved! Go to Solution.
04-07-2022 05:15 PM
While ACL should be permitting ICMP, you are inspecting ICMP within the global policy map thats why it may not work.
Given the fact that SIP is not inspected anymore, do you still see VOIP drops? Running a capture on the source machine, firewall ingress and egress interface during a VOIP call would be better idea
03-31-2022 10:10 PM
You mentioned that SIP ALG is disabled, but I see "inspect sip" under global policy map. I would start here by configuring "no inspect sip" then verify if there are any improvements.
04-01-2022 05:22 AM
Even after I ran this command:
policy-map global_policy
class inspection_default
no inspect sip
Here are the results
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
04-01-2022 06:17 AM - edited 04-01-2022 06:23 AM
This is an interesting behaviour. Couldn't find any bugs that showcases this behaviour.
What's the software version running on this ASA? I am spitballing, but can you try removing inspection for any other service to see the outcome.
Or see if you can try something like "no fixup protocol sip". These were legacy PIX commands.
04-01-2022 06:29 AM
Software Version is 8.2
When I attempted the command again:
jz-corn# config terminal
jz-corn(config)# policy-map global_policy
jz-corn(config-pmap)# class inspection_default
jz-corn(config-pmap-c)# no inspect sip
ERROR: Inspection not installed or parameters do not match
04-04-2022 06:44 PM
Run show service-policy and verify if SIP is still inspected.
I would recommend these steps, reboot and then run "no fixup protocol 5060"
04-05-2022 07:44 AM
It does not appear to be running anymore:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 1, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
tried to ping the web address of the teleco company and getting a request timed out, yet I can access their site using a browser
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: dns preset_dns_map, packet 1163652, drop 58, reset-drop 0
Inspect: http, packet 35480727, drop 0, reset-drop 0
04-07-2022 05:15 PM
While ACL should be permitting ICMP, you are inspecting ICMP within the global policy map thats why it may not work.
Given the fact that SIP is not inspected anymore, do you still see VOIP drops? Running a capture on the source machine, firewall ingress and egress interface during a VOIP call would be better idea
04-08-2022 07:37 AM
Thank you. I really appreciate this community and the level of support. You have solved my issue.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide