
Firepower 1010 and VoIP

dbronco
Level 1

Hello, 

I'm having an issue with VoIP phones dropping connection over a Firepower 1010 connection using FTD. This is something I've inherited and some of the settings / configuration are based off what has been done 100+ times by folks who are no longer with our group. However, this is the first revised setup with new equipment. 

Equipment: Firepower 1010 running FTD 7.0.1-84 and the VoIP phones are Aiphone IX-MV7

Configuration: Room A subnet of 10.10.1.1 and Room B subnet of 10.10.2.1 connected via fiber and media converters. Ports 2-8 are in a BVI. VPN is setup with basic AES-256 encryption. 

Issue: On startup, if you make a call from Room A to B, the call will be successful. If you then wait 5 minutes and try to call again, the call fails. If you then try and call from Room B back to Room A, the call will go through. Wait another 5 minutes and try that call again from B > A and the call won't go through. 

I know the connection itself doesn't drop because I have other devices connected as well as laptops running a messenger service that doesn't lose connection. 

I've also tested the older model of Aiphone we used to use (EOL) and the issue doesn't reoccur

I've tested the new model of Aiphone on our older 5506 ASAs and they also don't lose connection. 

With the two new Aiphones on the same dumb Netgear switch, and IPs changed to the same subnet, they don't lose connection. 

If I ping Room B from Room A, I can make a call regardless of time limit. If I wait til after the 5 minutes and try to ping Room B again, I'll get 'destination host unreachable' until I call from Room B. This test replicates the same from the other side as well. 

In Event Viewer on the web interface, I can't see any denied connections. Nor can I see any denied connections in any of the other dashboard screens. 

I'm stuck at this point, has anyone seen anything like this before? 

Thanks in advance


7 Replies

I would try to disable SIP inspection if that is enabled and see if that makes any difference. You can do that via FlexConfig:

policy-map global_policy
  class inspection_default
    no inspect sip

dbronco
Level 1

I did find an article about that but it didn't help. 

tvotna
Spotlight

If I ping Room B from Room A, I can make a call regardless of time limit. If I wait til after the 5 minutes and try to ping Room B again, I'll get 'destination host unreachable' until I call from Room B. This test replicates the same from the other side as well.

5 minutes is the MAC aging interval. Could you post the interface configuration, including the physical and BVI interfaces, and

show switch mac-address-table
show arp

when everything works and when it stops working (explaining each MAC and ARP entry in the output)?


dbronco
Level 1

That's interesting, I didn't know that. Thank you. 

I ran the requested commands and got the following

> show switch mac-address-table
Legend: Age - entry expiration time in seconds

   Mac Address  | VLAN |            Type          | Age | Port
-------------------------------------------------------------

I couldn't find a reason why there are no MAC addresses in here, and it's the same in both Room A and Room B.

For the ARP table: 

Room A
> show arp
        outside 10.54.88.1 5856.9fb9.c548 748
        inside_outside 10.10.1.204 000b.aa30.8ee6 17
        inside_outside 10.10.1.20 ac91.a1f2.aa3e 118

Room B
> show arp
        outside 10.54.88.2 5856.9fd9.9748 736
        inside_group 10.10.2.203 000b.aa2f.b116 5
        inside_group 10.10.2.20 ac91.a1f2.9dda 235

1.204 is the VoIP phone in Room A 

1.20 is the laptop in Room A 

1.210 and .211 are cameras 

2.203 is the phone in Room B

2.20 is the laptop in Room B
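As an added example (not from the thread, and not Cisco's own tooling), a small Python helper that does what the earlier reply asks for: parse FTD `show arp` output and compare a snapshot taken while calls work against one taken after the 5-minute failure. The working snapshot is the Room A output posted above; the failing snapshot is constructed, and the 300-second aging value is an assumption taken from the "5 minutes" hint.

```python
import re

# Switch MAC aging interval assumed from the "5 minutes" hint (300 s); adjust to match the device.
MAC_AGING_SECONDS = 300

# One line of FTD "show arp": <interface> <ip> <mac> <age in seconds>
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\d+)\s*$"
)

# Room A output as posted in the thread while calls still worked.
ROOM_A_WORKING = """\
> show arp
        outside 10.54.88.1 5856.9fb9.c548 748
        inside_outside 10.10.1.204 000b.aa30.8ee6 17
        inside_outside 10.10.1.20 ac91.a1f2.aa3e 118
"""

# Constructed snapshot (not from the thread) after the 5-minute failure:
# the phone's entry has gone and the remaining entries have simply aged.
ROOM_A_FAILING = """\
> show arp
        outside 10.54.88.1 5856.9fb9.c548 1102
        inside_outside 10.10.1.20 ac91.a1f2.aa3e 472
"""

def parse_show_arp(output):
    """Return {(interface, ip): (mac, age_seconds)} from raw 'show arp' text."""
    entries = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac, age = m.groups()
            entries[(iface, ip)] = (mac.lower(), int(age))
    return entries

def diff_arp(working, failing):
    """Entries from the working snapshot that vanished or changed MAC in the failing one."""
    report = []
    for (iface, ip), (mac, _age) in working.items():
        if (iface, ip) not in failing:
            report.append(("missing", iface, ip, mac))
        elif failing[(iface, ip)][0] != mac:
            report.append(("mac_changed", iface, ip, failing[(iface, ip)][0]))
    return report

def older_than_aging(entries, limit=MAC_AGING_SECONDS):
    """IPs whose ARP entry outlived the MAC aging interval; a silent host here may
    already have dropped out of the switch MAC table while ARP still holds it."""
    return sorted(ip for (_iface, ip), (_mac, age) in entries.items() if age > limit)
```

Feed it the two captures tvotna asked for (working and failing, per room) and walk through the report entry by entry alongside the matching `show switch mac-address-table` output.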

It's hard to say anything without the interface config. Use of a BVI may imply transparent mode or routed firewall mode with Integrated Routing and Bridging (IRB) configured. Which mode do you use?

Do you see the MAC table populated on 6.6?


dbronco
Level 1

Additionally, another guy on our team was doing some testing and found a pair of Firepowers on an older version of software today (6.6.1 vs 7.0.1). While testing that set, we can't get the 5 minute timeout to occur. 

Doing a comparison, I see that these lines are not in the 7.0.1 version

object network OutsideIPv4Gateway
 host 10.54.88.1
object network OutsideIPv4DefaultRoute
 subnet 0.0.0.0 0.0.0.0

As well as in the 6.6.1 version, I see

no monitor-interface service-module 

But in the 7.0.1 it is 

no monitor-interface inside_2
no monitor-interface inside_3
no monitor-interface inside_4
no monitor-interface inside_5
no monitor-interface inside_6
no monitor-interface inside_7
no monitor-interface inside_8
no monitor-interface inside-group
no monitor-interface service-module 

Are there any other major differences between 6.6.1 and 7.0.1 that might be causing this to occur? 


Thank you

dbronco
Level 1

The fix was upgrading to version 7.2. I didn't see anything in the release notes that would have impacted this, but we've confirmed it fixed the problem.