Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1218
Views
0
Helpful
1
Replies

SIP Inspection Required

Mark H
Level 1
Level 1

‎10-04-2011 07:16 PM

Hi everyone,

Do I need to enable SIP inspection as per this article?

We're trying a proof-of-concept install for the Cisco Mobile iPhone client and the Cisco Cius, since we do not have any corporate WiFi we're utilising the AnyConnect clients that are available on both via our ASA5510 appliances that are running 8.3(1). However, we are unable to make calls via the VPN and find that the call initially rings but the call isn't fully setup when answered (The calling side will just continue to ring).

I'm seeing TCP connections (See attached syslog messages) being denied for port 5060 on the basis that there is no existing connection as the previous TCP connection is torn down. Hoping I can get some confirmation here before giving it a go.

Thanks,

Mark

Labels:
114868-syslog.txt.zip
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-05-2011 07:18 AM

Mark,

Normally you do not need to have inspection over VPN:

1) Typically you do not have NAT over VPN (typically!)

2) All the traffic is allowed over VPN by default (there is a sysopt for VPN traffic to ignore ACLs)

Now if it really is a problem of inspection, it's hard to say.

Did you try skinny instead of SIP? (Just out of curiosity).

Marcin

0 Helpful
Customers Also Viewed These Support Documents