Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
503
Views
0
Helpful
3
Replies

VPN Problem

Reyad Safi
Level 1
Level 1

‎10-23-2010 01:14 PM

Hi Experts

im facing a problems on my ASA 5520 , some remote offices ip phones become reconfiguring from time to time randomly inspite of i can ping and telnet the remote router. and also from time to time some remote offices become unreachable ( not pingable ) inspite of the VPN tunnel up on both sides (ASA & Remote router ) , so i need your help if there's any effect for the INSPECTION COMMANDS ON ASA for these problems.

the inspections configuration is :

policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

thanks for help in advanced

Reyad

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-23-2010 03:12 PM

Reyad,

Out of curiosity, how did you conclude the problem is on the ASA and with inspection commands?

What do you call a tunnel up, both IKE and IPsec are up and encaps/decaps increasing?

What protocol are you using for your IP phones? How are they connecting? Phone proxy? IPsec VPN?

It's clear that the problem is not yet well rounded up, I'd suggest to:

- gather logs on informational level

- spot any possible correlation between connectivty/reregistration events.

- attach show tech of the ASA.

Maybe the registration problem is related to SIP or skinny connection timeing out?

Marcin

0 Helpful

Reyad Safi
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-23-2010 11:37 PM

Dear Marcin

thank you for your reply

i conclude the problem on the ASA inspection becouse i have another ASA , the configured inspections differ from this and we didn't face any problem related to IP phones reconfiguring.

the tunnel is UP and IKE and IPSEC up and yes the encap/decap increased.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Reyad Safi

‎10-24-2010 01:45 AM

Reyad,

And other questions? It's not clear to my how you connect your phones and what protocol they are using... not clear to me how often this happens for particular phone.

ciscoasa# sh run timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Maybe you could try to increase some of the values to see if that will help...

Are you positive you need skinny or SIP DPI there?

Marcin

0 Helpful
Customers Also Viewed These Support Documents