07-23-2008 07:30 AM - edited 03-11-2019 06:18 AM
Hello,
I am having the following issue with a videoconference call. I have an ASA-5520 in transparent firewall mode in the middle of a LAN connection between two campuses.
When I remove the firewall the videoconference works fine.
When the firewall is connected the call cannot be completed.
The call originating station first contacts a gatekeeper in order to establish the call. I captured the traffic between this station and the gatekeeper using a sniffer and I found that the problem is that apparently there are segments lost in the communication. This problem appears in every SYN,ACK packet received from the gatekeeper; therefore the station responds with a RST of the connection.
ASA is running software 8.0(2).
Does anybody know if there is some way to fix this issue from configuration?
I am completely sure there is no problem with access-lists and I am not inspecting H323, H225, ras, etc...
Attached is a copy of the sniffer capture.
07-23-2008 08:48 AM
Have you tried to enable inspection H323, H225, ras?
07-30-2008 03:42 PM
Yes, I tried enabling inspection and disabling TCP sequence randomization.
Still not working. Any ideas?
07-30-2008 06:17 PM
Try the 'invalid-ack' option, it drops by default:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238
Either enable it for this specific flow or for all traffic (to test).
Regards
Farrukh
08-13-2008 07:45 AM
After gathering several traffic captures, I have figured out that something in the inside network is messing with the ack number. Very weird problem, since I have only the VLAN interface in the 4506; everything else is an L2 switched network to the videoconference station.
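An added example, not part of any poster's message and not Cisco code: a Python check for the condition this thread turns on, that a SYN,ACK must acknowledge the client's initial sequence number plus one, run per capture point to see where along the path the ack goes wrong. The packet records, addresses and capture-point names are constructed for illustration.

```python
# Added example: verify SYN,ACK acknowledgment numbers per capture point.
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

# Constructed records (not from the thread's capture):
# (capture_point, src, dst, sport, dport, flags, seq, ack)
SAMPLE = [
    ("gatekeeper_side", "192.0.2.10", "192.0.2.20", 40001, 1720, "S", 1000, 0),
    ("gatekeeper_side", "192.0.2.20", "192.0.2.10", 1720, 40001, "SA", 5000, 1001),
    ("station_side", "192.0.2.10", "192.0.2.20", 40001, 1720, "S", 1000, 0),
    ("station_side", "192.0.2.20", "192.0.2.10", 1720, 40001, "SA", 5000, 7777),
    ("station_side", "192.0.2.10", "192.0.2.20", 40001, 1720, "R", 7777, 0),
    # Wrap-around case: ISN 0xFFFFFFFF must be acknowledged with 0.
    ("station_side", "192.0.2.10", "192.0.2.20", 40002, 1720, "S", 0xFFFFFFFF, 0),
    ("station_side", "192.0.2.20", "192.0.2.10", 1720, 40002, "SA", 9000, 0),
]


def check_handshakes(records):
    """Return one finding per SYN,ACK whose ack is not the client's ISN + 1.

    SYN and SYN,ACK are matched within the same capture point, so the check
    still holds if a firewall rewrites sequence numbers between the points.
    """
    client_isn = {}  # (point, client, server, client_port, server_port) -> ISN
    findings = []
    for point, src, dst, sport, dport, flags, seq, ack in records:
        if flags == "S":
            client_isn[(point, src, dst, sport, dport)] = seq
        elif flags == "SA":
            key = (point, dst, src, dport, sport)  # reverse direction of the SYN
            if key not in client_isn:
                continue  # SYN not seen at this point; nothing to compare
            expected = (client_isn[key] + 1) % MOD
            if ack != expected:
                findings.append({"point": point, "flow": key[1:],
                                 "expected_ack": expected, "seen_ack": ack})
    return findings


def first_bad_point(records, path):
    """path lists capture points from responder to initiator; return the first
    one where a SYN,ACK already carries a wrong ack, or None."""
    bad = {f["point"] for f in check_handshakes(records)}
    return next((p for p in path if p in bad), None)


if __name__ == "__main__":
    for f in check_handshakes(SAMPLE):
        print(f)
    print(first_bad_point(SAMPLE, ["gatekeeper_side", "station_side"]))
```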
08-13-2008 10:43 AM
So have you managed to resolve this issue?
Regards
Farrukh