07-23-2008 07:30 AM - edited 03-11-2019 06:18 AM
Hello,
I am having the following issue with a videoconference call. I have an ASA-5520 in transparent firewall mode in the middle of a LAN connection between two campuses.
When I remove the firewall the videoconference works fine.
When the firewall is connected the call cannot be completed.
The call originating station first contacts a gatekeeper in order to establish the call. I captured the traffic between this station and the gatekeeper using a sniffer and I found that the problem is that apparently there are segments lost in the communication. This problem appears in every SYN,ACK packet received from the gatekeeper, therefore the station responds with a RST of the connection.
ASA is running software 8.0(2).
Does anybody know if there is some way to fix this issue from configuration?
I am completely sure there is no problem with access-lists and I am not inspecting H323, H225, RAS, etc.
Attached is a copy of the sniffer capture.
07-23-2008 08:48 AM
Have you tried to enable inspection of H323, H225, RAS?
07-30-2008 03:42 PM
Yes, I tried enabling inspection and disabling TCP sequence randomization.
Still not working. Any ideas?
07-30-2008 06:17 PM
Try the 'invalid-ack' option; it drops by default:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238
Either enable it for this specific flow or for all traffic (to test).
Regards
Farrukh
08-13-2008 07:45 AM
After gathering several traffic captures, I have figured out that something in the inside network is messing with the ack number. Very weird problem, since I have only the VLAN interface in the 4506; everything else is an L2 switched network to the videoconference station.
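A check for the symptom discussed in this thread (a SYN,ACK whose ack number the station answers with a RST), as an added example that is not part of any post. The `Pkt` record, the addresses, port 1720 and the sample packets are constructed assumptions; real input would come from the fields of a capture export.

```python
from collections import namedtuple

# Minimal TCP header view (hypothetical record, filled from a capture export).
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def check_handshakes(packets):
    """Return one finding per SYN,ACK whose ack number is not client ISN + 1."""
    pending = {}   # (client, cport, server, sport) -> client ISN taken from the SYN
    findings = []
    for p in packets:
        flags = set(p.flags.split(","))
        if flags == {"SYN"}:
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq
        elif flags == {"SYN", "ACK"}:
            key = (p.dst, p.dport, p.src, p.sport)
            if key not in pending:
                continue  # the SYN is not in this capture, nothing to compare
            expected = (pending[key] + 1) % MOD
            if p.ack != expected:
                findings.append({"flow": key, "expected_ack": expected,
                                 "seen_ack": p.ack,
                                 "delta": (p.ack - expected) % MOD,
                                 "client_reset": False})
        elif "RST" in flags:
            # A RST from the client on a flagged flow confirms it rejected the SYN,ACK.
            for f in findings:
                if f["flow"] == (p.src, p.sport, p.dst, p.dport):
                    f["client_reset"] = True
    return findings


# Constructed sample as seen at the station: one clean handshake, one with a bad ack.
SAMPLE = [
    Pkt("192.0.2.10", 40001, "192.0.2.50", 1720, "SYN", 1000, 0),
    Pkt("192.0.2.50", 1720, "192.0.2.10", 40001, "SYN,ACK", 77000, 1001),
    Pkt("192.0.2.10", 40001, "192.0.2.50", 1720, "ACK", 1001, 77001),
    Pkt("192.0.2.10", 40002, "192.0.2.50", 1720, "SYN", 4294967295, 0),
    Pkt("192.0.2.50", 1720, "192.0.2.10", 40002, "SYN,ACK", 88000, 5321),
    Pkt("192.0.2.10", 40002, "192.0.2.50", 1720, "RST", 5321, 0),
]

if __name__ == "__main__":
    for finding in check_handshakes(SAMPLE):
        print(finding)
```

Running the same check on captures taken on each side of the firewall shows on which segment the ack number stops matching the station's initial sequence number.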
08-13-2008 10:43 AM
So have you managed to resolve this issue?
Regards
Farrukh