TCP Acked lost segment - VideoConference Setup through ASA-5520

javiercastro · ‎07-23-2008

Hello,

I am having the following issue with a videoconference call. I have an ASA-5520 in transparent firewall mode in the middle of a LAN connections between two campus.

When I remove the firewall the videoconference works fine.

When the firewall is connected the call can not be completed.

The call originating station first contacts a gatekeeper in order to establish the call. I captured the traffic between this station and the gatekeeper using a sniffer and I found that the problem is that apparently there are segments lost in the communication. This problem appears in every SYN,ACK packet received from the gatekeeper, therefore the station responds with a RST of the connection.

ASA is running software 8.0(2).

Does anybody know if there is some way to fix this issue from configuration?

I am completely sure there is no problem with access-lists and I am not inspecting H323, H225, ras, etc...

Attached is a copy of the sniffer capture.

a.alekseev · ‎07-23-2008

have you tried to enable inspection H323, H225, ras?

javiercastro · ‎07-30-2008

Yes, I tried enabling inspection, disabling tcp sequence randomization.

Still not working. Any ideas?

Farrukh Haroon · ‎07-30-2008

Try the 'invalid-ack' option, it drops by default:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1066238

Either enable it for this specific flow or for all traffic (to test).

Regards

Farrukh

javiercastro · ‎08-13-2008

after several traffic captures gathered, I have figured out that something in the inside network is messing with the ack number. Very weird problem since I have only the Vlan interface in the 4506, everything else is L2 Switched network to the videoconference station.

Farrukh Haroon · ‎08-13-2008

So have you managed to resolve this issue?

Regards

Farrukh