
SIP traffic through ASA 5520 (Teardown UDP connection)

m.samouka
Level 1

Dear All,

It will be great if someone can help me to understand the cause of the below problem:

I have a VPN tunnel between my ASA 5520 and another device.

The tunnel is up and there are no problems in that. I have a SIP device behind my ASA and another one behind the other device (no specific details about the other side since it is with a client).

I have allowed the (ICMP & IP) traffic to pass through the tunnel, and I successfully can ping from my SIP the client's SIP through the tunnel.

When I try to make a SIP call over the tunnel it fails.

After troubleshooting I found the below results:

1- the traffic never goes through the tunnel (the number of packets does not increase when I try to make a call, although it increases when I ping the other side)

2- When I made a test using the ASDM (Packet tracer) the result is successful (the traffic is NATed and allowed (passed the access list) and goes through the VPN tunnel).

3- the below results are the output of the logging of my ASA:

6|Nov 23 2008|11:00:24|305011|10.43.11.86|39421|62.Y.98.30|10932|Built dynamic UDP translation from Voice:10.43.11.86/39421 to outside(Voice_nat_outbound):62.Y.98.30/10932

6|Nov 23 2008|11:00:24|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 476764 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/10932)

6|Nov 23 2008|11:00:24|305011|10.43.11.86|5060|62.Y.98.30|43072|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/43072

6|Nov 23 2008|11:00:24|302016|63.x.0.102|5060|10.43.11.86|39421|Teardown UDP connection 476764 for outside:63.x.0.102/5060 to Voice:10.43.11.86/39421 duration 0:00:00 bytes 0

6|Nov 23 2008|11:00:24|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 476765 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/10932)

6|Nov 23 2008|11:00:24|302016|63.x.0.102|5060|10.43.11.86|39421|Teardown UDP connection 476765 for outside:63.x.0.102/5060 to Voice:10.43.11.86/39421 duration 0:00:00 bytes 0

6|Nov 23 2008|11:00:25|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 476766 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/10932)

6|Nov 23 2008|11:00:25|302016|63.x.0.102|5060|10.43.11.86|39421|Teardown UDP connection 476766 for outside:63.x.0.102/5060 to Voice:10.43.11.86/39421 duration 0:00:00 bytes 0

Where:

10.43.11.86 : My SIP private IP

62.Y.98.30: My SIP Public IP (NATed by my ASA)

63.x.0.102: Client's SIP Signaling IP.

I would really appreciate it if someone can explain why the call is unsuccessful and the traffic is not passed through the tunnel, and the meaning of the: Teardown UDP connection.

Thanks in advance for all…

6 Replies

mvsheik123
Level 7

It worked for me with H.323 but not sure about SIP... do you have 'inspect sip' in ASA configs..? Take it out and give a try.

hth

MS

Hi,

I think there is a bit of progress in that; when I removed the "Inspect SIP" the traffic is successfully passed through the VPN tunnel (# of bytes increased in the tunnel) where this was a problem before this change. But the call is still not successful & the below output is received (different from the first output in my first post):

6|Nov 24 2008|08:11:34|305011|10.43.11.86|5060|62.Y.98.30|31875|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/31875

6|Nov 24 2008|08:11:36|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 511462 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/22931)

6|Nov 24 2008|08:11:38|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511702 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0

6|Nov 24 2008|08:11:42|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511703 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0

6|Nov 24 2008|08:11:46|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511705 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0

6|Nov 24 2008|08:11:50|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511709 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0

The difference is that I send only one (Built outbound UDP connection) and then multiple (Teardown) while before it was one (Build) then one (Teardown).

I still don't get it!!...
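
One way to summarise log excerpts like the two above, as an added example that is not part of the original posts: it reads the pipe-delimited export, pairs each 302016 teardown with its 302015 build by connection ID, and reports UDP connections torn down with 0 bytes, noting whether both ends sit on the same interface. The six input lines are copied from the excerpts above; the function and field names are this example's own.

```python
import re

# Constructed input: six lines copied from the two log excerpts in the posts
# above (the x / Y address masking is the poster's own).
SAMPLE_LOG = """\
6|Nov 23 2008|11:00:24|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 476764 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/10932)
6|Nov 23 2008|11:00:24|302016|63.x.0.102|5060|10.43.11.86|39421|Teardown UDP connection 476764 for outside:63.x.0.102/5060 to Voice:10.43.11.86/39421 duration 0:00:00 bytes 0
6|Nov 23 2008|11:00:24|305011|10.43.11.86|5060|62.Y.98.30|43072|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/43072
6|Nov 24 2008|08:11:36|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 511462 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/22931)
6|Nov 24 2008|08:11:38|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511702 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
6|Nov 24 2008|08:11:42|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511703 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
"""

BUILT = re.compile(r"Built (?:inbound|outbound) UDP connection (\d+) ")
TEARDOWN = re.compile(
    r"Teardown UDP connection (\d+) for ([^:\s]+):(\S+)/(\d+) to ([^:\s]+):(\S+)/(\d+)"
    r" duration (\d+):(\d\d):(\d\d) bytes (\d+)")

def dead_udp_flows(log_text):
    """Return UDP connections torn down with 0 bytes, in log order."""
    built, findings = set(), []
    for line in log_text.splitlines():
        fields = line.split("|", 8)         # 8 columns, then the message text
        if len(fields) != 9:
            continue                        # skip blank or truncated lines
        msg_id, text = fields[3], fields[8]
        if msg_id == "302015":
            m = BUILT.search(text)
            if m:
                built.add(m.group(1))
        elif msg_id == "302016":
            m = TEARDOWN.search(text)
            if not m or int(m.group(11)) != 0:
                continue
            conn, if_a, ip_a, port_a, if_b, ip_b, port_b = m.groups()[:7]
            findings.append({
                "conn": conn,
                "time": f"{fields[1]} {fields[2]}",
                "src": f"{if_a}:{ip_a}/{port_a}",
                "dst": f"{if_b}:{ip_b}/{port_b}",
                "built_seen": conn in built,      # matching 302015 in this input?
                "same_interface": if_a == if_b,   # e.g. outside -> outside
            })
    return findings

if __name__ == "__main__":
    for finding in dead_udp_flows(SAMPLE_LOG):
        print(finding)
```

On this input the first excerpt's teardown pairs with a build toward the Voice interface, while the second excerpt's teardowns have no build record in the input and run from outside to outside toward the translated address on port 5060.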

Hi,

I understand you have no control over the client side device. But this needs to be worked from the client end as well. Have them check their configs as well. But let's see if any other member can shed some light on the issue.

MS

Hi all,

I have managed to overcome this problem, it seems that there is a problem in the Dynamic NATTing.

The problem now is that the SIP signaling traffic is now completed but the RTP is not opened.

After troubleshooting I found that inside the SIP/SDP packet the IP of the device (Avaya MedPro) that the RTP session will be created to is correct, but instead of its real IP it is its private IP.

As a result the other end will never be able to establish an RTP session with it.

Is there any idea how I can overcome this problem?
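
A check for the condition described in the post above, as an added example that is not part of the original thread: it reads the SDP body of a SIP message and reports any o= or c= address that falls in RFC 1918 space. The INVITE is constructed for illustration; 10.43.11.90 is a hypothetical private media address, and 198.51.100.30 and 203.0.113.102 are documentation addresses standing in for the NAT address and the far end.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE (not from the thread); every address is a placeholder,
# 10.43.11.90 being a hypothetical private media address.
SAMPLE_INVITE = (
    "INVITE sip:1000@203.0.113.102 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.30:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:2000@198.51.100.30>;tag=1\r\n"
    "To: <sip:1000@203.0.113.102>\r\n"
    "Call-ID: constructed-1@198.51.100.30\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 198.51.100.30\r\n"
    "s=-\r\n"
    "c=IN IP4 10.43.11.90\r\n"
    "t=0 0\r\n"
    "m=audio 2050 RTP/AVP 0 8\r\n"
)

def private_media_addresses(sip_message):
    """Return SDP o=/c= addresses that fall inside RFC 1918 space."""
    _, _, body = sip_message.partition("\r\n\r\n")
    findings, scope = [], "session"
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        parts = value.split()
        if kind == "m" and len(parts) >= 2:
            scope = f"{parts[0]} port {parts[1]}"   # later c= lines are media-level
            continue
        if kind == "o" and len(parts) == 6:
            addr_type, addr = parts[4], parts[5]
        elif kind == "c" and len(parts) == 3:
            addr_type, addr = parts[1], parts[2].split("/")[0]  # drop multicast TTL
        else:
            continue
        if addr_type != "IP4":
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                # FQDN, not an address literal
        if any(ip in net for net in RFC1918):
            findings.append({"line": kind, "scope": scope, "address": addr})
    return findings
```

Running it on a capture taken on the outside of the NAT device shows whether the media address was rewritten before the message left the site.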

Can you post the 2 devices configuration please?

Regards,

Luis Sandi


P.S Please mark this question as answered if it has been resolved. Do rate helpful posts.

Hello friends,

Please allow me to resurrect this old post. I had a similar issue, with asymmetric traffic; it seems that the ASA was dropping UDP DNS packets. I have removed the DNS from inspection and now it is working. I would like to receive a brief explanation about what inspection affects when asymmetric traffic is happening.

Regards!
