Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4430
Views
0
Helpful
4
Replies

ASA blocks Traffic non-SIP over SIP port 5060 (TCP) ?

CSCO10235163
Level 1
Level 1

‎02-03-2010 01:44 AM - edited ‎03-11-2019 10:04 AM

Hi all,

we experience this issue in our network:

a test probe is running ftp requests to a server in order to measure performance between two point of the network.

The ftp uses port TCP:5060 that is a well known port for SIP. The easy conclusion that it is a non sense and that this ftp test should change its connection port is not enough for some people, it is mandatory to make this test work with this configuration. We are trying to understand where should this dirty connection be aborted, the first security device is ASA. ASA has SIP inspection enabled and, as I understood, it considers UDP/TCP:5060 by default (even if in most cases SIP runs over UDP).. is it possible that this inspection block FTP traffic over SIP port? We would maintain SIP inspection active while enabling this FTP traffic: I found the SIP inspection parameter 'traffic-non-sip', could it help with our issue?

An additional information is that ftp client generates SYN but it doesn't receive any SYN ACK: if something blocks, it blocks from the very beginning of the connection.

Thanks a lot

Labels:
0 Helpful
4 Replies 4

Farrukh Haroon
VIP Alumni
VIP Alumni

‎02-07-2010 09:36 AM

SIP clients use both TCP or UDP (depending on the implementation), as stated here:

http://en.wikipedia.org/wiki/Session_Initiation_Protocol

Try disabling all SIP/VOIP related inspections and see if it helps.

Please rate if helpful.

Regards

Farrukh

0 Helpful

CSCO10235163
Level 1
Level 1
In response to Farrukh Haroon

‎02-10-2010 03:18 AM

Hi,

by disabling SIP inspection we make FTP connection on port 5060 work, but this is not what we desire: if we disabled SIP inspection, SIP connections wouldn't work anymore and we see such connections passing through our network.

Just to update what I wrote, by doing 'sh run all' I realized that non-sip traffic on sip port is enabled by default by ASA:

policy-map type inspect sip _default_sip_map
description Default SIP policymap
parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance

but it seems not to be enough.

Thanks

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to CSCO10235163

‎02-10-2010 04:12 AM

That command should do it (its enabled by default). I suspect you are hitting a bug.

I would recommend to open a TAC Case for this (if chaning the FTP port is not an option). There have been numerous bugs on ASA OS related to SIP inspection.


Regards

Farrukh

0 Helpful

lusandi
Level 1
Level 1

‎07-14-2011 09:09 AM

Did the problem got fixed?

Regards,

Luis Sandi

.:|:.:|:.

P.S Please mark this question as answered if it has been resolved. Do rate helpful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card