Strange problem with Polycom on 5510

Mar 19th, 2010

Here is a basic layout of the network. There are 6 locations on an MPLS network that reside behind an ASA 5510 for internet. The ASA is the last resort for routing; all internal routing is handled by a core router in the MPLS infrastructure. At each site is a Polycom video phone. On the ASA are static 1:1 maps for each phone. If one site calls another via the mapped public IP, they work just fine, they are hairpinned on the ASA, everything is happy. When a call is placed to an outside IP, this is where things go screwy.



The ASA has version 8.2(2) installed on it.


The one we were working with is 192.168.2.15, mapped to public x.x.x.97. A call was placed internally to 140.242.250.205, which is a Polycom address. The ASA ACL has permit ip any to host, and icmp any to host, so basically nothing should be blocked. I can ping fine both ways, and see the correct translations, etc. However, when the call is initiated, I immediately get Deny TCP (no connection) on port 5060 from both the public mapped IP and the destination IP, in both directions.


I ran a capture that included both the public IPs and the private IPs in both directions. The capture came back with some interesting results. I see the packet enter the inside interface from the private IP, exit to the public IP, I see the return packet from the public IP hit the mapped public IP, but I do not see it being untranslated back to the private IP.


  4: 07:59:01.319548 140.242.250.205.5060 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>
   5: 07:59:04.290313 192.168.2.15.5060 > 140.242.250.205.5060: S 3833084348:3833084348(0) win 5840 <mss 1460,sackOK,timestamp 1803832 0,nop,wscale 5>
   6: 07:59:04.320234 140.242.250.205.5060 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>


When I run a PING though


  25: 07:43:59.257982 192.168.2.15 > 140.242.250.205: icmp: echo request
  26: 07:43:59.289520 140.242.250.205 > x.x.x.97: icmp: echo reply
  27: 07:43:59.289718 140.242.250.205 > x.x.x.97: icmp: echo reply
  28: 07:43:59.289825 140.242.250.205 > x.x.x.97: icmp: echo reply
  29: 07:43:59.289978 140.242.250.205 > 192.168.2.15: icmp: echo reply



Thinking it might have something to do with SIP and H.323 inspection, I bypassed the inspect using an ACL and class map that denied the private and public mapped IPs from the inspection and allowed all else. This is something we found we needed to do for secure FTP through the firewall. No joy though, same results.


It appears as if the incoming packet is not being untranslated back to the private IP, but I can't seem to find any reason why. From the capture I can see the external connections, but without the response back to the internal host, the connections are being dropped. One other thing I tried was increasing the DNS message length to 1500.



Any help on this would be appreciated.
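The capture excerpts above show the difference between the two protocols: for ICMP the reply from 140.242.250.205 is seen hitting x.x.x.97 and then again rewritten to 192.168.2.15, while for TCP/5060 the reply only ever reaches the mapped address. As an added example (not part of the original post or of any Cisco tool), here is a small Python script that parses ASA capture output in the format shown and reports, per protocol, whether a return packet to the mapped address was ever seen untranslated to the private host. The sample lines are copied from the post; the address arguments are the ones the post names.

```python
import re
from collections import defaultdict

# Sample input: capture lines copied from the post above, embedded inline so
# the script runs offline (masked public address x.x.x.97 kept as written).
CAPTURE = """\
4: 07:59:01.319548 140.242.250.205.5060 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>
5: 07:59:04.290313 192.168.2.15.5060 > 140.242.250.205.5060: S 3833084348:3833084348(0) win 5840 <mss 1460,sackOK,timestamp 1803832 0,nop,wscale 5>
6: 07:59:04.320234 140.242.250.205.5060 > x.x.x.97.5060: S 591883322:591883322(0) ack 3961120088 win 5840 <mss 1460,nop,nop,sackOK>
25: 07:43:59.257982 192.168.2.15 > 140.242.250.205: icmp: echo request
26: 07:43:59.289520 140.242.250.205 > x.x.x.97: icmp: echo reply
29: 07:43:59.289978 140.242.250.205 > 192.168.2.15: icmp: echo reply
"""

# ASA capture lines look like "<n>: <time> <src> > <dst>: <rest>"; for TCP the
# src/dst carry a trailing ".port", for ICMP they are bare addresses.
LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\s+>\s+([^:\s]+):\s*(.*)$")


def parse_line(line):
    """Return (proto, src_host, dst_host), or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("icmp"):
        return "icmp", src, dst
    # Strip the port suffix; the address may be masked (x.x.x.97), so split on
    # the last dot instead of parsing it as an IPv4 address.
    return "tcp", src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]


def check_untranslation(capture_text, private_ip, mapped_ip, remote_ip):
    """Per protocol: did a reply from remote_ip reach the mapped address, and
    was that reply ever seen rewritten to private_ip (the untranslated copy)?"""
    pairs = defaultdict(set)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt:
            proto, src, dst = pkt
            pairs[proto].add((src, dst))
    report = {}
    for proto, seen in pairs.items():
        hit_mapped = (remote_ip, mapped_ip) in seen
        untranslated = (remote_ip, private_ip) in seen
        report[proto] = {"reply_hit_mapped": hit_mapped,
                         "reply_untranslated": untranslated,
                         "nat_untranslate_missing": hit_mapped and not untranslated}
    return report


if __name__ == "__main__":
    print(check_untranslation(CAPTURE, "192.168.2.15", "x.x.x.97", "140.242.250.205"))
```

On the sample, the TCP entry reports the missing untranslation and the ICMP entry does not, which is exactly the asymmetry the post describes; the same function can be pointed at a longer capture to confirm the pattern holds across all frames.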

Diego Armando C... Mon, 03/22/2010 - 09:04

Can you post the topology so we can understand the scenario better? And just to check, can you also run a capture with the ASP option.


Capture test type asp all.
