Hi everyone,
we've got a problem regarding the SIP Inspection Protocol Helper on the FWSM (Firmware 4.0(10)).
When initiating phone calls via VoIP (SIP), users reported a delay of about 2 secs before hearing the dial tone.
Looking at the firewall logfile at that time reveals Deny messages for the RTP data between our VoIP server
and the VoIP provider's gateway. They last exactly as long (about 2 secs) as the users told us:
09:18:12: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0, 0x0]
09:18:12: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0, 0x0]
(...)
09:18:15: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0, 0x0]
09:18:15: Deny udp src vlan123:<IP-VoIP-Provider-Gateway>/1234 dst vlan456:<IP-Our-VoIP-Server>/56789 by access-group "abc" [0x0, 0x0]
After those 2 seconds, we can see no more Deny messages. When doing a packet capture, we even see
normal traffic between the server and the gateway.
So it seems that when using the SIP Inspection Engine on the FWSM, we always have a delay before the
FWSM dynamically generates the ACEs needed for the RTP data.
My question to you is: have you ever seen that behaviour on your firewall?
Does anyone know if it's just the lame SIP Protocol Helper that needs a few secs for creating ACEs?
Or is it a bug that should be handled by the TAC guys?
Thanks in advance!
Regards,
Marco
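
Added example, not part of the original post: a Python script that groups Deny lines in the format quoted above by UDP flow and reports how long each burst lasts, so the window can be compared with the SIP signalling timestamps of the same call. The addresses are constructed documentation-range values; the 5-second gap that separates bursts and the time-only timestamps (no midnight rollover handling) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Deny line format quoted in the post (time-only timestamp).
DENY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): Deny udp "
    r"src (?P<sif>\S+?):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\S+?):(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def deny_bursts(lines, max_gap=timedelta(seconds=5)):
    """Group Deny lines per UDP flow into bursts; return one record per burst."""
    flows = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line.strip())
        if not m:
            continue  # anything that is not a UDP Deny line in this format
        key = (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["acl"])
        flows[key].append(datetime.strptime(m["ts"], "%H:%M:%S"))
    bursts = []
    for key, stamps in flows.items():
        stamps.sort()
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:]:
            if ts - prev > max_gap:  # silence longer than max_gap ends a burst
                bursts.append((key, start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        bursts.append((key, start, prev, count))
    bursts.sort(key=lambda b: b[1])
    return [{"flow": k, "first": s.strftime("%H:%M:%S"), "denies": n,
             "seconds": int((e - s).total_seconds())} for k, s, e, n in bursts]

# Constructed sample: two calls reusing the same RTP flow (assumed values).
DENY = ('Deny udp src vlan123:192.0.2.10/1234 '
        'dst vlan456:198.51.100.20/56789 by access-group "abc" [0x0, 0x0]')
SAMPLE = [f"{t}: {DENY}" for t in
          ("09:18:12", "09:18:12", "09:18:13", "09:18:15")]
SAMPLE += ["(...)"] + [f"{t}: {DENY}" for t in ("09:31:40", "09:31:42")]

if __name__ == "__main__":
    for b in deny_bursts(SAMPLE):
        print(b["first"], b["flow"], f'{b["denies"]} denies over {b["seconds"]}s')
```

A burst that starts right after each call setup and ends once the RTP pinhole exists shows up as one record per call with a similar duration.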