Problem ASA and Videoconference

Unanswered Question
Sep 15th, 2010

I'm needing some help related to one videoconference that i was setting up.

When i make the call for the videoconf the remote user says that he answer the call but for me keeps only ring , and when he make the call we can see everything but the remote user don't see me no sound nor video.

The only different thing that i got in the logs

Was one  Deny TCP (no connection) from xxx to xxx flags SYN ACK on interface xxx (i don't have the log for this one i know this is the error)


4 Sep 15 2010 11:18:57 313005     No matching connection for ICMP error message: icmp src INTERNET:201.31.X.X dst -DMZ01:189.43.X.X (type 3, code 3) on INTERNET interface.  Original IP payload: udp src 189.43.X.X/49152 dst 192.168.X.X/55844.

I have a static nat to  189.43.X.X

Do you guys have any ideia what might be causing it?

Thanks in Advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mvsheik123 Wed, 09/15/2010 - 09:55


Have you opened the necessary ports on the ASA for videoconference?  If you can post ASA config, someone will be able to help.



anunes1987 Wed, 09/15/2010 - 10:45

Thought about it but they are able to conect here and i can hear and

seeing video... ...

I found ond einformation on the net someone meybe can confirm if is really it

"(no connection) errors are generally caused when an IP device attempts to respond to a previously opened TCP/IP connection after the connection has 'timed out' in the firewall's stateful connection table.

This can happen for numerous reasons. The most common is that the connection timeout on the firewall is set to low. This can happen more specifically across slower LAN or WAN links or if a server is slow to respond to requests.

For example a client sends a SYN request to a server. The server takes to long to respond and the timeout set on the firewall closes the stateful connection because it has not detected at SYN-ACK response from the server within the timeout period set on the firewall. Therefore when the server finally sends the SYN-ACK packet, the firewall has already 'timed-out' the connection and so cannot match the packet sequence in its stateful connection table. As there is no match in the stateful table, the firewall reports the return packet as (no connection) and drops the traffic."

Marcin Latosiewicz Wed, 09/15/2010 - 11:32


The description is correct in general. It can happen when connection has timedout OR has otherwise been removed (RST for example).Note default TCP timeout is 1 HOUR.

Is the video conferencing relying on h323 for communication? I see inspection is on, that's already a good ;-)

What I would suggest - open up access-list for ALL traffic incomfing from that particular location on the ASA (the IP address you indicated as 201.31.X.X).

Please note that it will NOT affect any stateful aspects, just general pinholes not open scenario, BUT it will make a good test.



This Discussion