SIP over VPN not working

Unanswered Question
Jul 10th, 2012

Hi,


We have an ASA running 8.2.2 (ASDM 6.2.5). VPN connections are working well.

But it's not possible to use a SIP client (phone or software) through an SSL tunnel.


So today I've tried to look in detail at this problem. I installed an Ubuntu system, openconnect and ekiga as softphone. In our network everything is working without any error. I used an external DSL connection to test everything over the VPN tunnel. I can ping the SIP server and I can access the https frontend of the SIP server. The client "seems" to connect as well. I can call the ekiga client, it's ringing and I can speak and hear everything (most times).

Dialing from the ekiga client ALWAYS fails.


On the ASA there is no policy allowing or denying those connections.


a) How can I trace it on the ASA ?

b) Has anybody seen this behavior? (only one-way communication)


Thanks and bye, Peer

manish arora Tue, 07/10/2012 - 10:56

Hello Peer,

You can use the packet capture function on the ASA to see and capture traffic coming into the ASA and leaving the ASA.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml


You can also use the packet-tracer feature to mock a connection and see if it's passing the firewall as expected.


https://supportforums.cisco.com/docs/DOC-5796


This will provide you with extra insight into how the firewall is treating the traffic once it's received on the internal or external interfaces.

Thank you


Manish

Dinkar Sharma (Cisco Employee) Tue, 07/10/2012 - 15:42

Hi,


In general you do not require SIP inspection enabled on traffic flowing via VPN, as we do not require dynamic pinholes to be opened and no NAT is required at layer 7. I would suggest disabling SIP inspection for this specific host and then trying to connect.


So go ahead and disable inspection for traffic coming via VPN tunnel.

access-list test extended deny ip 172.16.10.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list test extended deny ip 172.17.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list test extended permit ip any any

(make sure you have "permit ip any any" last, to allow the rest of the traffic to be inspected)

class-map inspection_default
 match access-list test

Regards,

Dinkar
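The two answers above fit together as one troubleshooting sequence: capture and packet-tracer to see how the ASA treats the SIP flow, then the inspection exemption, then the same checks again. The following is an added example for ASA 8.2, not a configuration from either poster or from Cisco. The addresses are placeholders taken from Dinkar's ACL and extended here: the VPN pool 172.16.10.0/24 with the openconnect client at 172.16.10.50, the SIP server 172.17.10.20 in 172.17.10.0/24, interfaces named outside and inside, and a TFTP server at 192.168.1.5 are all assumptions. Lines beginning with ! are comments; enter the rest in configuration mode.

```text
! --- Added example for ASA 8.2: trace the SIP flow, then exempt it from inspection ---
! Assumed placeholders (not from the thread): VPN pool 172.16.10.0/24 with the
! openconnect client at 172.16.10.50, SIP server 172.17.10.20 in 172.17.10.0/24,
! interfaces named outside/inside, TFTP server 192.168.1.5.

! 1. Capture both directions of the client<->server traffic on both interfaces.
!    For SSL VPN clients the outside capture shows the decrypted packets as well,
!    so you see the SIP REGISTER/INVITE itself, not only the TLS tunnel.
access-list CAP_SIP extended permit ip host 172.16.10.50 host 172.17.10.20
access-list CAP_SIP extended permit ip host 172.17.10.20 host 172.16.10.50
capture sip_out interface outside access-list CAP_SIP buffer 1000000
capture sip_in  interface inside  access-list CAP_SIP buffer 1000000

! Now place the failing call from ekiga, then look at what reached each side.
show capture sip_out
show capture sip_in
! A packet that appears in sip_out but never in sip_in was dropped by the ASA;
! the accelerated security path counters say why:
show asp drop

! Export for Wireshark (the /pcap option writes a libpcap file).
copy /pcap capture:sip_out tftp://192.168.1.5/sip_out.pcap
copy /pcap capture:sip_in  tftp://192.168.1.5/sip_in.pcap

! 2. Simulate the SIP signalling packet through ACLs, NAT and inspection.
!    Caveat: packet-tracer injects a cleartext packet on "outside"; it does not
!    replay the SSL decryption, so it tells you how the policy treats the flow,
!    not whether the tunnel delivered it.
packet-tracer input outside udp 172.16.10.50 5060 172.17.10.20 5060 detailed

! 3. Check whether SIP inspection is touching the flow at all.
show service-policy inspect sip
show conn address 172.16.10.50

! 4. Exclude the VPN pool <-> SIP subnet flows from the default inspection class.
!    Both directions are listed because the ACL is matched against each packet;
!    a deny entry means "not in this class", the final permit keeps inspecting
!    everything else. match default-inspection-traffic is already present in
!    inspection_default by default; it is repeated here so the class is complete.
access-list test remark Exempt VPN pool <-> SIP subnet from inspection
access-list test extended deny ip 172.16.10.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list test extended deny ip 172.17.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list test extended permit ip any any
class-map inspection_default
 match default-inspection-traffic
 match access-list test

! 5. Re-run the call and confirm: the SIP inspect counters should stop increasing
!    for this pair, and packet-tracer should no longer show an INSPECT phase.
show run class-map inspection_default
show service-policy inspect sip
packet-tracer input outside udp 172.16.10.50 5060 172.17.10.20 5060 detailed

! 6. Remove the captures when done; they consume memory while active.
no capture sip_out
no capture sip_in
clear configure access-list CAP_SIP
```

If the captures show the INVITE from the ekiga client leaving on the inside interface and a response coming back, but the call still fails, the ASA is not the drop point and the next place to look is the SIP server's logs for that REGISTER/INVITE; if the packets vanish between sip_out and sip_in, show asp drop and the packet-tracer output name the phase that discarded them.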
