New Member

ASA 5505 SIP Inspection fails to NAT OK to Reinvite

I am looking for some help.  I have a problem with a configuration in my lab.  I am using a Cisco ASA 5505 with 9.1.4-k8.  I am trying to route a SIP call into a device in my lab.  What happens is that the Invite from the provider is received, the OK is sent back and the ACK received for the OK and the SIP Inspect seems to be working on the ASA to Dynamic NAT the media ports.

The problem is that when the inside user shuffles or modifies the SDP with a re-invite, the ACK to the 200 from this reinvite seems to be a problem.

  1. Invite sent to the provider
  2. Provider responds with trying then 200OK but the 200OK is NOT NAT'd for the VIA address.

The VIA contains the IP of the external interface of the ASA and not the Internal NAT’d address.

I found this article that seems close, but the bug was supposedly already fixed and the bug description speaks to the INVITE and not the ACK to the OK.

https://supportforums.cisco.com/thread/2116906

If you have any ideas I would be grateful.  If I need to provide captures, I can do that too.

3 REPLIES
Cisco Employee

Hi Shane,

Would you be able to provide the captures from the ASA device for the ingress and egress interfaces for simultaneous traffic?

Also, please provide the complete IP information as well.

Thanks and Regards,

Vibhor

New Member

I have a Debug at this point, if it would help

I am concerned about publishing internal IP addresses as well as external addresses, although it may be unfounded. I will send if you think it is best. I can send to you the SIP DEBUG. I also have an unlisted YouTube video that might help explain that I have attached for your benefit. I will also post the debug to the discussion.

http://www.youtube.com/watch?v=13cSwE5IDfs

The DEBUG:

192.168.1.20 = Conferencing SIP Server

192.168.1.23 = Conferencing Media Gateway

192.168.1.43 = SIP Server

1.1.1.1 = ASA External Interface

2.2.2.2 = Provider SIP Server

3.3.3.3 = Provider Media Gateway

2223334444 = Origination

3334445555 = Destination

SIP::INVITE received from inside250:192.168.1.43/5060 to outside:2.2.2.2/5060

SIP::regex engine has reached end of packet

SIP::Found CSeq 103 INVITE

SIP::Found URI in request line "sip:222333444@3.3.3.3:5080" (34)

SIP::Found valid SIP URI: sip:13334445555@sip.home.artieman.com

SIP::Found From addr "sip:13334445555@sip.home.artieman.com" (37)

SIP::Found From addr tag "78971e00-a0d3-11e3-9ba1-000c29701f56" (36)

SIP::Found valid SIP URI: sip:222333444@2.2.2.2

SIP::Found To addr "sip:222333444@2.2.2.2" (29)

SIP::Found To addr tag "as77c6960f" (10)

SIP::Found Via branch "z9hG4bK902002006943299-AP" (25)

SIP::Found Via addr "SIP/2.0/UDP 192.168.1.43;rport;branch=z9hG4bK902002006943299-AP;ft=192.168.1.43~13c4" (88)

SIP::Found Max-Forwards 66

SIP::Found Call-ID 275e8be8300411d272df422526f91d0d@3.3.3.3 (47)

SIP::Found valid SIP URI: sip:8000@192.168.1.23:5060

SIP::Found Contact sip:8000@192.168.1.23:5060

SIP::Found Content-type application/sdp

SIP::Found Content-length 387

Found port 5080

SIP::Found User-Agent

Via Port 5060

Found port 15060

Via Port 15060

Via Port 5060

Found port 5060

Via Port 5060

Found port 5060

SIP::Not updating database for Contact 192.168.1.23/5060, registry database total 0

SIP::Found Call-Info

Found port 443

Found more URIs in the call_info field.

Found port 5060

Found more URIs in the call_info field.

SIP: Media port 14002

SIP::session level connection addr 192.168.1.20, media port 14002

SIP::media level connection addr 192.168.1.20, media port 14002

SIP::Embedded media port 14002 found in SDP with session IP 192.168.1.20

SIP::Audio port 14002 found in SDP

SIP::Non-session level connection addr 192.168.1.20, media port 14002

SIP::State Machine: New Request '103 INVITE' received on existing transaction, Deleting existing transaction

Deleted SIP Transaction

Call-ID: 275e8be8300411d272df422526f91d0d@3.3.3.3 (47)

CSeq: 103 INVITE

Branch: z9hG4bK902002006943299-AP

Created SIP Transaction for inside250:192.168.1.43/5060 to outside:2.2.2.2/5060

Call-ID: 275e8be8300411d272df422526f91d0d@3.3.3.3 (47)

CSeq: 103 INVITE

Branch: z9hG4bK902002006943299-AP

SIP::Adding early RTP conn 3.3.3.3/* to 192.168.1.20/14002

SIP:: Forward 2730 bytes, total 2730

SIP::200 received from outside:2.2.2.2/5060 to inside250:192.168.1.43/5060

Via Port 0

Found port 15060

Via Port 15060

Via Port 0

Found port 19142

Via Port 19142

SIP::Found Server

Found port 5080

SIP: Media port 14228

SIP::session level connection addr 3.3.3.3, media port 14228

SIP::media level connection addr 3.3.3.3, media port 14228

SIP::Embedded media port 14228 found in SDP with session IP 3.3.3.3

SIP::Audio port 14228 found in SDP

SIP::regex engine has reached end of packet

SIP::Found CSeq 103 INVITE

SIP::Found valid SIP URI: sip:13334445555@sip.home.artieman.com

SIP::Found From addr "sip:13334445555@sip.home.artieman.com" (37)

SIP::Found From addr tag "78971e00-a0d3-11e3-9ba1-000c29701f56" (36)

SIP::Found valid SIP URI: sip:222333444@2.2.2.2

SIP::Found To addr "sip:222333444@2.2.2.2" (29)

SIP::Found To addr tag "as77c6960f" (10)

SIP::Found Via branch "z9hG4bK902002006943299-AP" (25)

SIP::Found Via addr "SIP/2.0/UDP 1.1.1.1;rport=5060;branch=z9hG4bK902002006943299-AP;ft=192.168.1.43~13c4" (92)

SIP::Found Call-ID 275e8be8300411d272df422526f91d0d@3.3.3.3 (47)

SIP::Found valid SIP URI: sip:222333444@3.3.3.3:5080

SIP::Found Contact sip:222333444@3.3.3.3:5080

SIP::Found Content-type application/sdp

SIP::Found Content-length 327

SIP::RTP/RTCP conn not allocated for 3.3.3.3/14228 to 3.3.3.3

SIP::RTP/RTCP conn not allocated for 3.3.3.3/14228 to 3.3.3.3

SIP:: Unable to open a pinhole for ACK messageSIP:: Forward 1232 bytes, total 1232

SIP:found content length 43, ctx->dlen 112
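
The debug above can be reduced to the fields that matter for this problem. The following is an added example, not part of the original thread and not Cisco tooling: a small Python parser for the `debug sip` line formats shown in the post. It records the Via host, SDP endpoint and inspection warnings per message, and pairs each response with the request on the same Via branch. The function and field names are hypothetical, and the sample is an excerpt of the posted lines.

```python
import re

# Excerpt of the debug lines posted above (addresses as anonymized in the post).
SAMPLE = '''\
SIP::INVITE received from inside250:192.168.1.43/5060 to outside:2.2.2.2/5060
SIP::Found Via branch "z9hG4bK902002006943299-AP" (25)
SIP::Found Via addr "SIP/2.0/UDP 192.168.1.43;rport;branch=z9hG4bK902002006943299-AP;ft=192.168.1.43~13c4" (88)
SIP::session level connection addr 192.168.1.20, media port 14002
SIP::200 received from outside:2.2.2.2/5060 to inside250:192.168.1.43/5060
SIP::session level connection addr 3.3.3.3, media port 14228
SIP::Found Via branch "z9hG4bK902002006943299-AP" (25)
SIP::Found Via addr "SIP/2.0/UDP 1.1.1.1;rport=5060;branch=z9hG4bK902002006943299-AP;ft=192.168.1.43~13c4" (92)
SIP::RTP/RTCP conn not allocated for 3.3.3.3/14228 to 3.3.3.3
SIP:: Unable to open a pinhole for ACK messageSIP:: Forward 1232 bytes, total 1232
'''

START = re.compile(r'^SIP::(\S+) received from ([^:\s]+):([\d.]+)/\d+ to ([^:\s]+):([\d.]+)/\d+')
VIA = re.compile(r'^SIP::Found Via addr "SIP/2\.0/\w+ ([^;:"\s]+)')
BRANCH = re.compile(r'^SIP::Found Via branch "([^"]+)"')
SDP = re.compile(r'^SIP::session level connection addr ([\d.]+), media port (\d+)')
WARN = re.compile(r'conn not allocated|Unable to open a pinhole')

def parse_debug(text):
    """Split debug output into one record per SIP message logged by the inspection engine."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        m = START.match(line)
        if m:  # "SIP::<method or status> received from <if>:<ip>/<port> to ..."
            msgs.append({"msg": m[1], "from_if": m[2], "src": m[3], "dst": m[5],
                         "branch": None, "via": None, "sdp": None, "warnings": []})
            continue
        if not msgs: continue  # lines before the first message header
        cur = msgs[-1]
        if (m := BRANCH.match(line)): cur["branch"] = m[1]
        elif (m := VIA.match(line)): cur["via"] = m[1]
        elif (m := SDP.match(line)): cur["sdp"] = (m[1], int(m[2]))
        elif WARN.search(line): cur["warnings"].append(line)
    return msgs

def via_changes(msgs):
    """Responses whose logged Via host differs from the request's on the same branch."""
    # Assumption: the debug prints header values as parsed from the received packet.
    req = {m["branch"]: m for m in msgs if not m["msg"].isdigit()}
    return [(m["msg"], m["from_if"], req[m["branch"]]["via"], m["via"])
            for m in msgs if m["msg"].isdigit() and m["branch"] in req
            and req[m["branch"]]["via"] != m["via"]]
```

Running `via_changes(parse_debug(...))` over the full debug gives the request/response Via pairs to check against the inside-interface capture, and each record's `warnings` list shows which message the pinhole and RTP allocation errors belong to.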

Cisco Employee

Hi Shane,

Would you be able to send me the captures for the time when the issue is seen on both interfaces of the ASA device?

You can also email it: vamrodia@cisco.com

Thanks and Regards,

Vibhor
