Hi All!
I've got an ASA running 8.2(1) supporting 30-40 Avaya VPNremote phones. These phones emulate the Cisco VPN client.
They connect without event, and can place/receive calls with no problem - most of the time.
Periodically they will reboot without apparent cause.
A capture on the ASA reveals that the ASA sends an ICMP TTL-exceeded to the phone in response to certain packets sent by the phone.
i.e. phone is at 192.168.78.133, Avaya system is on the inside at 192.168.201.X. ASA Inside interface is 172.25.2.1.
See below - phone sends packet to Avaya on UDP/33435, then ASA decides to send a TTL-exceeded back to the phone (192.168.78.133).
I saw this problem prior to disabling inspect h323.
Any ideas? I do see that UDP/33435 is the default port that UNIX traceroute will send to.
Here's my inspect config:
policy-map global_policy
class inspection_default
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp error
inspect mgcp
inspect pptp
inspect ctiqbe
inspect snmp
inspect icmp
inspect ils
inspect dns
!
Here's the capture:
335: 10:18:40.032346 192.168.78.133.5749 > 192.168.201.15.1720: . ack 4194325055 win 8140 <nop,nop,timestamp 118171 32938776>
336: 10:18:40.033628 192.168.201.15.1720 > 192.168.78.133.5749: P 4194325055:4194325381(326) ack 2907638830 win 8192 <nop,nop,timestamp 32938776 118171>
337: 10:18:40.151695 192.168.78.133.5749 > 192.168.201.15.1720: . ack 4194325381 win 7870 <nop,nop,timestamp 118171 32938776>
338: 10:18:47.290497 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
339: 10:18:50.070156 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
340: 10:18:50.221042 192.168.78.133.56176 > 192.168.201.32.33435: udp 8
341: 10:18:50.221424 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
342: 10:18:50.337003 192.168.78.133.56176 > 192.168.201.32.33436: udp 8
343: 10:18:50.337171 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
344: 10:18:50.452475 192.168.78.133.56176 > 192.168.201.32.33437: udp 8
345: 10:18:50.452765 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
346: 10:18:50.568345 192.168.78.133.56176 > 192.168.201.32.33438: udp 8
347: 10:18:50.573243 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33438 unreachable
348: 10:18:50.688700 192.168.78.133.56176 > 192.168.201.32.33439: udp 8
349: 10:18:50.692362 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33439 unreachable
350: 10:18:50.807850 192.168.78.133.56176 > 192.168.201.32.33440: udp 8
351: 10:18:50.811267 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33440 unreachable
352: 10:18:56.959270 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
353: 10:18:59.717827 192.168.78.133.5749 > 192.168.201.15.1720: . ack 4194325381 win 8192
354: 10:18:59.718743 192.168.201.15.1720 > 192.168.78.133.5749: . ack 2907638830 win 8192 <nop,nop,timestamp 32938815 118171>
355: 10:19:03.768408 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
356: 10:19:03.946377 192.168.201.15.1720 > 192.168.78.133.5749: P 4194325381:4194325438(57) ack 2907638830 win 8192 <nop,nop,timestamp 32938824 118171>
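As an added example (not part of the original post and not Avaya's or Cisco's code), the following Python script parses the ASA capture text above, pulls out the UDP packets sent to the traceroute port range, and pairs each with the ICMP reply that follows it. The pattern it reports, consecutive destination ports starting at 33435, the first three answered by the ASA inside interface with time-exceeded and the next three answered by 192.168.201.32 with port-unreachable, is the hop-by-hop signature of a UDP traceroute, where the intermediate hop answers the TTL-limited probes and the destination answers once the probes reach it. The regular expressions assume the ASA text capture format shown in the post; the port range 33434-33534 is the conventional traceroute range and is an assumption, since the post only states that 33435 is the default port.

```python
import re
from collections import namedtuple

# Capture excerpt reproduced from the post (ASA text capture format);
# the TCP lines to 192.168.201.15:1720 are omitted here.
CAPTURE = """\
338: 10:18:47.290497 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
339: 10:18:50.070156 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
340: 10:18:50.221042 192.168.78.133.56176 > 192.168.201.32.33435: udp 8
341: 10:18:50.221424 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
342: 10:18:50.337003 192.168.78.133.56176 > 192.168.201.32.33436: udp 8
343: 10:18:50.337171 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
344: 10:18:50.452475 192.168.78.133.56176 > 192.168.201.32.33437: udp 8
345: 10:18:50.452765 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
346: 10:18:50.568345 192.168.78.133.56176 > 192.168.201.32.33438: udp 8
347: 10:18:50.573243 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33438 unreachable
348: 10:18:50.688700 192.168.78.133.56176 > 192.168.201.32.33439: udp 8
349: 10:18:50.692362 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33439 unreachable
350: 10:18:50.807850 192.168.78.133.56176 > 192.168.201.32.33440: udp 8
351: 10:18:50.811267 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33440 unreachable
352: 10:18:56.959270 192.168.78.133.3587 > 192.168.201.32.2497: udp 92
"""

Udp = namedtuple("Udp", "ts src sport dst dport length")
Icmp = namedtuple("Icmp", "ts src dst msg")

UDP_RE = re.compile(
    r"^\d+: (\S+) (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): udp (\d+)$")
ICMP_RE = re.compile(
    r"^\d+: (\S+) (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): icmp: (.*)$")
PORT_UNREACH_RE = re.compile(r"udp port (\d+) unreachable")

# Conventional UDP traceroute destination-port range (assumption: the post
# only states that 33435 is the default port).
TRACEROUTE_PORTS = range(33434, 33535)


def parse_capture(text):
    """Parse ASA capture text into Udp/Icmp records; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport, length = m.groups()
            pkts.append(Udp(ts, src, int(sport), dst, int(dport), int(length)))
            continue
        m = ICMP_RE.match(line)
        if m:
            pkts.append(Icmp(*m.groups()))
    return pkts


def correlate_probes(pkts):
    """Pair each traceroute-range UDP probe with the ICMP reply that follows it.

    Returns a list of (dport, responder, kind) in probe order; kind is
    'time-exceeded', 'port-unreachable' or 'no-reply'.
    """
    probes = []      # every traceroute-range probe, in capture order
    pending = []     # probes not yet answered, oldest first
    answered = {}    # dport -> (responder, kind)
    for p in pkts:
        if isinstance(p, Udp) and p.dport in TRACEROUTE_PORTS:
            probes.append(p)
            pending.append(p)
        elif isinstance(p, Icmp) and pending:
            m = PORT_UNREACH_RE.search(p.msg)
            if m:
                # Port-unreachable quotes the probe's port, so match it exactly.
                port = int(m.group(1))
                probe = next((q for q in pending if q.dport == port), None)
                kind = "port-unreachable"
            elif "time exceeded" in p.msg:
                # The text capture does not show the quoted inner header, so a
                # time-exceeded is attributed to the oldest unanswered probe
                # from the host it was sent to.
                probe = next((q for q in pending if q.src == p.dst), None)
                kind = "time-exceeded"
            else:
                continue
            if probe is not None:
                pending.remove(probe)
                answered[probe.dport] = (p.src, kind)
    return [(q.dport,) + answered.get(q.dport, (None, "no-reply")) for q in probes]


def hop_summary(results):
    """Collapse consecutive probes answered by the same host into hop groups."""
    hops = []
    for dport, responder, kind in results:
        if hops and hops[-1][0] == responder and hops[-1][1] == kind:
            hops[-1][2].append(dport)
        else:
            hops.append((responder, kind, [dport]))
    return hops


def looks_like_traceroute(results):
    """Classic signature: consecutive ports, at least one intermediate hop
    answering time-exceeded, and the destination answering port-unreachable last."""
    ports = [d for d, _, _ in results]
    kinds = [k for _, _, k in results]
    consecutive = all(b == a + 1 for a, b in zip(ports, ports[1:]))
    return (len(results) >= 2 and consecutive
            and "time-exceeded" in kinds and kinds[-1] == "port-unreachable")


if __name__ == "__main__":
    res = correlate_probes(parse_capture(CAPTURE))
    for responder, kind, ports in hop_summary(res):
        print(f"{responder:16} {kind:17} ports {ports[0]}-{ports[-1]}")
    print("traceroute signature:", looks_like_traceroute(res))
```

Read this way, the three time-exceeded messages from 172.25.2.1 are what the first hop after the tunnel produces for a traceroute's first set of probes, and the port-unreachables are the destination's normal answer once the probes reach it, which is consistent with the ASA replying to the phone rather than initiating anything. That narrows the question to why the phone issues a traceroute at that moment and whether the reboot lines up with it in time, which the probe timestamps returned by `parse_capture` let you check against the phone's own logs.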