ASA blocks Traffic non-SIP over SIP port 5060 (TCP) ?
we experience this issue in our network:
a test probe is running ftp requests to a server in order to measure performance between two point of the network.
The ftp uses port TCP:5060 that is a well known port for SIP. The easy conclusion that it is a non sense and that this ftp test should change its connection port is not enough for some people, it is mandatory to make this test work with this configuration. We are trying to understand where should this dirty connection be aborted, the first security device is ASA. ASA has SIP inspection enabled and, as I understood, it considers UDP/TCP:5060 by default (even if in most cases SIP runs over UDP).. is it possible that this inspection block FTP traffic over SIP port? We would maintain SIP inspection active while enabling this FTP traffic: I found the SIP inspection parameter 'traffic-non-sip', could it help with our issue?
An additional information is that ftp client generates SYN but it doesn't receive any SYN ACK: if something blocks, it blocks from the very beginning of the connection.
Re: ASA blocks Traffic non-SIP over SIP port 5060 (TCP) ?
by disabling SIP inspection we make FTP connection on port 5060 work, but this is not what we desire: if we disabled SIP inspection, SIP connections wouldn't work anymore and we see such connections passing through our network.
Just to update what I wrote, by doing 'sh run all' I realized that non-sip traffic on sip port is enabled by default by ASA:
policy-map type inspect sip _default_sip_map description Default SIP policymap parameters im no ip-address-privacy traffic-non-sip no rtp-conformance
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...