07-24-2014 10:40 AM - edited 03-11-2019 09:32 PM
We have deployed an ASR with ZBF and are having issues with softphones registering. We have created a class map that matches (any) both protocols tftp and skinny, but we get udp SIS_PREGEN on some of the phones that attempt to register. We have tested with 2 remote phones which are both on the same layer 3 address space. One phone will register without issue, the other won't register and never gets the tftp data.
Working example
ASR#show policy-map type inspect zone-pair bank0267_outside sessions | include WORKING IP
Session 27B6878 (WORKING IP:60196)=>(10.43.233.1:69) tftp SIS_OPEN
Session 27B68C4 (WORKING IP:53104)=>(10.43.139.1:2000) skinny SIS_OPEN
Session 27B6910 (10.43.233.1:62025)=>(WORKING IP:60196) udp SIS_OPEN
Session 27B6878 (10.43.233.1:51173)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B68C4 (10.43.233.1:65431)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6910 (10.43.233.1:63142)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B695C (10.43.233.1:62964)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B69A8 (10.43.233.1:55205)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B69F4 (10.43.233.1:62335)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6A40 (10.43.233.1:51322)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6A8C (10.43.233.1:63560)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6AD8 (10.43.233.1:64109)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6B24 (10.43.233.1:63245)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6B70 (10.43.233.1:64970)=>(WORKING IP:60196) udp SIS_OPENING
Session 27B6BBC (10.43.233.1:59400)=>(WORKING IP:60196) udp SIS_OPENING
Not working:
ASR#show policy-map type inspect zone-pair bank0267_outside sessions | include Not Working IP
Session 27B6878 (Not Working IP:64303)=>(10.43.139.1:69) tftp SIS_OPENING
Session 27B6878 (10.43.139.1:0)=>(Not Working IP:64303) udp SIS_PREGEN
Again, the 2 softphones are on the same layer 3 network and routing appears to be good; the not-working one can ssh to the CME without issues.
class-map type inspect match-any permit_csi_tftp_to_bank
 match protocol tftp
 match protocol skinny
policy-map type inspect bank0267_outside
 <output omitted>
 class type inspect permit_csi_tftp_to_bank
  inspect
Please advise,
Joe
07-30-2014 04:54 PM
Hello Joe,
Is that Policy-Map only containing that information?
I just wanna make sure that the phone that is not able to register actually hits that Class-Map that states the traffic should be encrypted.
Have you enabled the ip inspect log drop-pkt feature?
Regards,
Jcarvaja
CCIE 42930, 2xCCNP, JNCIS-SEC
For immediate support http://iNetworks.cr
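Added example, not part of either post and not Cisco tooling: a small Python triage script for the `show policy-map type inspect zone-pair ... sessions` output quoted in the first post. It groups sessions per phone, shows which server each tftp request went to, and flags phones whose tftp request has no return session in SIS_OPEN. The "stalled" rule is a heuristic drawn from the difference between the two outputs in the thread, and the phone addresses 192.0.2.10 and 192.0.2.20 are constructed stand-ins for the redacted IPs.

```python
import re
from collections import defaultdict

# Line layout taken from the session output quoted in the first post.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[^():]+):(?P<sport>\d+)\)=>\((?P<dst>[^():]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)

def parse_sessions(text):
    """Return one dict per session line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.search, text.splitlines()) if m]

def triage(text, clients):
    """Per client: control sessions it initiated and states of return sessions."""
    report = {c: {"control": [], "return_states": defaultdict(int)} for c in clients}
    for s in parse_sessions(text):
        if s["src"] in report:    # phone -> server (tftp / skinny)
            report[s["src"]]["control"].append((s["proto"], s["dst"], s["state"]))
        elif s["dst"] in report:  # server -> phone return sessions
            report[s["dst"]]["return_states"][s["state"]] += 1
    return report

def stalled(report):
    """Heuristic (assumption): tftp requested, but no return session in SIS_OPEN."""
    return sorted(
        c for c, r in report.items()
        if any(proto == "tftp" for proto, _, _ in r["control"])
        and r["return_states"].get("SIS_OPEN", 0) == 0
    )

# Constructed sample: same layout as the post's output, with documentation
# addresses standing in for the redacted phone IPs.
SAMPLE = """\
Session 27B6878 (192.0.2.10:60196)=>(10.43.233.1:69) tftp SIS_OPEN
Session 27B68C4 (192.0.2.10:53104)=>(10.43.139.1:2000) skinny SIS_OPEN
Session 27B6910 (10.43.233.1:62025)=>(192.0.2.10:60196) udp SIS_OPEN
Session 27B6878 (10.43.233.1:51173)=>(192.0.2.10:60196) udp SIS_OPENING
Session 27B6878 (192.0.2.20:64303)=>(10.43.139.1:69) tftp SIS_OPENING
Session 27B6878 (10.43.139.1:0)=>(192.0.2.20:64303) udp SIS_PREGEN
"""

if __name__ == "__main__":
    print(stalled(triage(SAMPLE, ["192.0.2.10", "192.0.2.20"])))
```

Feed it the unfiltered session output rather than the `| include` view so that both directions for every phone are present.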