Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASR zone based firewall TFTP SKINNY issues

We have deployed an ASR with zbf and are having issue with softphones registering.  We have created a class map that matches (any) both protocols tftp and skinny, but we get upd SIS_PREGEN on some of the phones that attempt to register.  We have tested with 2 remote phones which are both on the same layer 3 address space.  One phone will register without issue, the other won't register and never gets the tftp data.

Working example

ASR#show policy-map type inspect zone-pair bank0267_outside sessions | include WORKING IP
         Session 27B6878 (WORKING IP:60196)=>( tftp SIS_OPEN
         Session 27B68C4 (WORKING IP:53104)=>( skinny SIS_OPEN
         Session 27B6910 (>(WORKING IP:60196) udp SIS_OPEN
         Session 27B6878 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B68C4 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6910 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B695C (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B69A8 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B69F4 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6A40 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6A8C (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6AD8 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6B24 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6B70 (>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6BBC (>(WORKING IP:60196) udp SIS_OPENING


Not working:

ASR#show policy-map type inspect zone-pair bank0267_outside sessions | include Not Working IP
         Session 27B6878 (Not Working IP:64303)=>( tftp SIS_OPENING
         Session 27B6878 (>(Not Working IP:64303) udp SIS_PREGEN


Again the 2 softphones are on the same layer 3 network and routing appears to be good, the not working can ssh to the cme without issues.


class-map type inspect match-any permit_csi_tftp_to_bank
 match protocol tftp
 match protocol skinny

policy-map type inspect bank0267_outside
 <output omitted>

 class type inspect permit_csi_tftp_to_bank


Please advise,






Hello Joe, Is that Policy-Map

Hello Joe,


Is that Policy-Map only containing that information?


I just wanna make sure that the phone that is not able to register actually hits that Class-Map that states the traffic should be encrypted.


Have you enabled the ip inspect log drop-pkt feature ?





For inmediate support

Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura