Cisco ASR zone based firewall TFTP SKINNY issues

joeharb
Level 5

We have deployed an ASR with zbf and are having an issue with softphones registering.  We have created a class map that matches (any) both protocols tftp and skinny, but we get udp SIS_PREGEN on some of the phones that attempt to register.  We have tested with 2 remote phones which are both on the same layer 3 address space.  One phone will register without issue; the other won't register and never gets the tftp data.

Working example

ASR#show policy-map type inspect zone-pair bank0267_outside sessions | include WORKING IP
         Session 27B6878 (WORKING IP:60196)=>(10.43.233.1:69) tftp SIS_OPEN
         Session 27B68C4 (WORKING IP:53104)=>(10.43.139.1:2000) skinny SIS_OPEN
         Session 27B6910 (10.43.233.1:62025)=>(WORKING IP:60196) udp SIS_OPEN
         Session 27B6878 (10.43.233.1:51173)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B68C4 (10.43.233.1:65431)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6910 (10.43.233.1:63142)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B695C (10.43.233.1:62964)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B69A8 (10.43.233.1:55205)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B69F4 (10.43.233.1:62335)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6A40 (10.43.233.1:51322)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6A8C (10.43.233.1:63560)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6AD8 (10.43.233.1:64109)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6B24 (10.43.233.1:63245)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6B70 (10.43.233.1:64970)=>(WORKING IP:60196) udp SIS_OPENING
         Session 27B6BBC (10.43.233.1:59400)=>(WORKING IP:60196) udp SIS_OPENING


Not working:

ASR#show policy-map type inspect zone-pair bank0267_outside sessions | include Not Working IP
         Session 27B6878 (Not Working IP:64303)=>(10.43.139.1:69) tftp SIS_OPENING
         Session 27B6878 (10.43.139.1:0)=>(Not Working IP:64303) udp SIS_PREGEN


Again, the 2 softphones are on the same layer 3 network and routing appears to be good; the non-working one can SSH to the CME without issues.


class-map type inspect match-any permit_csi_tftp_to_bank
 match protocol tftp
 match protocol skinny

policy-map type inspect bank0267_outside
 <output omitted>

 class type inspect permit_csi_tftp_to_bank
   inspect 


Please advise,


Joe

 

 
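Reading the two session dumps above by hand is error-prone, so here is an added Python helper (not from the post, and not a Cisco tool) that parses `show policy-map type inspect zone-pair ... sessions` output and reports, per TFTP client, whether a real return UDP session ever opened or only the pre-generated SIS_PREGEN placeholder exists. The session lines are a constructed sample modelled on the post, with 192.0.2.10 and 192.0.2.11 standing in for the redacted phone addresses; reading SIS_PREGEN as the inspector's pre-generated return pinhole is this example's interpretation of the output.

```python
import re

# Constructed sample modelled on the post's "show ... sessions" excerpts; the redacted
# client addresses become 192.0.2.10 (working phone) and 192.0.2.11 (non-working phone).
SAMPLE_OUTPUT = """\
         Session 27B6878 (192.0.2.10:60196)=>(10.43.233.1:69) tftp SIS_OPEN
         Session 27B68C4 (192.0.2.10:53104)=>(10.43.139.1:2000) skinny SIS_OPEN
         Session 27B6910 (10.43.233.1:62025)=>(192.0.2.10:60196) udp SIS_OPEN
         Session 27B6878 (10.43.233.1:51173)=>(192.0.2.10:60196) udp SIS_OPENING
         Session 27B6878 (192.0.2.11:64303)=>(10.43.139.1:69) tftp SIS_OPENING
         Session 27B6878 (10.43.139.1:0)=>(192.0.2.11:64303) udp SIS_PREGEN
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[^:)]+):(?P<sport>\d+)\)=>\((?P<dst>[^:)]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)

def parse_sessions(text):
    """Turn each 'Session ...' line into a dict; any other line is ignored."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            s = m.groupdict()
            s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
            sessions.append(s)
    return sessions

def tftp_health(sessions):
    """Classify each TFTP request (client -> server:69) by the return traffic seen. The
    server answers from a fresh ephemeral port, so the inspector pre-generates a wildcard
    return session (server:0 => client:port, SIS_PREGEN) until a reply actually arrives."""
    report = {}
    for req in sessions:
        if req["proto"] != "tftp":
            continue
        client, server, port = req["src"], req["dst"], req["sport"]
        returns = [s for s in sessions if s["proto"] == "udp"
                   and s["src"] == server and s["dst"] == client and s["dport"] == port]
        real = [s for s in returns if s["sport"] != 0 and s["state"] != "SIS_PREGEN"]
        if real:
            status = "reply_seen"          # data channel came back through the firewall
        elif returns:
            status = "no_reply"            # only the pre-generated placeholder exists
        else:
            status = "no_return_session"   # nothing pinned for the reverse direction
        report[client] = {"server": server, "status": status, "returns": len(returns)}
    return report
```

Run over the post's own dumps, the report also makes visible that the working phone requests TFTP from 10.43.233.1 while the non-working phone asks 10.43.139.1, which is worth checking against each phone's TFTP server setting before chasing the firewall.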

1 Reply

Julio Carvajal
VIP Alumni

Hello Joe,


Is that Policy-Map only containing that information?


I just wanna make sure that the phone that is not able to register actually hits that Class-Map that states the traffic should be encrypted.


Have you enabled the ip inspect log drop-pkt feature?

Regards,


Jcarvaja

CCIE 42930, 2xCCNP, JNCIS-SEC

For immediate support http://iNetworks.cr

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC