I have a issue related to SIP Traffic . I am using ASA 184.108.40.206 and the call manager is sitting Inside of ASA and there is one more call manager sitting outside of ASA .The user (from his IP Phone) dials to a remote phone and registers with inside CUCM , from where the packet hits ASA and goes to remote CUCM behind which the destination phone is located.
1) When a call is initiated from Inside IP Phone it will register itself to a SIP registrar server which is CUCM
(IP Phone and CUCM are located behind the ASA and CUCM exits ASA with NATTED IP)
2) Once it has registered , the CUCM (NATTED IP ) sends an INVITE request to the destination CUCM on UDP /5060 , traversing via ASA Firewall ; however packet captures show only SIP under the protocol column , ideally for INVITE packet it should show SIP/SDP (Please correct me if i am wrong)
3) The Remote server at the other end is replying with “ Status : 100 giving a try “ which means that some unspecified action is being taken on behalf of this call (e.g.,a database is being consulted),but the user has not yet been located.
4) After some time , the server replies again with “ Status : 408 Request Timeout” which means that server is not able to send a response for which the Inside Call manager sends a CANCEL Request
From the debug sip and Syslogs in ASA :
a) There is no deny message in the Syslog according to any access-list
b) debug sip shows below message (IP Addres id Inside CUCM)
SIP::Not updating database for Contact 10.3.1.1/5060, registry database total 0
a) Inspect SIP is allowed
b) Following NAT are there
nat (inside) 1 10.3.1.1 255.255.255.255 global (outside) 1 interface
The call flow is correct , i would like to know if there could be an issue between CUCM A and Phone A ?
If MTP is not checked on the SIP trunk on CUCM , do you mean to say that the CUCM behind the inside interface of ASA need to have this parameter checked ?The issue is that i am confused as to whether ASA is opening the hole with inspect sip command or not . Suppose if ASA is opening this hole , then can it be like that MTP is not checked thats why the (SIP+SDP) not going in Invite
Also i have one more question , is it like that the MTP needs to be checked on the SIP trunk on the Outside CUCM also ?
this could also means that CUCM B may not have MTP option checked / ticked when packet is going outside and hitting ASA and then CUCM A
Also there i only 1 firewall in between CUCM A and CUCM B .What i think is that when packet reaches CUCM A , it tries to call Phone A and is not getting response and after sometime , it sends reply back to ASA for CUCM B regarding time out . I am surely gng to attach captures today evening
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...