SIP issue with PIX 6.2(2)

limtohsoon · ‎04-21-2008

Hi Sir,

I have a PIX-525 running version 6.2(2). Recently end-user reported their SIP calls across this PIX fail to work.

I get the users test their applications while I turned on "debug sip". I couldn't see any SIP-related messages except the following:

2008-04-22 12:42:05 Local4.Info 10.254.1.20 Apr 22 2008 12:42:03: %PIX-6-106015: Deny TCP (no connection) from 10.254.2.106/50543 to 10.142.65.101/5060 flags PSH ACK on interface outside

The following fixup commands are already in place by default:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol sip 5060

I have checked the conduit, static, route, and timeout statements. All seem okay.

Below is Release Notes of PIX 6.2(2):

http://www.cisco.com/en/US/docs/security/pix/pix62/release/notes/pixrn622.html#wp88636

I notice SIP-related bugs in the Open and Resolved Caveats. I'm not sure if I'm hitting any of those bugs because I'm not getting any SIP messages from "debug sip".

Please advise.

Thank you.

B.Rgds,

Lim TS

husycisco · ‎04-22-2008

Hi Toh

I assume the error you encounter usually happens in two conditions.

1) Most probably your NAT statement for traffic 10.254.2.0 to 10.142.65.0 does not exist.

2) Source and destination are on different interfaces which has the same security level and "same-security-traffic permit inter-interface" is not enabled

Regards

dongdongliu · ‎04-22-2008

hi,

but version 6.2(2) do not support same-security-traffic permit inter-interface.

regards