Cisco Support Community
Community Member

Skinny inspection closes connection

I have a branch office set up where all traffic goes back to the core, including internet access.

It has been working fine for a year, but recently I have started to see the firewalls (ASA 5505) closing the connection and stopping the phone from answering the calls.

I have Skinny inspection turned on at all my branch offices, but had to turn it off at the one site to get one of my phones to register.

I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.

My firewall is configured for default deny, other than Skinny (TCP 2000). Do I need Skinny inspection to be turned on?

It's turned on at my 5 other branches.

How can I debug why the Skinny inspection is closing the connection?

As a separate note, this phone is part of a pool of phones that shares a common DN. Would this be causing the issue?

Cisco Employee


Hi Martin,

If the ASA's security policy denies all traffic except TCP/2000, the inspection would be needed to allow the child connections through after the initial TCP/2000 control channel establishes. You would also need to have the inspection enabled if the ASA is performing any NAT on the Skinny traffic.

The best tools to debug the Skinny inspection are debugging (7) level syslogs, 'debug skinny' output, and simultaneous, bi-directional packet captures taken on both sides of the ASA. I would recommend opening a TAC case for additional assistance if the above output doesn't make the issue more clear.
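
One way to work through the syslogs mentioned in the reply above, as an added example that is not part of the original thread: the script tallies the teardown reason of each Skinny control connection (TCP/2000) per phone from %ASA-6-302014 messages, so a session ended by the inspection engine stands out from one closed by an endpoint. The log lines, addresses and function names are constructed for illustration, and the regex assumes the standard 302014 message layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ASA 302014 teardown syslogs; all addresses, ids and
# durations are made up for illustration.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 4101 for outside:10.10.0.5/2000 to inside:192.168.20.11/49152 duration 0:12:41 bytes 88213 TCP FINs
%ASA-6-302014: Teardown TCP connection 4102 for outside:10.10.0.5/2000 to inside:192.168.20.12/49153 duration 0:00:07 bytes 412 Flow closed by inspection
%ASA-6-302014: Teardown TCP connection 4103 for outside:10.10.0.5/443 to inside:192.168.20.12/50111 duration 0:00:02 bytes 5120 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 4104 for outside:10.10.0.5/2000 to inside:192.168.20.12/49160 duration 0:00:05 bytes 398 Flow closed by inspection
%ASA-7-609002: Teardown local-host inside:192.168.20.12 duration 0:00:07
"""

# Assumed layout of message 302014: two interface:ip/port endpoints (each with
# an optional "(user)" suffix), duration, byte count, optional teardown reason.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"[^:\s]+:(?P<ip_a>[\d.]+)/(?P<port_a>\d+)(?: \([^)]*\))? to "
    r"[^:\s]+:(?P<ip_b>[\d.]+)/(?P<port_b>\d+)(?: \([^)]*\))? "
    r"duration \S+ bytes \d+(?: (?P<reason>.+))?$"
)
SKINNY_PORT = 2000


def skinny_teardowns(log_text):
    """Return {phone_ip: Counter(reason)} for teardowns of TCP/2000 sessions."""
    by_phone = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)  # search() tolerates a timestamp prefix
        if not m:
            continue  # not a TCP teardown message
        ends = [(m["ip_a"], int(m["port_a"])), (m["ip_b"], int(m["port_b"]))]
        if not any(port == SKINNY_PORT for _, port in ends):
            continue  # some other TCP service, not the Skinny control channel
        # The endpoint that is not listening on 2000 is treated as the phone.
        phone = next((ip for ip, port in ends if port != SKINNY_PORT), ends[1][0])
        reason = (m["reason"] or "no reason logged").strip()
        by_phone[phone][reason] += 1
    return by_phone


def closed_by_inspection(log_text):
    """Phones with at least one Skinny session ended by the inspection engine."""
    hits = skinny_teardowns(log_text)
    return sorted(ip for ip, r in hits.items() if r["Flow closed by inspection"])


if __name__ == "__main__":
    print(closed_by_inspection(SAMPLE_LOG))
```
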

