Cisco Support Community

SIP, AnyConnect, and ASA Firewall

I am the ASA Firewall Administrator where I work, and recently our Telephony group has changed their outbound calling to use SIP. We also use AnyConnect VPN phones, and none of these (as long as they use a secure profile, which encrypts the signaling and payload) can make outbound calls.

Well, let me re-phrase that: they can make an outbound call, but they hear no audio. AnyConnect VPN phones that are not using a secure profile work fine.

Obviously this is an issue with the firewall per se: something I am not doing, or something I am doing! Not sure. As I am not a telephony guy, I am not sure what to look at! When we first put in SIP, the engineer said I needed to add some routes for the SIP CUBEs and a NAT rule, both of which were added. However, at the time our testing efforts were performed with a phone that was not using a secure profile.

I know there is a TLS Proxy feature in the ASA. Would this solve my issue? I'm thinking yes, because it would allow the ASA to decrypt the traffic, but I want to make sure this is the solution.

If not, what do I need to do, allow, or configure in the ASA Firewall to allow encrypted calls outbound?

Thank you for any assistance any one can provide!

Do you have SRTP/SIP inspection? Can you try turning that off?

Please rate useful posts.
Yes, SIP inspection is on. Did you mean "RTSP"? Here are the inspects that are configured:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect h323 h225 
  inspect h323 ras 

You could try removing inspect sip. Taking a step back, if you put a phone with the secure profile on your network and make sure traffic doesn't go through the firewall, do you get audio? By "cannot make outbound calls", did you mean the call fails?
Please rate useful posts.

Here are scenarios I have tested:

Internal Cisco 7965 IP Phone w/Secure or Non-Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – No Issues

AnyConnect VPN Phone - Cisco 7965 IP Phone w/Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – Call Works – No Audio

AnyConnect VPN Phone - Cisco 7965 IP Phone w/Non-Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – No Issues

AnyConnect Laptop – With Cisco Softphone – IP Communicator w/Secure Profile:

  1. IP Phone to IP Phone works fine (Calling internal or other AnyConnect phones) – No Issues
  2. IP Phone to External Number – Uses SIP – No Issues

The only scenario that fails is when the call is initiated on an AnyConnect phone that has a secure profile. The call signaling seems to go through, because the phone rings, but when the caller answers there is no audio in either direction.


OK, let me know if my thinking is correct, but I think what is happening is that the SIP call is automatically negotiating down to unencrypted between the AnyConnect call and SIP.

Now based on that I am assuming that the firewall could be dropping the traffic because the AnyConnect phone is going out encrypted, but the return payload is coming back unencrypted.

What I have noticed is that signaling and payload work on the way out encrypted, it’s the return traffic that is unencrypted and based on that and knowing the firewall is stateful it must be dropping the traffic.

Our network admin was able to verify that voice traffic was indeed coming back, but it was unencrypted, because he could play back the G.711 audio and hear the voice call. Had it come back encrypted, he would not have been able to hear the voice call.
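The "negotiated down" theory in the post above can be checked directly from the SIP signaling rather than inferred from the media: the SDP offer in the phone's INVITE and the SDP answer in the 200 OK state which transport profile each side chose. RTP/SAVP with an a=crypto line (RFC 4568) is SRTP; RTP/AVP with no a=crypto line is plain RTP, which is what a G.711 stream you can play back from a capture looks like. The following script is an added example for this thread, not code or configuration from the original posts or from Cisco. The INVITE, the two 200 OK answers, the addresses and the key material in it are all constructed samples; the only assumption is that the answer lists its m= lines in the same order as the offer, as RFC 3264 requires.

```python
"""Check whether a SIP offer/answer pair negotiated SRTP down to plain RTP.

Added example for the thread, not the original poster's code. Parses the SDP
bodies of a constructed INVITE (offer) and two constructed 200 OK answers, and
reports, per media stream, the transport profile each side chose. All messages,
addresses and keys below are constructed samples, not captures.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MediaLine:
    media: str                                        # e.g. "audio"
    port: int                                         # 0 means the answerer rejected the stream
    profile: str                                      # "RTP/AVP" (plain RTP) or "RTP/SAVP" (SRTP)
    connection: str                                   # c= address in effect for this stream
    crypto: List[str] = field(default_factory=list)   # a=crypto lines under this m= line


def sdp_body(message: str) -> str:
    """Return the SDP body of a SIP message: everything after the first blank line."""
    _, _, body = message.replace("\r\n", "\n").partition("\n\n")
    return body


def parse_sdp(sdp: str) -> List[MediaLine]:
    """Split an SDP body into one MediaLine per m= line, with its c= and a=crypto lines."""
    session_conn = ""
    streams: List[MediaLine] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            # "c=IN IP4 192.0.2.10"; a media-level c= overrides the session-level one
            addr = value.split()[-1]
            if streams:
                streams[-1].connection = addr
            else:
                session_conn = addr
        elif key == "m":
            media, port, profile = value.split()[:3]
            streams.append(MediaLine(media, int(port), profile, session_conn))
        elif key == "a" and streams and value.startswith("crypto:"):
            streams[-1].crypto.append(value)
    return streams


def is_srtp(m: MediaLine) -> bool:
    """SRTP needs the secure profile and at least one key-exchange attribute."""
    return m.profile.upper().endswith("SAVP") and bool(m.crypto)


def negotiation_report(offer_msg: str, answer_msg: str) -> List[Dict[str, object]]:
    """Pair each offered stream with the answer's stream at the same index (RFC 3264)
    and flag streams the offerer wanted encrypted but the answerer made plain."""
    offer = parse_sdp(sdp_body(offer_msg))
    answer = parse_sdp(sdp_body(answer_msg))
    report: List[Dict[str, object]] = []
    for i, o in enumerate(offer):
        a = answer[i] if i < len(answer) else None
        accepted = a is not None and a.port != 0
        report.append({
            "media": o.media,
            "offer_profile": o.profile,
            "answer_profile": a.profile if a else "missing",
            "answer_addr": f"{a.connection}:{a.port}" if a else "missing",
            "rejected": not accepted,
            "downgraded": is_srtp(o) and accepted and not is_srtp(a),
        })
    return report


# Constructed offer from a phone on a secure profile: SRTP with a dummy key
# (base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123", not a real key). Documentation addresses.
OFFER = (
    "INVITE sip:+15551234567@cube.example.net SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=phone 1 1 IN IP4 192.0.2.10\r\ns=call\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 16384 RTP/SAVP 0 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIz\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed answer that quietly dropped to plain RTP/AVP: PCMU (G.711) would
# then flow in the clear, the situation described in the post.
ANSWER_PLAIN = (
    "SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=gw 1 1 IN IP4 198.51.100.20\r\ns=call\r\nc=IN IP4 198.51.100.20\r\nt=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\n"
)

# Constructed answer that kept SRTP end to end.
ANSWER_SRTP = (
    "SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=gw 1 1 IN IP4 198.51.100.20\r\ns=call\r\nc=IN IP4 198.51.100.20\r\nt=0 0\r\n"
    "m=audio 20000 RTP/SAVP 0 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MDEyM1pZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JB\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

if __name__ == "__main__":
    for label, ans in (("plain answer", ANSWER_PLAIN), ("srtp answer", ANSWER_SRTP)):
        for row in negotiation_report(OFFER, ans):
            print(label, row)
```

Fed the SDP from a SIP trace of the failing call, the report shows three things the network admin's capture cannot: whether the far side answered RTP/AVP at all (a downgrade), whether it rejected the stream with port 0, and the address and port the answerer expects media on, which is also what the firewall has to have a pinhole for.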
