SIP BYEs don't pass through with ASA 8.4 double-nat
I got the following situation:
CellPhone - PSTN - SIP Provider - Internet - Cisco ASA 5550 with 8.4 - Cisco 3845 CUBE - SIP Media Server IVR
SIP Provider initiates SIP control through ASA to 3845 to Media Server
Media Server inititates SIP media through ASA to SIP Provider
ASA5550 is setup with Double-Nat and SIP inspection. Double-NAT is necessary because we will have multiple ASA 5550 firewalls and need the return traffic to come back through the correct ASA.
Invites and Voice is working fine. The problem is with call disconnect.
1. When Double-NAT is disabled, and only inside>outside Nat is enabled, then there are no problems. If IVR on Media Server needs to disconnect the call, it sends SIP BYE to CUBE, CUBE sends SIP BYE to ASA, ASA sends SIP BYE to provider, and Cell Phone will see the call disconnect. No issues.
2. When Double-NAT is enabled, we have a problem. IVR on Media Server sends SIP BYE to CUBE, CUBE sends SIP BYE to ASA (I see it in debug ccsip messages), and ASA seems to lose this SIP BYE during inspection, because provider claims that never sip SIP BYE come from us. Consequently, cell phone never seens the call disconnect. If the user forgets to hang up we get charged for extra minutes.
ASA outside nat config:
object network obj-10.0.0.173
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.