Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SIP Protocol Violation

We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall Policy configuration. Here is a little bit of info about the site design and some logs desplaying this particular error:

-remote site connected to central site via a vpn tunnel

-both routers(1841 & 2801) have a basic ZBFW config that is specifying SIP traffic as being permissible from one site to the other

-phones are Grandstream and SIP server is a Trixbox(we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)

-SIP server is 192.168.14.10 at central site

-Grandstream phones are 172.20.14.0/24 at remote site

The following are logged sessions from the router at the remote site(where phones are attempting to establish communication across vpn tunnel with SIP server):

1)phone to server SIP traffic

a)Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)

b)Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class

c)Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes

2)server to phone SIP traffic:

a)Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)

b)Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class

c)Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes

For each attempt, outbound sip traffic(from phone to server) flags the "Forbidden header field found" violation. And inbound sip traffic(server to phone) flags the "Invalid Dialog" traffic.

I have posted this over in the security section of Netpro as well because I realize this is specifically an issue with how the ZBFW config sees the SIP traffic.

Any help would be greatly appreciated. Thanks for your time.

3 REPLIES
Hall of Fame Super Gold

Re: SIP Protocol Violation

The few times that's used ZBFW, I've seen nothing but trouble.

If you need to keep it, and cannot tell it to leave SIP alone, recommend make a GRE tunnel so FW cannot mess with it.

New Member

Re: SIP Protocol Violation

Thanks so much for your response. If at all possible, I would really like to get the AIC working for SIP traffic between our security zones. At the moment I am L4ing the traffic by matching sip and rtp protocols via pre-defined udp ports. This really opens up my firewall a little more than I would like and doesn't allow me to take advantage of some of the SIP enhancements with ZBFW.

Thanks a lot for your comment. I really appreciate your input.

Hall of Fame Super Gold

Re: SIP Protocol Violation

You're welcome, please remember to rate useful posts with the scrollbox below.

656
Views
2
Helpful
3
Replies