Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428
The MESSAGE/INFO requests can arrive at any time after a registration or a subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes, which timeout in accordance with the configured SIP timeout value. This value must be configured for at least five minutes longer than the subscription duration. The Contact Expires value defines the subscription duration and is typically 30 minutes.
Because the MESSAGE/INFO requests are typically sent through a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.
Note: The SIP also enables Voice over IP (VoIP) calls. The SIP works with the Secure Device Provisioning (SDP) for call signaling.
In order to resolve this issue, enable inspection for SIP on the security appliance with the inspect sip command.