Cisco Support Community

ISA550W Filtering SIP

Hello All --

This is driving me crazy.

I have an ISA550W Small Business Security Appliance.

It is currently configured to act as a SIP ALG for a UC540 that is behind it.

Port forwarding rules send SIP and RTP traffic to the UC540, whose WAN interface is set up as

My SIP trunk provider does not activate trunks based on registration, but instead by sending a SIP OPTIONS ping to ensure that my switch is responding.

Up until a week ago, inbound SIP / RTP traffic from my provider was sent through to the UC540 without incident.

Last weekend, seemingly at random, the UC540 stopped receiving inbound SIP from my provider.  The ISA550W does not appear to be forwarding traffic to it despite correct ACL and port forwarding rules.

Doing a packet capture on the ISA550W WAN interface, I can see that my SIP trunk provider is sending OPTIONS requests as expected; they just aren't being sent through.

If I attempt to pass SIP traffic through to the UC540 from another outside IP, namely by generating fake UDP packets destined to port 5060 (SIP), they show up on the UC540. These packets are not properly-formatted SIP requests, just me sending "test test" as a UDP dump to see if the traffic gets through. If I do a "terminal monitor" and then a "debug ccsip messages" I can see that the UC540 is receiving these.

To me, this demonstrates two propositions: one, that the port forwarding and ACL rules are correct; and two, that the ISA550W is silently filtering SIP traffic for some reason. I proved this out by connecting a laptop to the switch port occupied by the UC540, assigning it the UC540's IP address, and using Wireshark to watch the traffic that was being forwarded to it. I could see SIP traffic forwarded in from my outside address; I could not see any SIP traffic forwarded from my SIP trunk provider.

Nothing appears in the logs, despite explicitly configuring the ACL rules to log all packets coming from the SIP provider's IPs.

Having banged my head against this inexplicable behaviour for several hours last week, I finally gave up, flashed the ISA550W back to its default config, and configured everything from the ground up again.

The ISA550W passed SIP traffic through to the UC540 correctly up until this morning, when, with no configuration changes made, it stopped again and reverted to silently dropping SIP from my provider.

Any assistance would be appreciated.
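The provider's OPTIONS ping described above can be reproduced with a small probe, which is useful for telling a dropped-in-transit request apart from a PBX that simply isn't answering. The script below is an added example, not code from the thread or from Cisco: it builds an RFC 3261 OPTIONS request, sends it over UDP, and waits for a response whose Call-ID matches. Run it from a host outside the firewall against the forwarded public address, then from a host on the LAN directly against the PBX; a reply on the LAN but a timeout from outside points at the firewall, matching the WAN-capture observation in the post. The addresses in the code are documentation-range placeholders, not the poster's.

```python
"""SIP OPTIONS liveness probe (added example; addresses are placeholders)."""
import socket
import time
import uuid


def build_options(target_host, target_port, local_host, local_port,
                  branch=None, call_id=None, tag=None):
    """Return an RFC 3261 OPTIONS request as bytes.

    branch, call_id and tag may be supplied to make the output reproducible;
    otherwise fresh random values are generated for each request.
    """
    branch = branch or "z9hG4bK" + uuid.uuid4().hex[:16]
    call_id = call_id or uuid.uuid4().hex
    tag = tag or uuid.uuid4().hex[:8]
    lines = [
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch={branch};rport",
        f"From: <sip:probe@{local_host}>;tag={tag}",
        f"To: <sip:{target_host}:{target_port}>",
        f"Call-ID: {call_id}@{local_host}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",  # blank line terminates the header block
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(data):
    """Parse the status line and headers of a SIP response.

    Returns (status_code, reason, headers) with lower-cased header names, or
    None if the datagram is not a SIP/2.0 response (for example the
    "test test" UDP payload from the post, or any unrelated traffic).
    """
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), reason, headers


def probe(target_host, target_port=5060, timeout=2.0):
    """Send one OPTIONS request and wait for the matching reply.

    Returns the parsed response, or None on timeout, which is the symptom in
    the thread: the request is visible on the WAN but nothing comes back.
    """
    call_id = uuid.uuid4().hex
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Connecting a UDP socket lets the OS pick the local address/port
        # that will actually be used, so the Via header is accurate.
        sock.connect((target_host, target_port))
        local_host, local_port = sock.getsockname()
        sock.send(build_options(target_host, target_port, local_host,
                                local_port, call_id=call_id))
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            sock.settimeout(remaining)
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return None
            parsed = parse_response(data)
            # Ignore stray datagrams; only accept the reply to our Call-ID.
            if parsed and parsed[2].get("call-id", "").startswith(call_id):
                return parsed


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a TEST-NET-1 placeholder; pass the real PBX or WAN address.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = probe(host)
    if result is None:
        print(f"no SIP response from {host}:5060 within timeout")
    else:
        code, reason, headers = result
        print(f"{host}:5060 answered {code} {reason}; "
              f"User-Agent: {headers.get('user-agent', '?')}")
```

Because the probe only accepts a reply carrying its own Call-ID, a 200 OK proves the PBX processed the request as SIP, which the raw "test test" datagram in the post cannot show; a consistent timeout from outside alongside a reply from inside isolates the drop to the appliance.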


Re: ISA550W Filtering SIP

Have you tried turning off all the security services to see if one of them is interfering (AV, Web Filtering, IPS, etc.)?


Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Re: ISA550W Filtering SIP

Just followed your suggestion, which I thank you for.

I will see if turning off security services affects this issue.

If it does, that seems to be a defect in the product -- security scanning should be suspended for any traffic which is explicitly permitted by an ACL.



Re: ISA550W Filtering SIP

Agreed. We have seen some challenges, not explicitly related to SIP, with some of the services, namely IPS. If it works, I'd turn each service on one at a time to find out which one is breaking it.



Topic bump, as the behaviour has begun occurring again.

My ISA550w has once again begun silently filtering inbound SIP UDP OPTIONS messages, which are used by my trunk provider to verify that my VOIP switch is alive and responding.

As stated above, ACL rules explicitly permit the forwarding of this traffic to my VOIP switch, which resides behind the firewall.

From time to time, and apparently for no reason at all, the firewall begins silently dropping this traffic.  No hits are recorded in the firewall logs despite the fact that logging of this traffic is turned on.

Previously, disabling all security services appeared to deal with this.  In addition, all "attack protection" options have been turned off.

I can see that the UDP traffic from my SIP provider is hitting the firewall and getting dropped, as it pops up in packet captures run on the WAN1 interface.  When the ISA550w is displaying this behaviour, the traffic is not forwarded to the VOIP switch.

The only "fix," such as it is, for this product is to reset the configuration to factory defaults and then restore the set config from XML backup.

In addition, occasionally the SSL VPN for our remote phones dies, producing timeouts on connect.  The box again needs to be reset -- albeit without uploading the config -- to fix this.

Whatever it is, it's a bug, the type of which does not present itself on "real" IOS devices.  Once those are configured properly, they stay configured properly.

If anyone can recommend a "real" IOS box with the same feature set as this piece of junk, I would appreciate it.  I'd also happily buy a firewall product from any competitor so long as it presents a compatible SSL VPN server capable of being accessed by the SPA525G2 phone.

