I have an ISA550W Small Business Security Appliance.
It is currently configured to act as a SIP ALG for a UC540 that is behind it.
Port forwarding rules send SIP and RTP traffic to the UC540, whose WAN interface is set up as 192.168.1.4.
My SIP trunk provider does not activate trunks based on registration, but instead by sending a SIP OPTIONS ping to ensure that my switch is responding.
Up until a week ago, inbound SIP / RTP traffic from my provider was sent through to the UC540 without incident.
Last weekend, seemingly at random, the UC540 stopped receiving inbound SIP from my provider. The ISA550W does not appear to be forwarding traffic to it despite correct ACL and port forwarding rules.
Doing a packet capture on the ISA550W WAN interface, I can see that my SIP trunk provider is sending OPTIONS requests as expected; they just aren't being sent through.
If I attempt to pass SIP traffic through to the UC540 from another outside IP, namely by generating fake UDP packets destined to port 5060 (SIP), they show up on the UC540. These packets are not properly-formatted SIP requests, just me sending "test test" as a UDP dump to see if the traffic gets through. If I do a "terminal monitor" and then a "debug ccsip messages" I can see that the UC540 is receiving these.
To me, this demonstrates two propositions: one, that the port forwarding and ACL rules are correct; and two, that the ISA550W is silently filtering SIP traffic for some reason. I proved this out by connecting a laptop to the switch port occupied by the UC540, assigning it the UC540's IP address, and using Wireshark to watch the traffic that was being forwarded to it. I could see SIP traffic forwarded in from my outside address; I cannot see any SIP traffic forwarded from my SIP trunk provider.
Nothing appears in the logs, despite explicitly configuring the ACL rules to log all packets coming from the SIP provider's IPs.
Having banged my head against this inexplicable behaviour for several hours last week, I finally gave up, flashed the ISA550W back to its default config, and configured everything from the ground up again.
The ISA550W passed SIP traffic through to the UC540 correctly up until this morning, when, with no configuration changes made, it stopped again and reverted to silently dropping SIP from my provider.
Topic bump, as the behaviour has begun occurring again.
My ISA550w has once again begun silently filtering inbound SIP UDP OPTIONS messages, which are used by my trunk provider to verify that my VOIP switch is alive and responding.
As stated above, ACL rules explicitly permit the forwarding of this traffic to my VOIP switch, which resides behind the firewall.
From time to time, and apparently for no reason at all, the firewall begins silently dropping this traffic. No hits are recorded in the firewall logs despite the fact that logging of this traffic is turned on.
Previously, disabling all security services appeared to deal with this. In addition, all "attack protection" options have been turned off.
I can see that the UDP traffic from my SIP provider is hitting the firewall and getting dropped, as it pops up in packet captures run on the WAN1 interface. When the ISA550w is displaying this behaviour, the traffic is not forwarded to the VOIP switch.
The only "fix," such as it is, for this product is to reset the configuration to factory defaults and then restore the set config from XML backup.
In addition, occasionally the SSL VPN for our remote phones dies, producing timeouts on connect. The box again needs to be reset -- albeit without uploading the config -- to fix this.
Whatever it is, it's a bug, the type of which does not present itself on "real" IOS devices. Once those are configured properly, they stay configured properly.
If anyone can recommend a "real" IOS box with the same feature set as this piece of junk, I would appreciate it. I'd also happily buy a firewall product from any competitor so long as it presents a compatible SSL VPN server capable of being accessed by the SPA525G2 phone.
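The diagnostic described in both posts (capture on the WAN interface, capture again on the LAN side from a laptop standing in for the UC540, and see which provider OPTIONS requests never make it across) can be scripted. The following is an added example, not code from the original thread or from Cisco: it parses the SIP request line and headers out of UDP payloads, then correlates OPTIONS requests by Call-ID between a WAN-side and a LAN-side packet list and reports the ones that were silently dropped. The packet lists, the provider addresses (203.0.113.x), the outside test host (198.51.100.7) and the public WAN address (192.0.2.1) are constructed placeholders; only the UC540's address 192.168.1.4 and port 5060 come from the thread. The "test test" probe from the first post is included to show that a non-SIP payload is classified as such rather than mistaken for a keepalive.

```python
"""Correlate SIP OPTIONS keepalives seen on a firewall's WAN side with the
LAN side, to find requests the firewall dropped without logging them.
Added example; capture contents below are constructed, not real traffic."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: Dict[str, str]  # header names lower-cased


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_sip_request(payload: bytes) -> Optional[SipRequest]:
    """Return a SipRequest if the payload is a well-formed SIP request
    with a Call-ID header; return None for anything else (e.g. "test test")."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    head = text.split("\r\n\r\n", 1)[0]          # headers only, body ignored
    lines = head.split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0":  # "METHOD URI SIP/2.0"
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "call-id" not in headers:
        return None
    return SipRequest(start[0].upper(), start[1], headers)


def find_dropped_options(wan: Iterable[Packet], lan: Iterable[Packet],
                         provider_ips: Set[str]) -> Dict[str, str]:
    """Map Call-ID -> source IP for OPTIONS requests from provider_ips that
    appear in the WAN capture but have no matching Call-ID in the LAN capture."""
    lan_call_ids = set()
    for p in lan:
        req = parse_sip_request(p.payload)
        if req is not None:
            lan_call_ids.add(req.headers["call-id"])
    dropped: Dict[str, str] = {}
    for p in wan:
        if p.src not in provider_ips or p.dport != 5060:
            continue
        req = parse_sip_request(p.payload)
        if req is None or req.method != "OPTIONS":
            continue
        call_id = req.headers["call-id"]
        if call_id not in lan_call_ids:
            dropped[call_id] = p.src
    return dropped


def build_options(src_host: str, call_id: str, cseq: int = 1) -> bytes:
    """Build a minimal SIP OPTIONS request (constructed sample payload)."""
    return ("OPTIONS sip:192.168.1.4 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_host}:5060;branch=z9hG4bK-{call_id}\r\n"
            f"From: <sip:ping@{src_host}>;tag=t{cseq}\r\n"
            "To: <sip:192.168.1.4>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: {cseq} OPTIONS\r\n"
            "Max-Forwards: 70\r\n"
            "Content-Length: 0\r\n\r\n").encode()


# Constructed sample captures. Provider keepalive "keep-1" is seen on the
# WAN but never on the LAN; "keep-2" and the outside test host's traffic
# are forwarded normally.
PROVIDER_IPS: Set[str] = {"203.0.113.10", "203.0.113.11"}   # placeholder addresses
WAN_CAPTURE: List[Packet] = [
    Packet("203.0.113.10", "192.0.2.1", 5060, build_options("203.0.113.10", "keep-1")),
    Packet("203.0.113.11", "192.0.2.1", 5060, build_options("203.0.113.11", "keep-2")),
    Packet("198.51.100.7", "192.0.2.1", 5060, b"test test"),
    Packet("198.51.100.7", "192.0.2.1", 5060, build_options("198.51.100.7", "probe-1")),
]
LAN_CAPTURE: List[Packet] = [
    Packet("203.0.113.11", "192.168.1.4", 5060, build_options("203.0.113.11", "keep-2")),
    Packet("198.51.100.7", "192.168.1.4", 5060, b"test test"),
    Packet("198.51.100.7", "192.168.1.4", 5060, build_options("198.51.100.7", "probe-1")),
]


def report() -> Dict[str, str]:
    """Run the correlation over the constructed captures."""
    return find_dropped_options(WAN_CAPTURE, LAN_CAPTURE, PROVIDER_IPS)


if __name__ == "__main__":
    for call_id, src in report().items():
        print(f"OPTIONS Call-ID {call_id} from {src}: seen on WAN, never reached the LAN")
```

With real captures, feed the UDP payloads from the WAN1 capture and from the laptop's Wireshark capture into the two lists; matching on Call-ID rather than on source address is what makes the comparison robust when the firewall rewrites addresses as an ALG, and a non-empty result with no corresponding firewall log entry is exactly the silent drop the posts describe.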