SIP Fixup issue - ports being denied

gregwoodson
Level 1

After troubleshooting and looking through logs, I think I found it.  SIP fixup appears to be working but the RTP ports specified in the SIP Invite are not being opened by the ACL.

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11679|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTCP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11679 to outside:<<VENDOR ADDRESS 2>> from INVITE message

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11679|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTCP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11679 to outside:<<VENDOR ADDRESS 2>> from INVITE message

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11678|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11678 to outside:<<VENDOR ADDRESS 2>> from INVITE message

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11678|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11678 to outside:<<VENDOR ADDRESS 2>> from INVITE message

Here is what shows in the INVITE from <<USER ADDRESS 1>> to <<VENDOR ADDRESS 2>>, telling <<VENDOR ADDRESS 2>> what to use for sending RTP:

<SEE IMAGE 1>

The ASA should open port 11678:

Pre-allocate SIP RTP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11678

<<VENDOR ADDRESS 2>> responds back with a 180 Ringing w/SDP and tells <<USER ADDRESS 1>> where to send RTP, which is different from the signaling IP of <<VENDOR ADDRESS 2>>:

<SEE IMAGE 2>

This is sent prior to the RTP being sent that gets blocked by the ACL.  I am not sure if it is opening port 11678 to ONLY <<VENDOR ADDRESS 2>> or what, but it should accept traffic on that port from <<VENDOR ADDRESS 1>> and it is not.  I don’t know why this is happening.

Thanks

Greg
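
A way to check the pattern described in this post across a longer log export, as an added example that is not part of the original post: it pairs each 106023 deny with the 607001 pre-allocations for the same local address and port and reports whether the denied source is the peer named in the pre-allocation. The sample lines, the addresses and the `inside` interface name are constructed; the script only compares what the two message types log and assumes nothing about how the ASA scopes the channel.

```python
import re

# Constructed sample in the ASDM export layout shown in the post. Addresses and
# the "inside" interface name are placeholders, not values from the post.
SAMPLE = """\
4|Mar 29 2012|13:33:45|106023|198.51.100.1|8290|192.0.2.10|11678|Deny udp src outside:198.51.100.1/8290 dst inside:192.0.2.10/11678 by access-group "outside_access_in" [0x0, 0x0]
4|Mar 29 2012|13:33:45|106023|203.0.113.7|5000|192.0.2.10|40000|Deny udp src outside:203.0.113.7/5000 dst inside:192.0.2.10/40000 by access-group "outside_access_in" [0x0, 0x0]
6|Mar 29 2012|13:33:45|607001|192.0.2.10|11679|198.51.100.2||Pre-allocate SIP RTCP secondary channel for inside:192.0.2.10/11679 to outside:198.51.100.2 from INVITE message
6|Mar 29 2012|13:33:45|607001|192.0.2.10|11678|198.51.100.2||Pre-allocate SIP RTP secondary channel for inside:192.0.2.10/11678 to outside:198.51.100.2 from INVITE message
"""

PREALLOC = re.compile(r"Pre-allocate SIP (RTP|RTCP) secondary channel for "
                      r"([^:]+):([^/]+)/(\d+) to ([^:]+):(.+?) from (\w+) message")
DENY = re.compile(r"Deny udp src ([^:]+):([^/]+)/(\d+) dst ([^:]+):([^/]+)/(\d+) "
                  r'by access-group "([^"]+)"')

def correlate(log_text):
    """Check each 106023 deny against the 607001 pre-allocations in the log."""
    pinholes = {}  # (local addr, local port) -> remote peers named in 607001
    denies = []
    # Collect everything first: the viewer may list newest entries on top.
    for line in log_text.splitlines():
        fields = line.split("|", 8)
        if len(fields) < 9:
            continue
        msg_id, text = fields[3], fields[8]
        if msg_id == "607001" and (m := PREALLOC.search(text)):
            pinholes.setdefault((m[3], int(m[4])), set()).add(m[6])
        elif msg_id == "106023" and (m := DENY.search(text)):
            denies.append((m[2], int(m[3]), m[5], int(m[6]), m[7]))
    findings = []
    for src, sport, dst, dport, acl in denies:
        peers = pinholes.get((dst, dport))
        if peers is None:
            verdict = "no-pinhole"        # port never pre-allocated
        elif src in peers:
            verdict = "peer-matches"      # denied despite matching peer
        else:
            verdict = "peer-mismatch"     # media source differs from 607001 peer
        findings.append({"src": f"{src}/{sport}", "dst": f"{dst}/{dport}",
                         "acl": acl, "verdict": verdict,
                         "pinhole_peers": sorted(peers or [])})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```

A `peer-mismatch` verdict corresponds to the situation in the post: the denied packet targets a pre-allocated port, but its source is not the address the 607001 line names.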
