
SIP Fixup issue - ports being denied

After troubleshooting and looking through logs, I think I found it.  SIP fixup appears to be working but the RTP ports specified in the SIP Invite are not being opened by the ACL.

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

4|Mar 29 2012|13:33:45|106023|<<VENDOR ADDRESS 1>>|8290|<<USER ADDRESS 1>>|11678|Deny udp src outside:<<VENDOR ADDRESS 1>>/8290 dst <<VOICE SW>>:<<USER ADDRESS 1>>/11678 by access-group "outside_access_in" [0x0, 0x0]

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11679|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTCP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11679 to outside:<<VENDOR ADDRESS 2>> from INVITE message

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11679|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTCP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11679 to outside:<<VENDOR ADDRESS 2>> from INVITE message

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11678|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11678 to outside:<<VENDOR ADDRESS 2>> from INVITE message

6|Mar 29 2012|13:33:45|607001|<<USER ADDRESS 1>>|11678|<<VENDOR ADDRESS 2>>||Pre-allocate SIP RTP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11678 to outside:<<VENDOR ADDRESS 2>> from INVITE message

Here is what shows in the INVITE from <<USER ADDRESS 1>> to <<VENDOR ADDRESS 2>> telling <<VENDOR ADDRESS 2>> what to use for sending RTP

<SEE IMAGE 1>

The ASA should open port 11678

Pre-allocate SIP RTP secondary channel for <<VOICE SW>>:<<USER ADDRESS 1>>/11678

<<VENDOR ADDRESS 2>> responds back with a 180 Ringing w/SDP and tells <<USER ADDRESS 1>> where to send RTP to, which is different from the signaling IP of <<VENDOR ADDRESS 2>>.

<SEE IMAGE 2>

This is sent prior to RTP being sent that gets blocked by the ACL. I am not sure if it is opening port 11678 to ONLY <<VENDOR ADDRESS 2>> or what, but it should accept traffic on that port from <<VENDOR ADDRESS 1>> and it is not. I don't know why this is happening.

Thanks

Greg
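
One way to test the question raised in the post from the logs alone, as an added example that is not part of the original post: pair each 106023 deny with a 607001 pre-allocation on the same local IP/port and report whether the denied source is the peer the pinhole was opened to. The field layout is taken from the log lines above; the addresses, the interface name `voice`, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the pipe-delimited layout of the log lines in the post.
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
4|Mar 29 2012|13:33:45|106023|203.0.113.9|8290|10.0.0.5|11678|Deny udp src outside:203.0.113.9/8290 dst voice:10.0.0.5/11678 by access-group "outside_access_in" [0x0, 0x0]
4|Mar 29 2012|13:33:45|106023|203.0.113.9|8290|10.0.0.5|11678|Deny udp src outside:203.0.113.9/8290 dst voice:10.0.0.5/11678 by access-group "outside_access_in" [0x0, 0x0]
4|Mar 29 2012|13:33:45|106023|203.0.113.77|5060|10.0.0.8|5060|Deny udp src outside:203.0.113.77/5060 dst voice:10.0.0.8/5060 by access-group "outside_access_in" [0x0, 0x0]
6|Mar 29 2012|13:33:45|607001|10.0.0.5|11679|198.51.100.20||Pre-allocate SIP RTCP secondary channel for voice:10.0.0.5/11679 to outside:198.51.100.20 from INVITE message
6|Mar 29 2012|13:33:45|607001|10.0.0.5|11678|198.51.100.20||Pre-allocate SIP RTP secondary channel for voice:10.0.0.5/11678 to outside:198.51.100.20 from INVITE message
"""

PREALLOC = re.compile(r"Pre-allocate SIP (RTP|RTCP) secondary channel for "
                      r".+?:(.+?)/(\d+) to .+?:(.+?) from \w+ message")
DENY = re.compile(r"Deny udp src .+?:(.+?)/\d+ dst .+?:(.+?)/(\d+) by access-group")


def messages(log_text, msg_id):
    """Yield the free-text field of every line carrying the given syslog ID."""
    for line in log_text.splitlines():
        fields = line.split("|", 8)
        if len(fields) == 9 and fields[3] == msg_id:
            yield fields[8]


def correlate(log_text):
    """Match 106023 denies against 607001 pinholes on the same local IP/port."""
    # Pass 1: collect pinholes first, since the post lists denies above them.
    pinholes = {}
    for msg in messages(log_text, "607001"):
        if m := PREALLOC.search(msg):
            channel, ip, port, peer = m.groups()
            pinholes[(ip, port)] = (channel, peer)
    # Pass 2: count denied packets whose destination is a pre-allocated pinhole.
    hits = Counter()
    for msg in messages(log_text, "106023"):
        if (m := DENY.search(msg)) and (m.group(2), m.group(3)) in pinholes:
            hits[m.groups()] += 1
    return [{"channel": pinholes[(ip, port)][0], "local": f"{ip}/{port}",
             "pinhole_peer": pinholes[(ip, port)][1], "denied_src": src,
             "peer_mismatch": src != pinholes[(ip, port)][1], "packets": n}
            for (src, ip, port), n in hits.items()]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A finding with `peer_mismatch` set means the denied packets came from an address other than the one named in the pre-allocation message for that port, which is the situation the post describes.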
