We have a pair of ASA 5520s and are running IPsec L2L VPN tunnels to 851 routers that have Cisco 7940/7960 phones connected to them. Frequently the phones will lose registration with the CMs or reboot. Currently the fixup skinny protocol inspection is enabled for port 2000 on the ASAs.
Yes, I opened a TAC case about this last year, and the engineer and I found via packet captures that there was a bug that caused the skinny packet inspection to send packets out of order. Cisco implemented a bug fix in newer code. We have since upgraded to 7.2.3 and that solved our problem.
Interesting...so even with routing the traffic via the VPN the skinny packet inspection was an issue? I'm running 7.2.2 on the remote ASA and 12.4.11XJ on my CME router, so you might have hit the nail on the head.
I also realized last night that my IPsec lifetime values were mismatched (defaults differ between ASA and router) and that one end was forcing a rekey every 60 min, so I adjusted them to match.
We'll see how it runs and use your fix as the next runner up. Big thanks for the reply.
Yes, we had specific problems with VPN skinny traffic that terminated on the ASA hub firewall. I believe the skinny inspection bug was fixed after 7.2.2(8), but that was months ago. Also, your timer mismatches can be an issue, as your tunnels may drop during rekeying, causing the phone to drop RTP streams and re-register.
I found with our problem that I was able to repeat the problem by having the remote phone set up a conference call. The moment the second call arrived at the phone, it reset, and it was a repeatable problem.
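The IPsec lifetime mismatch mentioned in the thread can be checked offline from the two saved configurations. This is an added example, not code from any of the posters or from Cisco. It assumes one tunnel per config, platform defaults of 28800 seconds on the ASA and 3600 seconds on IOS when no lifetime line is present, and constructed sample configs with documentation-range addresses.

```python
import re

# Assumed platform defaults (seconds) when no lifetime is configured.
DEFAULT_SECONDS = {"asa": 28800, "ios": 3600}

# Global setting, same syntax on both platforms.
GLOBAL_RE = re.compile(
    r"^crypto ipsec security-association lifetime seconds (\d+)", re.M)
# Per-entry override. ASA puts it on one line with the crypto map name and
# sequence number; IOS indents it under the crypto map entry.
MAP_RE = re.compile(
    r"^(?:crypto map \S+ \d+)?\s*set security-association lifetime seconds (\d+)",
    re.M)

def effective_lifetime(config, platform):
    """Return (seconds, source): crypto map override, else global, else default."""
    for regex, source in ((MAP_RE, "crypto map"), (GLOBAL_RE, "global")):
        match = regex.search(config)
        if match:
            return int(match.group(1)), source
    return DEFAULT_SECONDS[platform], "platform default"

def compare(asa_config, ios_config):
    """Compare the IPsec SA lifetime each end of the tunnel will propose."""
    asa, asa_src = effective_lifetime(asa_config, "asa")
    ios, ios_src = effective_lifetime(ios_config, "ios")
    return {"asa": asa, "asa_source": asa_src, "ios": ios, "ios_source": ios_src,
            "match": asa == ios, "shorter": min(asa, ios)}

# Constructed sample configs: neither end sets a lifetime, so defaults apply.
ASA_BEFORE = """crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 192.0.2.10
"""
IOS_BEFORE = """crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 110
"""
# Constructed "after" config: the router is given an explicit global value.
IOS_AFTER = "crypto ipsec security-association lifetime seconds 28800\n" + IOS_BEFORE

if __name__ == "__main__":
    for label, ios_cfg in (("before", IOS_BEFORE), ("after", IOS_AFTER)):
        print(label, compare(ASA_BEFORE, ios_cfg))
```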