Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

SIP over VPN not working


we have an ASA running 8.2.2 (adsm 6.2.5). VPN connections are working well.

But it's not possible to use a SIP client (phone or software) through an SSL tunnel.

So today I've tried to look in detail on this problem. I installed an ubuntu system,

openconnect and ekiga as softphone. In our network everything is working without

any error. I used an external DSL connection to test everything over the VPN tunnel.

I can ping the SIP server and I can access the https frontend of the the SIP Server.

The client "seem's" to connect as well. I can call the ekiga client, it's ringing and

i can speak and hear everything (most times).

Dialing from the ekiga client ALWAYS fails.

On the ASA there is no policy allowing or denying those connections.

a) How can I trace it on the ASA ?

b) Has anybody seen this behavior ? (only one way communication)

Thanks and bye, Peer

Everyone's tags (4)

SIP over VPN not working

Hello Peer,

you can the capture packet function on the ASA to see & capture traffic coming into the asa and leaving asa.

you can also use the packet-tracer feature to mock a connection and see if its passing the Firewall as expected.

This will provide you with extra insight on how the firewall is treating the traffic ones its received on the internal or external interfaces.

Thank you


Cisco Employee

SIP over VPN not working


In general you do not require Sip inspection enabled on traffic flowing via VPN, as we do not require dynamic pinhole to be opened and not nat is required at layer-7. I would suggest disable SIP inspection for this specific host and then try connecting.

So go ahead and disable inspection for traffic coming via VPN tunnel.

access-list test extended deny ip
access-list test extended deny ip
access-list test extended permit ip any any

(make sure you have permit ip any any) at last to allow rest of the traffic for inspection.

class-map inspection_default
match access-list test


CreatePlease to create content