New Member

VPN Problem

Hi Experts

I'm facing problems on my ASA 5520: some remote offices' IP phones go into reconfiguring from time to time, randomly, in spite of the fact that I can ping and telnet the remote router. Also, from time to time some remote offices become unreachable (not pingable) in spite of the VPN tunnel being up on both sides (ASA and remote router), so I need your help on whether the inspection commands on the ASA have any effect on these problems.

The inspection configuration is:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

Thanks for the help in advance.

Reyad

3 REPLIES
Cisco Employee

Re: VPN Problem

Reyad,

Out of curiosity, how did you conclude the problem is on the ASA and with inspection commands?

What do you call a tunnel up: both IKE and IPsec are up and encaps/decaps increasing?

What protocol are you using for your IP phones? How are they connecting? Phone proxy? IPsec VPN?

It's clear that the problem is not yet well rounded up, I'd suggest to:

- gather logs on informational level

- spot any possible correlation between connectivity/reregistration events.

- attach show tech of the ASA.

Maybe the registration problem is related to SIP or skinny connection timing out?

Marcin

New Member

Re: VPN Problem

Dear Marcin

Thank you for your reply.

I conclude the problem is in the ASA inspection because I have another ASA; its configured inspections differ from this one and we didn't face any problem related to IP phones reconfiguring.

The tunnel is up, IKE and IPsec are up, and yes, the encap/decap increased.

Cisco Employee

Re: VPN Problem

Reyad,

And other questions? It's not clear to me how you connect your phones and what protocol they are using... not clear to me how often this happens for a particular phone.

ciscoasa# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

Maybe you could try to increase some of the values to see if that will help...

Are you positive you need skinny or SIP DPI there?

Marcin
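
Added example (not part of the thread and not Cisco code): one way to do the correlation suggested above is to read the `timeout` values from the posted output and list signaling connections the ASA tore down for idling, so the timestamps can be compared with phone re-registration times. The syslog lines and addresses are constructed samples in the %ASA-6-302014 teardown format, and ports 2000 (skinny) and 5060 (SIP) are assumed defaults.

```python
import re

# Timeout lines as posted in the thread (subset).
SHOW_RUN_TIMEOUT = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
"""

# Constructed sample syslog lines (informational level, TCP teardown).
SAMPLE_LOGS = """\
Jan 10 09:00:01 asa %ASA-6-302014: Teardown TCP connection 101 for outside:192.0.2.10/51000 to inside:10.0.0.5/2000 duration 1:00:07 bytes 5120 Conn-timeout
Jan 10 09:05:12 asa %ASA-6-302014: Teardown TCP connection 102 for outside:192.0.2.11/51001 to inside:10.0.0.5/2000 duration 0:12:30 bytes 88211 TCP FINs
Jan 10 09:30:44 asa %ASA-6-302014: Teardown TCP connection 103 for outside:192.0.2.10/51002 to inside:10.0.0.6/5060 duration 1:02:00 bytes 900 Conn-timeout
Jan 10 09:31:00 asa %ASA-6-302014: Teardown TCP connection 104 for outside:192.0.2.12/40000 to inside:10.0.0.9/80 duration 1:00:00 bytes 10 Conn-timeout
"""

SIGNALING_PORTS = {2000: "skinny", 5060: "sip"}  # assumed default ports

def hms(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def parse_timeouts(text):
    """Map timer name -> seconds; keywords without a value ('absolute') are skipped."""
    pairs = re.findall(r"([a-z][\w-]*) (\d+):(\d\d):(\d\d)", text)
    return {name: hms(h, m, s) for name, h, m, s in pairs}

TEARDOWN = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:]+) .*%ASA-6-302014: Teardown TCP connection \d+ "
    r"for \S+?:(?P<src>[\d.]+)/\d+ to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes \d+ (?P<reason>.+)$")

def idle_signaling_teardowns(logs, timeouts):
    """Return (time, source IP, protocol, duration s) for idle-timed-out signaling."""
    events = []
    for line in logs.splitlines():
        m = TEARDOWN.match(line)
        if not m or int(m["dport"]) not in SIGNALING_PORTS:
            continue
        dur = hms(m["h"], m["m"], m["s"])
        # An idle teardown cannot be shorter than the configured 'conn' timer.
        if m["reason"].startswith("Conn-timeout") and dur >= timeouts["conn"]:
            events.append((m["ts"], m["src"], SIGNALING_PORTS[int(m["dport"])], dur))
    return events

if __name__ == "__main__":
    for event in idle_signaling_teardowns(SAMPLE_LOGS, parse_timeouts(SHOW_RUN_TIMEOUT)):
        print(event)
```
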
