[c-nsp] ASA 8.3

Jim McBurnett jim at tgasolutions.com
Wed Aug 18 08:54:59 EDT 2010


Could any of these be the issue?
All are fixed in the 8.3.2 release now on CCO...

CSCso65967 
 SIP builds many secondary conns with register msg but no registrar 
CSCtb23281 
 ASA: SIP inspect not opening pinhole for contact header of SIP 183 msg 

CSCte47509 
 Inspect SIP: Segmented SIP message failed version check 
CSCte81368 
 Sip inspection fails to nat embedded media port 
CSCth32416 
 SIP HA stoppage update problem with large SIP sessions 


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of P C
Sent: Tuesday, August 17, 2010 10:49 PM
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 8.3

You may want to ask TAC for the latest Interim or disable SIP inspection if
you don't need it and see if either helps.

It may not help you, but in 8.0.5.x Cisco started mucking around with SIP
inspection; perhaps to fix the security vulnerability.  At one place in our
network it broke some trunking traffic.  At another it coredumped the
firewall every few hours.

While this is 8.0.5.something, the same code has a way of finding
its way into other releases.

As usual an update fixed it.



On Thu, Jul 15, 2010 at 6:00 PM, Antonio Soares <amsoares at netcabo.pt> wrote:

> I was asked about packet tracer output and maybe this is relevant. Packet
> tracer tells me that the packet is allowed but it doesn't
> show the output interface. The output interface is actually interface Ma0/0
> that is used as a regular interface in this scenario. So
> I have this:
>
> Ma0/0 (inside, security-level 65) --- ASA --- G1/2 (outside, security-level 0)
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
> Sent: Thursday, July 15, 2010 17:28
> To: 'Joerg Mayer'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA 8.3
>
> Now I'm confused. Don't know if this is a SIP or NAT issue:
>
> When it works:
>
> %ASA-7-711001: SIP::OPTIONS received from outside:x.x.x.x/5060 to inside:SIPSERVER/5060
>
> When it doesn't work:
>
> %ASA-7-711001: SIP::OPTIONS received from outside:y.y.y.y/5060 to outside:SIPSERVER/5060
>
> x.x.x.x and y.y.y.y are different sources.
>
> For some reason, we see that the SIPSERVER appears in the wrong interface.
> I don't see any explanation to this behavior. I've
> checked and double-checked all the NAT entries and this doesn't make sense.
>
> Any ideas ?
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Antonio Soares [mailto:amsoares at netcabo.pt]
> Sent: Wednesday, July 14, 2010 15:53
> To: 'Joerg Mayer'; 'cisco-nsp at puck.nether.net'
> Subject: RE: [c-nsp] ASA 8.3
>
> I see 5 SIP bugs in that list but they don't seem to match this issue.
>
> The link for those interested:
>
>
> http://www.cisco.com/web/software/280775065/33079/ASA-831-Interim-Release-Notes.html
>
>
> I forgot to mention but the SIP packets being dropped are UDP based. It's
> like a keepalive mechanism between SIP servers. The server
> in the Outside sends "request:options" and the server in the inside is
> supposed to reply with "status: 200 OK".
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> Sent: Wednesday, July 14, 2010 13:15
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA 8.3
>
> On Wed, Jul 14, 2010 at 12:14:01AM +0100, Antonio Soares wrote:
> > I have a customer running 8.3.1 that is facing a very strange issue. Some
> > SIP packets are silently dropped. This seems to be random.
> > The SIP packets are of type "request:options". The source and destination
> > ports are the same: 5060. The outside interface has an ACL
> > permitting this traffic. We also have the default service-policy applied.
> > Anyone has seen something like this ? Any ideas of how to
> > troubleshoot this ?
>
> You may want to take a look at the release notes of the interim 8.3.1.6.
> Some SIP bugs seem to have been fixed between 8.3.1 and 8.3.1.6.
>
> Ciao
>    Joerg
> --
> Joerg Mayer                                           <jmayer at loplof.de>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
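
The symptom reported in this thread (the same SIP server logged behind `inside` for one source and behind `outside` for another) can be searched for across a syslog export. The script below is an added example, not code from any poster in the thread; the sample lines are constructed in the %ASA-7-711001 format quoted above, and the addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input in the format quoted in the thread.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
%ASA-7-711001: SIP::OPTIONS received from outside:198.51.100.10/5060 to inside:SIPSERVER/5060
%ASA-7-711001: SIP::OPTIONS received from outside:203.0.113.20/5060 to outside:SIPSERVER/5060
%ASA-7-711001: SIP::OPTIONS received from outside:198.51.100.10/5060 to inside:SIPSERVER/5060
some unrelated syslog line (constructed) that the parser skips
"""

# ifname:host/port on both sides of "to", as shown in the quoted debug lines.
LINE_RE = re.compile(
    r"%ASA-7-711001: SIP::(?P<method>\w+) received from "
    r"(?P<src_if>[^:\s]+):(?P<src>\S+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>\S+)/(?P<dport>\d+)"
)

def parse(log_text):
    """Yield one dict per SIP debug line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def inconsistent_destinations(log_text):
    """Return {dst: {dst_if: [sources]}} for hosts logged behind more than one interface."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in parse(log_text):
        seen[ev["dst"]][ev["dst_if"]].add(ev["src"])
    return {dst: {ifname: sorted(srcs) for ifname, srcs in ifs.items()}
            for dst, ifs in seen.items() if len(ifs) > 1}

def same_interface_events(log_text):
    """Return events whose ingress and destination interface names are identical."""
    return [ev for ev in parse(log_text) if ev["src_if"] == ev["dst_if"]]

if __name__ == "__main__":
    for dst, ifs in inconsistent_destinations(SAMPLE_LOG).items():
        print(f"{dst} resolved to multiple interfaces: {ifs}")
    for ev in same_interface_events(SAMPLE_LOG):
        print(f"same-interface: {ev['src']} -> {ev['dst']} on {ev['dst_if']}")
```

Grouping the offending sources per interface shows which peers hit the wrong lookup, which is the information needed to compare against the NAT entries for those peers.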