[c-nsp] ASA 8.3

Antonio Soares amsoares at netcabo.pt
Thu Jul 15 20:00:46 EDT 2010


I was asked about packet tracer output and maybe this is relevant. Packet tracer tells me that the packet is allowed but it doesn't
show the output interface. The output interface is actually interface Ma0/0 that is used as a regular interface in this scenario. So
i have this:

Ma0/0 (inside, security-level 65) --- ASA --- G1/2 (outside, security-level 0)


Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: quinta-feira, 15 de Julho de 2010 17:28
To: 'Joerg Mayer'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 8.3

Now i'm confused. Don't know if this is a SIP or NAT issue:

When it works:

%ASA-7-711001: SIP::OPTIONS received from outside:x.x.x.x/5060 to inside:SIPSERVER/5060

When it doesn't work:

%ASA-7-711001: SIP::OPTIONS received from outside:y.y.y.y/5060 to outside:SIPSERVER/5060

x.x.x.x and y.y.y.y are different sources.

For some reason, we see that the SIPSERVER appears in the wrong interface. I don't see any explanation to this behavior. I've
checked and double-checked all the NAT entries and this doesn't make sense.

Any ideas ?


Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt] 
Sent: quarta-feira, 14 de Julho de 2010 15:53
To: 'Joerg Mayer'; 'cisco-nsp at puck.nether.net'
Subject: RE: [c-nsp] ASA 8.3

I see 5 SIP bugs in that list but they don't seem to match this issue.

The link for those interested:

http://www.cisco.com/web/software/280775065/33079/ASA-831-Interim-Release-Notes.html


I forgot to mention but the SIP packets being dropped are UDP based. It's like a keepalive mechanism between SIP servers. The server
in the Outside sends "request:options" and the server in the inside is supposed to reply with "status: 200 OK". 


Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
Sent: quarta-feira, 14 de Julho de 2010 13:15
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 8.3

On Wed, Jul 14, 2010 at 12:14:01AM +0100, Antonio Soares wrote:
> I have a customer running 8.3.1 that is facing a very strange issue. Some SIP packets are silenty dropped. This seems to be
random.
> The SIP packets are of type "request:options". The source and destination ports are the same: 5060. The outside interface has an
ACL
> permitting this traffic. We also have the default service-policy applied. Anyone has seen something like this ? Any ideas of how
to
> troubleshoot this ?

You way want to take a look at the release notes of the interim 8.3.1.6.
Some SIP bugs seem to have been fixed between 8.3.1 and 8.3.1.6.

Ciao
    Joerg
-- 
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list