[c-nsp] Really strange SIP (I think issue) on an ASR 1001X

[Scott Granados]

Hi, this is a really strange problem for me and I’m hoping some others might have a clue because I’m a bit confused. It’s also long and involved so anyone busy or not interested stop here.

I have an IPVPN service from a carrier delivered presently over a pair of 2921 managed routers that carries voice traffic.  I want to increase it’s capacity so the carrier is working with me to migrate these circuits on to a pair of ASR 1001X routers I have at the edge.  Presently these managed devices connect to some firewalls that filter and route statically the traffic to SIP controllers.  Nothing to complicated.  The number of routes in the table is in the tens so very small.  BGP is used to distribute routs in to the table from the carrier and to announce my networks.  Not a lot of prefix filtering it seems since it’s a closed environment.  My firewalls attach to the ASR pair in question in another zone but changes are made to update the static routing and security rules.
	Using their managed routers I’m able to complete calls from the PSTN with no issue, failover works as expected and the product works great.  Once I migrate the traffic to my routers my BGP establishes rapidly, routes look logical on both sides confirmed by the carrier, I confirm end to end connectivity with the SBC from the carriers sourced interface from with in the netblock  I receive service from by having pings in both directions sent and confirmed responses end to end.
	The local numbers inbound work fine.  calls complete, IVR answers and things proceed as they should.  There’s one netblock  that contains toll FREE signaling and media.  Calls to the toll free inbound from the carrier show an invite sent and no response, we confirmed this as best as possible with simple ACLs and filters on the other Vendor’s IP elements and we think we basically see one way signaling.
	The interesting bit is I don’t see the ACL in my ASR increment for matches on tcp or UDP 5060 and I don’t log any attempts at all at the firewall level.  This is just one route mind you, others seem to work although the carrier does report that some fail and some work so some net blocks are skipped over and others complete.  Obviously I only see matches when things complete which is making it hard to nail down.  I confirm ping, most other protocols are blocked to the carrier  but it seems we have end to end just no SIP signaling in one direction.  On all blocks I can ping it’s just several SIP won’t pass.  
	I don’t see any SIP ALG or any odd SIP settings in the configurations so I’m lost.  Is there something obvious I’m missing?  The link between us is gigabit Fiber  with absolutely no unusual settings.  The carrier gave me copies of their managed router configurations which I actually attempted to copy as closely as possible and that didn’t work.  What am I missing, any pointers would be most appreciated.

Scott

P.S. I’m very hesitant to say who the carrier is as I don’t want to get anyone including myself in trouble but if anyone happens to work for the carrier I’m dealing with and are familiar with this case / reading this on the mailing list thank you.  the carrier has gone way way out of their way to be helpful and provided some very good resources for long duration maintenance windows not to mention really refrained from the blame game and just tried to help solve the problem so well done.  Really makes a tricky problem that much more tolerable and I genuinely appreciate it.