[c-nsp] Really strange SIP (I think issue) on an ASR 1001X

[Brian Turnbow]

Hi,


> Hi, this is a really strange problem for me and I’m hoping some others 
> might
> have a clue because I’m a bit confused. It’s also long and involved so 
> anyone
> busy or not interested stop here.
>
> I have an IPVPN service from a carrier delivered presently over a pair of 
> 2921
> managed routers that carries voice traffic.  I want to increase it’s 
> capacity so
> the carrier is working with me to migrate these circuits on to a pair of 
> ASR
> 1001X routers I have at the edge.  Presently these managed devices connect 
> to
> some firewalls that filter and route statically the traffic to SIP 
> controllers.
> Nothing to complicated.  The number of routes in the table is in the tens 
> so
> very small.  BGP is used to distribute routs in to the table from the 
> carrier and
> to announce my networks.  Not a lot of prefix filtering it seems since it’s 
> a
> closed environment.  My firewalls attach to the ASR pair in question in 
> another
> zone but changes are made to update the static routing and security rules.
> 	Using their managed routers I’m able to complete calls from the PSTN
> with no issue, failover works as expected and the product works great. 
> Once I
> migrate the traffic to my routers my BGP establishes rapidly, routes look 
> logical
> on both sides confirmed by the carrier, I confirm end to end connectivity 
> with
> the SBC from the carriers sourced interface from with in the netblock  I 
> receive
> service from by having pings in both directions sent and confirmed 
> responses
> end to end.
> 	The local numbers inbound work fine.  calls complete, IVR answers and
> things proceed as they should.  There’s one netblock  that contains toll 
> FREE
> signaling and media.  Calls to the toll free inbound from the carrier show 
> an
> invite sent and no response, we confirmed this as best as possible with 
> simple
> ACLs and filters on the other Vendor’s IP elements and we think we 
> basically
> see one way signaling.
> 	The interesting bit is I don’t see the ACL in my ASR increment for
> matches on tcp or UDP 5060 and I don’t log any attempts at all at the 
> firewall
> level.  This is just one route mind you, others seem to work although the 
> carrier
> does report that some fail and some work so some net blocks are skipped 
> over
> and others complete.  Obviously I only see matches when things complete
> which is making it hard to nail down.  I confirm ping, most other 
> protocols are
> blocked to the carrier  but it seems we have end to end just no SIP 
> signaling in
> one direction.  On all blocks I can ping it’s just several SIP won’t pass.
> 	I don’t see any SIP ALG or any odd SIP settings in the configurations so
> I’m lost.  Is there something obvious I’m missing?  The link between us is
> gigabit Fiber  with absolutely no unusual settings.  The carrier gave me 
> copies
> of their managed router configurations which I actually attempted to copy 
> as
> closely as possible and that didn’t work.  What am I missing, any pointers
> would be most appreciated.

I've had similar issues with a carrier here in Italy  and they were related 
to specific source/destination ip pairs and udp traffic.
Changing the ip on our side resolved the issue.
They say it is related to their load balancers, they reset them it works for 
a month and then starts again.
A real pain to troubleshoot and convince them they had a problem...
we used sipsak for testing and sent captures for a week before they figured 
it out.

Brian