<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">nope.  ASA is still blocking access from "lower security interfaces" toward "higher security interfaces". well, unless you've configured it to a rubber stamp for all security. in which case why is it there?<div><br></div><div>work with the firewall TAC team to debug inspection or make the firewall completely passive, I bet your calls will start working.  otherwise, it is well known that the ASA must be upgraded.  just upgrade it.</div><div><br></div><div>/wes<br><div><br><div><div>On Jan 24, 2012, at 2:17 PM, Anthony Kouloglou wrote:</div><br class="Apple-interchange-newline">
  
    <meta content="text/html; charset=ISO-8859-7" http-equiv="Content-Type">
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi all,<br>
    well, i have disabled any kind inspection on the ASA.Isn't that
    enough?<br>
    ASA does NOT NAT. Isn't that enough?<br>
    However, i have to check some corporate linux based vpn endpoints.<br>
    <br>
    Anthony<br>
    <br>
    On 24/1/2012 6:30 μμ, Mike King wrote:
    <blockquote cite="mid:CANtPpk5PoeD4+nxo_14wPEiohwYJQj9h-HsFhwuvjueACf1qHg@mail.gmail.com" type="cite">Yes.
      <div><br>
      </div>
      <div>But not just 8.6. </div>
      <div><br>
      </div>
      <div><a moz-do-not-send="true" href="https://supportforums.cisco.com/docs/DOC-8131">https://supportforums.cisco.com/docs/DOC-8131</a> </div>
      <div><br>
      </div>
      <div>(Hey Wes, can you fix the link on that to remove the partner
        only link (
        <span style="color:rgb(51,51,51);font-family:Arial,verdana,sans-serif;font-size:12px;text-align:left;background-color:rgb(255,255,255)"> </span><a moz-do-not-send="true" class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/rel_notes/7_0_1/cucm-rel_notes-701.html#wp584451" style="background-image:initial;background-color:rgb(255,255,255);border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;border-collapse:collapse;font-size:12px;list-style-type:none;list-style-position:initial;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;outline-width:initial;outline-style:none;outline-color:initial;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;color:rgb(47,102,129);text-decoration:none;font-family:Arial,verdana,sans-serif;text-align:left">SCCPv17
          significantly changes message formats from previous versions</a> )</div>
      <div><br>
      </div>
      <div>It's when you upgraded the firmware on the Phones.</div>
      <div><br>
      </div>
      <div>The SCCP protocol has version numbers.  I'm finding
        references all the way up to SCCP version 20 (in 8.5.1).</div>
      <div>
        <br>
      </div>
      <div>Looks like ASA version 8.3 only supports up to version 19.</div>
      <div><br>
      </div>
      <div>ASA version 8.4 supports SCCP v2.0  (Don't know what that
        means)</div>
      <div><br>
      </div>
      <div>Mike</div>
      <div><br>
        <div class="gmail_quote">
          2012/1/24 Anthony Kouloglou <span dir="ltr"><<a moz-do-not-send="true" href="mailto:akoul@dataways.gr">akoul@dataways.gr</a>></span><br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hi Mike,<br>
              i have completely disabled inspection on an ASA that i
              have that does only routing.<br>
              The question is: has something changed in SCCP negotiation
              in CUCM 8.6?<br>
              The whole setup has been working for 3 years!!<span class="HOEnZb"><font color="#888888"><br>
                  <br>
                  Anthony</font></span>
              <div>
                <div class="h5"><br>
                  <br>
                  On 24-Jan-12 16:34, Mike King wrote:
                  <blockquote type="cite">Having been bitten by this,
                    Check for this.
                    <div><br>
                    </div>
                    <div>Specifically, do you have ASA's doing site to
                      site VPN's?  By default they do INSPECTION, which
                      can drop SCCP packets they don't recoginize.</div>
                    <div> <br>
                    </div>
                    <div>Mike<br>
                      <br>
                      <div class="gmail_quote">2012/1/23 Dennis Heim <span dir="ltr"><<a moz-do-not-send="true" href="mailto:Dennis.Heim@cdw.com" target="_blank">Dennis.Heim@cdw.com</a>></span><br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div style="WORD-WRAP:break-word">
                            <div style="direction:ltr;font-size:10pt;font-family:Tahoma"><p>This may have already been mentioned
                                but building on what Ryan said...
                                probably between 6.1(2) and 8.6.x you
                                had a firmware change, probably from
                                around 8.4ish to 9.x. The sccp version
                                changes, and it sounds like you might
                                have some firewall/security device in
                                the way that is not opening the ports
                                because it is used to the older version
                                of skinny.</p><div> <br class="webkit-block-placeholder"></div><p>-Dennis-</p>
                              <div style="font-size:16px;font-family:Times
                                New Roman">
                                <hr>
                                <div style="DIRECTION:ltr"><font color="#000000" face="Tahoma"><b>From:</b>
                                    <a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
                                    [<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
                                    on behalf of Ryan Ratliff [<a moz-do-not-send="true" href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>]<br>
                                    <b>Sent:</b> Monday, January 23,
                                    2012 2:05 PM<br>
                                    <b>To:</b> Anthony Kouloglou<br>
                                    <b>Cc:</b> Mike; <a moz-do-not-send="true" href="mailto:cisco-voip@puck-nether.net" target="_blank">cisco-voip@puck-nether.net</a>
                                    <div>
                                      <div><br>
                                        <b>Subject:</b> Re: [cisco-voip]
                                        After upgrade to 8.6.2a one way
                                        audio for some calls-No codec
                                        selected!<br>
                                      </div>
                                    </div>
                                  </font><br>
                                </div>
                                <div>
                                  <div>
                                    <div>If the phone don't show a codec
                                      when the call is set up then this
                                      isn't a typical routing issue.
                                       The most obvious reason for the
                                      phone not sending audio is it
                                      isn't getting the skinny
                                      StartMediaTransmission message
                                      from CUCM.  
                                      <div>Have you looked at ccm traces
                                        for one of these calls?   When
                                        you do look at the messages
                                        going to and from the phones in
                                        the call. Compare/contrast what
                                        you see there to a working call
                                        and call out what's different.</div>
                                      <div><br>
                                      </div>
                                      <div>You can get a packet capture
                                        at the phone as well to see what
                                        it is being told to send to from
                                        CUCM.   I'd also double check
                                        there's nothing in the network
                                        doing sccp inspection.   You can
                                        get a simultaneous packet
                                        capture at the phone and cucm to
                                        make sure every packet leaving
                                        the server gets to the phone
                                        (intact).</div>
                                      <div><br>
                                        <div><span style="border-collapse:separate;text-indent:0px;letter-spacing:normal;text-transform:none;font:medium
Helvetica;white-space:normal;word-spacing:0px">
                                            <div>-Ryan</div>
                                          </span></div>
                                        <br>
                                        <div>
                                          <div>On Jan 23, 2012, at 1:48
                                            PM, Anthony Kouloglou wrote:</div>
                                          <br>
                                          <div bgcolor="#FFFFFF">There
                                            is no way that this is the
                                            problem.<br>
                                            In one remote site i had
                                            only one 7911 working fine
                                            with CUCM 6.1.2.<br>
                                            After the upgrade to 8.6.2a,
                                            even this old phone is
                                            having the same issue!<br>
                                            I keep having on the phone
                                            status: failed to update itl
                                            .<br>
                                            <br>
                                            On 23/1/2012 8:09 μμ, Peter
                                            Slow wrote:
                                            <blockquote type="cite">I
                                              think what MIke meant was
                                              "Check the routing path
                                              between the two phones."<br>
                                              <br>
                                              -Peter<br>
                                              <br>
                                              <br>
                                              <div class="gmail_quote">On
                                                Mon, Jan 23, 2012 at
                                                12:41 PM, Mike <span dir="ltr"><<a moz-do-not-send="true" href="mailto:mikeeo@msn.com" target="_blank">mikeeo@msn.com</a>></span>
                                                wrote:<br>
                                                <blockquote class="gmail_quote" style="PADDING-LEFT:1ex;MARGIN:0px
                                                  0px 0px
                                                  0.8ex;BORDER-LEFT:#ccc
                                                  1px solid">
                                                  <div bgcolor="white" lang="EN-US">
                                                    <div><p class="MsoNormal"><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'">Your

                                                          key statement
                                                          is this:</span></p>
                                                      <div>
                                                        <div><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span><br>
                                                           </div><p class="MsoNormal">Then,
                                                          we moved it to
                                                          another
                                                          subnet.<br>
                                                          It got
                                                          registered but
                                                          not audio in
                                                          one way!</p>
                                                        <div><br>
                                                           </div>
                                                      </div><p class="MsoNormal">Check
                                                        your routing
                                                        path to the CM.<span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span></p>
                                                      <div><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span><br>
                                                         </div>
                                                      <div>
                                                        <div style="BORDER-RIGHT:medium
                                                          none;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
                                                          1pt
                                                          solid;PADDING-LEFT:0in;PADDING-BOTTOM:0in;BORDER-LEFT:medium
                                                          none;PADDING-TOP:3pt;BORDER-BOTTOM:medium
                                                          none"><p class="MsoNormal"><b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">From:</span></b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">
                                                          <a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
                                                          [mailto:<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
                                                          <b>On Behalf
                                                          Of </b>Anthony

                                                          Kouloglou<br>
                                                          <b>Sent:</b>
                                                          Monday,
                                                          January 23,
                                                          2012 10:15 AM<br>
                                                          <b>To:</b>
                                                          Nate VanMaren<br>
                                                          <b>Cc:</b> <a moz-do-not-send="true" href="mailto:cisco-voip@puck-nether.net" target="_blank">cisco-voip@puck-nether.net</a><br>
                                                          <b>Subject:</b>
                                                          Re:
                                                          [cisco-voip]
                                                          After upgrade
                                                          to 8.6.2a one
                                                          way audio for
                                                          some calls-No
                                                          codec
                                                          selected!</span></p>
                                                        </div>
                                                      </div>
                                                      <div>
                                                        <div>
                                                          <div><br>
                                                           </div><p class="MsoNormal">Yes!<br>
                                                          Everything
                                                          seems to be as
                                                          it supposed to
                                                          be!<br>
                                                          One Phone got
                                                          registered at
                                                          the main site.
                                                          Worked fine.<br>
                                                          Then, we moved
                                                          it to another
                                                          subnet.<br>
                                                          It got
                                                          registered but
                                                          not audio in
                                                          one way!<br>
                                                          <br>
                                                          Can't this
                                                          ITL/CTL
                                                          feature/bug be
                                                          disabled?<br>
                                                          <br>
                                                          On 20-Jan-12
                                                          17:26, Nate
                                                          VanMaren
                                                          wrote: </p><p class="MsoNormal"><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'">Are

                                                          your phones
                                                          running
                                                          firmware you
                                                          expect them to
                                                          be?</span></p>
                                                          <div><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span><br>
                                                           </div>
                                                          <div>
                                                          <div style="BORDER-RIGHT:medium
                                                          none;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
                                                          1pt
                                                          solid;PADDING-LEFT:0in;PADDING-BOTTOM:0in;BORDER-LEFT:medium
                                                          none;PADDING-TOP:3pt;BORDER-BOTTOM:medium
                                                          none"><p class="MsoNormal"><b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">From:</span></b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">
                                                          <a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
                                                          [<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
                                                          <b>On Behalf
                                                          Of </b>Anthony

                                                          Kouloglou<br>
                                                          <b>Sent:</b>
                                                          Friday,
                                                          January 20,
                                                          2012 1:33 AM<br>
                                                          <b>To:</b> <a moz-do-not-send="true" href="mailto:cisco-voip@puck-nether.net" target="_blank">cisco-voip@puck-nether.net</a><br>
                                                          <b>Subject:</b>
                                                          [cisco-voip]
                                                          After upgrade
                                                          to 8.6.2a one
                                                          way audio for
                                                          some calls-No
                                                          codec
                                                          selected!</span></p>
                                                          </div>
                                                          </div>
                                                          <div><br>
                                                           </div><p class="MsoNormal">Hi
                                                          all,<br>
                                                          here is a
                                                          tough one! <br>
                                                          I recently
                                                          upgraded my
                                                          6.1 cluster to
                                                          8.6.2a.<br>
                                                          Since my
                                                          Hardware was
                                                          7825H3
                                                          typically it
                                                          was not an
                                                          upgrade rather
                                                          than a fresh
                                                          install using
                                                          a usb drive
                                                          (cisco has
                                                          this procedure
                                                          for these type
                                                          of servers)<br>
                                                          The upgrade
                                                          was smooth for
                                                          pub and one
                                                          sub.<br>
                                                          All phones
                                                          reregistered
                                                          and upgraded.<br>
                                                          In the main
                                                          site there are
                                                          20 devices
                                                          (7975, 7961,
                                                          7911) and at 2
                                                          remote sites 2
                                                          devices (one
                                                          at each site).<br>
                                                          After the
                                                          upgrade:<br>
                                                          all phones in
                                                          the main site
                                                          can talk to
                                                          each other.<br>
                                                          The two remote
                                                          phones can
                                                          talk to each
                                                          other.<br>
                                                          Each of the
                                                          remote phones
                                                          when talking
                                                          to main site
                                                          have one way
                                                          audio!<br>
                                                          The remote
                                                          site does not
                                                          hear the main
                                                          site always.<br>
                                                          There is no
                                                          firewall/NAT 
                                                          between the
                                                          sites.<br>
                                                          I noticed that
                                                          there is no
                                                          codec selected
                                                          for the audio
                                                          stream that
                                                          has the
                                                          problems and
                                                          so no transmit
                                                          (or received
                                                          packets for
                                                          the other).<br>
                                                          And i explain:
                                                          in an active
                                                          call between
                                                          the main site
                                                          and a remote i
                                                          checked the
                                                          send/received
                                                          codecs and
                                                          statistics.<br>
                                                          the main site
                                                          had g711 as
                                                          received codec
                                                          and of course
                                                          the received
                                                          packets
                                                          augmented<br>
                                                          but there was
                                                          none as send
                                                          codec and of
                                                          course no
                                                          packets
                                                          transmited.<br>
                                                          In the remote
                                                          site the
                                                          findings were
                                                          inversed (no
                                                          receive codec
                                                          and no receive
                                                          packets<br>
                                                          <br>
                                                          lease advise<br>
                                                          <br>
                                                          BR<br>
                                                          Anthony</p>
                                                          <div><p class="MsoNormal"><span style="FONT-SIZE:10pt;FONT-FAMILY:'Calibri','sans-serif'"><br>
                                                          <br>
                                                          <br>
                                                          <br>
                                                          </span></p>
                                                          </div>
                                                          <div><p class="MsoNormal"><span style="COLOR:#666666"><br>
                                                          <br>
                                                          NOTICE: This
                                                          email message
                                                          is for the
                                                          sole use of
                                                          the intended
                                                          recipient(s)
                                                          and may
                                                          contain
                                                          confidential
                                                          and privileged
                                                          information.
                                                          Any
                                                          unauthorized
                                                          review, use,
                                                          disclosure or
                                                          distribution
                                                          is prohibited.
                                                          If you are not
                                                          the intended
                                                          recipient,
                                                          please contact
                                                          the sender by
                                                          reply email
                                                          and destroy
                                                          all copies of
                                                          the original
                                                          message.</span></p>
                                                          <div><br>
                                                           </div>
                                                          </div>
                                                        </div>
                                                      </div>
                                                    </div>
                                                  </div>
                                                  <br>
_______________________________________________<br>
                                                  cisco-voip mailing
                                                  list<br>
                                                  <a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
                                                  <a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
                                                  <br>
                                                </blockquote>
                                              </div>
                                              <br>
                                            </blockquote>
                                            <br>
                                          </div>
_______________________________________________<br>
                                          cisco-voip mailing list<br>
                                          <a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
                                          <a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                          <br>
_______________________________________________<br>
                          cisco-voip mailing list<br>
                          <a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
                          <a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

</div><br></div></div></body></html>