<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">nope. ASA is still blocking access from "lower security interfaces" toward "higher security interfaces". well, unless you've configured it to a rubber stamp for all security. in which case why is it there?<div><br></div><div>work with the firewall TAC team to debug inspection or make the firewall completely passive, I bet your calls will start working. otherwise, it is well known that the ASA must be upgraded. just upgrade it.</div><div><br></div><div>/wes<br><div><br><div><div>On Jan 24, 2012, at 2:17 PM, Anthony Kouloglou wrote:</div><br class="Apple-interchange-newline">
<meta content="text/html; charset=ISO-8859-7" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
Hi all,<br>
well, i have disabled any kind inspection on the ASA.Isn't that
enough?<br>
ASA does NOT NAT. Isn't that enough?<br>
However, i have to check some corporate linux based vpn endpoints.<br>
<br>
Anthony<br>
<br>
On 24/1/2012 6:30 μμ, Mike King wrote:
<blockquote cite="mid:CANtPpk5PoeD4+nxo_14wPEiohwYJQj9h-HsFhwuvjueACf1qHg@mail.gmail.com" type="cite">Yes.
<div><br>
</div>
<div>But not just 8.6. </div>
<div><br>
</div>
<div><a moz-do-not-send="true" href="https://supportforums.cisco.com/docs/DOC-8131">https://supportforums.cisco.com/docs/DOC-8131</a> </div>
<div><br>
</div>
<div>(Hey Wes, can you fix the link on that to remove the partner
only link (
<span style="color:rgb(51,51,51);font-family:Arial,verdana,sans-serif;font-size:12px;text-align:left;background-color:rgb(255,255,255)"> </span><a moz-do-not-send="true" class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/rel_notes/7_0_1/cucm-rel_notes-701.html#wp584451" style="background-image:initial;background-color:rgb(255,255,255);border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;border-collapse:collapse;font-size:12px;list-style-type:none;list-style-position:initial;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;outline-width:initial;outline-style:none;outline-color:initial;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;color:rgb(47,102,129);text-decoration:none;font-family:Arial,verdana,sans-serif;text-align:left">SCCPv17
significantly changes message formats from previous versions</a> )</div>
<div><br>
</div>
<div>It's when you upgraded the firmware on the Phones.</div>
<div><br>
</div>
<div>The SCCP protocol has version numbers. I'm finding
references all the way up to SCCP version 20 (in 8.5.1).</div>
<div>
<br>
</div>
<div>Looks like ASA version 8.3 only supports up to version 19.</div>
<div><br>
</div>
<div>ASA version 8.4 supports SCCP v2.0 (Don't know what that
means)</div>
<div><br>
</div>
<div>Mike</div>
<div><br>
<div class="gmail_quote">
2012/1/24 Anthony Kouloglou <span dir="ltr"><<a moz-do-not-send="true" href="mailto:akoul@dataways.gr">akoul@dataways.gr</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Mike,<br>
i have completely disabled inspection on an ASA that i
have that does only routing.<br>
The question is: has something changed in SCCP negotiation
in CUCM 8.6?<br>
The whole setup has been working for 3 years!!<span class="HOEnZb"><font color="#888888"><br>
<br>
Anthony</font></span>
<div>
<div class="h5"><br>
<br>
On 24-Jan-12 16:34, Mike King wrote:
<blockquote type="cite">Having been bitten by this,
Check for this.
<div><br>
</div>
<div>Specifically, do you have ASA's doing site to
site VPN's? By default they do INSPECTION, which
can drop SCCP packets they don't recoginize.</div>
<div> <br>
</div>
<div>Mike<br>
<br>
<div class="gmail_quote">2012/1/23 Dennis Heim <span dir="ltr"><<a moz-do-not-send="true" href="mailto:Dennis.Heim@cdw.com" target="_blank">Dennis.Heim@cdw.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div style="WORD-WRAP:break-word">
<div style="direction:ltr;font-size:10pt;font-family:Tahoma"><p>This may have already been mentioned
but building on what Ryan said...
probably between 6.1(2) and 8.6.x you
had a firmware change, probably from
around 8.4ish to 9.x. The sccp version
changes, and it sounds like you might
have some firewall/security device in
the way that is not opening the ports
because it is used to the older version
of skinny.</p><div> <br class="webkit-block-placeholder"></div><p>-Dennis-</p>
<div style="font-size:16px;font-family:Times
New Roman">
<hr>
<div style="DIRECTION:ltr"><font color="#000000" face="Tahoma"><b>From:</b>
<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
[<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
on behalf of Ryan Ratliff [<a moz-do-not-send="true" href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>]<br>
<b>Sent:</b> Monday, January 23,
2012 2:05 PM<br>
<b>To:</b> Anthony Kouloglou<br>
<b>Cc:</b> Mike; <a moz-do-not-send="true" href="mailto:cisco-voip@puck-nether.net" target="_blank">cisco-voip@puck-nether.net</a>
<div>
<div><br>
<b>Subject:</b> Re: [cisco-voip]
After upgrade to 8.6.2a one way
audio for some calls-No codec
selected!<br>
</div>
</div>
</font><br>
</div>
<div>
<div>
<div>If the phone don't show a codec
when the call is set up then this
isn't a typical routing issue.
The most obvious reason for the
phone not sending audio is it
isn't getting the skinny
StartMediaTransmission message
from CUCM.
<div>Have you looked at ccm traces
for one of these calls? When
you do look at the messages
going to and from the phones in
the call. Compare/contrast what
you see there to a working call
and call out what's different.</div>
<div><br>
</div>
<div>You can get a packet capture
at the phone as well to see what
it is being told to send to from
CUCM. I'd also double check
there's nothing in the network
doing sccp inspection. You can
get a simultaneous packet
capture at the phone and cucm to
make sure every packet leaving
the server gets to the phone
(intact).</div>
<div><br>
<div><span style="border-collapse:separate;text-indent:0px;letter-spacing:normal;text-transform:none;font:medium
Helvetica;white-space:normal;word-spacing:0px">
<div>-Ryan</div>
</span></div>
<br>
<div>
<div>On Jan 23, 2012, at 1:48
PM, Anthony Kouloglou wrote:</div>
<br>
<div bgcolor="#FFFFFF">There
is no way that this is the
problem.<br>
In one remote site i had
only one 7911 working fine
with CUCM 6.1.2.<br>
After the upgrade to 8.6.2a,
even this old phone is
having the same issue!<br>
I keep having on the phone
status: failed to update itl
.<br>
<br>
On 23/1/2012 8:09 μμ, Peter
Slow wrote:
<blockquote type="cite">I
think what MIke meant was
"Check the routing path
between the two phones."<br>
<br>
-Peter<br>
<br>
<br>
<div class="gmail_quote">On
Mon, Jan 23, 2012 at
12:41 PM, Mike <span dir="ltr"><<a moz-do-not-send="true" href="mailto:mikeeo@msn.com" target="_blank">mikeeo@msn.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT:1ex;MARGIN:0px
0px 0px
0.8ex;BORDER-LEFT:#ccc
1px solid">
<div bgcolor="white" lang="EN-US">
<div><p class="MsoNormal"><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'">Your
key statement
is this:</span></p>
<div>
<div><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span><br>
</div><p class="MsoNormal">Then,
we moved it to
another
subnet.<br>
It got
registered but
not audio in
one way!</p>
<div><br>
</div>
</div><p class="MsoNormal">Check
your routing
path to the CM.<span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span></p>
<div><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span><br>
</div>
<div>
<div style="BORDER-RIGHT:medium
none;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
1pt
solid;PADDING-LEFT:0in;PADDING-BOTTOM:0in;BORDER-LEFT:medium
none;PADDING-TOP:3pt;BORDER-BOTTOM:medium
none"><p class="MsoNormal"><b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">From:</span></b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">
<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
[mailto:<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf
Of </b>Anthony
Kouloglou<br>
<b>Sent:</b>
Monday,
January 23,
2012 10:15 AM<br>
<b>To:</b>
Nate VanMaren<br>
<b>Cc:</b> <a moz-do-not-send="true" href="mailto:cisco-voip@puck-nether.net" target="_blank">cisco-voip@puck-nether.net</a><br>
<b>Subject:</b>
Re:
[cisco-voip]
After upgrade
to 8.6.2a one
way audio for
some calls-No
codec
selected!</span></p>
</div>
</div>
<div>
<div>
<div><br>
</div><p class="MsoNormal">Yes!<br>
Everything
seems to be as
it supposed to
be!<br>
One Phone got
registered at
the main site.
Worked fine.<br>
Then, we moved
it to another
subnet.<br>
It got
registered but
not audio in
one way!<br>
<br>
Can't this
ITL/CTL
feature/bug be
disabled?<br>
<br>
On 20-Jan-12
17:26, Nate
VanMaren
wrote: </p><p class="MsoNormal"><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'">Are
your phones
running
firmware you
expect them to
be?</span></p>
<div><span style="FONT-SIZE:11pt;COLOR:#1f497d;FONT-FAMILY:'Calibri','sans-serif'"></span><br>
</div>
<div>
<div style="BORDER-RIGHT:medium
none;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
1pt
solid;PADDING-LEFT:0in;PADDING-BOTTOM:0in;BORDER-LEFT:medium
none;PADDING-TOP:3pt;BORDER-BOTTOM:medium
none"><p class="MsoNormal"><b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">From:</span></b><span style="FONT-SIZE:10pt;COLOR:windowtext;FONT-FAMILY:'Tahoma','sans-serif'">
<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
[<a moz-do-not-send="true" href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf
Of </b>Anthony
Kouloglou<br>
<b>Sent:</b>
Friday,
January 20,
2012 1:33 AM<br>
<b>To:</b> <a moz-do-not-send="true" href="mailto:cisco-voip@puck-nether.net" target="_blank">cisco-voip@puck-nether.net</a><br>
<b>Subject:</b>
[cisco-voip]
After upgrade
to 8.6.2a one
way audio for
some calls-No
codec
selected!</span></p>
</div>
</div>
<div><br>
</div><p class="MsoNormal">Hi
all,<br>
here is a
tough one! <br>
I recently
upgraded my
6.1 cluster to
8.6.2a.<br>
Since my
Hardware was
7825H3
typically it
was not an
upgrade rather
than a fresh
install using
a usb drive
(cisco has
this procedure
for these type
of servers)<br>
The upgrade
was smooth for
pub and one
sub.<br>
All phones
reregistered
and upgraded.<br>
In the main
site there are
20 devices
(7975, 7961,
7911) and at 2
remote sites 2
devices (one
at each site).<br>
After the
upgrade:<br>
all phones in
the main site
can talk to
each other.<br>
The two remote
phones can
talk to each
other.<br>
Each of the
remote phones
when talking
to main site
have one way
audio!<br>
The remote
site does not
hear the main
site always.<br>
There is no
firewall/NAT
between the
sites.<br>
I noticed that
there is no
codec selected
for the audio
stream that
has the
problems and
so no transmit
(or received
packets for
the other).<br>
And i explain:
in an active
call between
the main site
and a remote i
checked the
send/received
codecs and
statistics.<br>
the main site
had g711 as
received codec
and of course
the received
packets
augmented<br>
but there was
none as send
codec and of
course no
packets
transmited.<br>
In the remote
site the
findings were
inversed (no
receive codec
and no receive
packets<br>
<br>
lease advise<br>
<br>
BR<br>
Anthony</p>
<div><p class="MsoNormal"><span style="FONT-SIZE:10pt;FONT-FAMILY:'Calibri','sans-serif'"><br>
<br>
<br>
<br>
</span></p>
</div>
<div><p class="MsoNormal"><span style="COLOR:#666666"><br>
<br>
NOTICE: This
email message
is for the
sole use of
the intended
recipient(s)
and may
contain
confidential
and privileged
information.
Any
unauthorized
review, use,
disclosure or
distribution
is prohibited.
If you are not
the intended
recipient,
please contact
the sender by
reply email
and destroy
all copies of
the original
message.</span></p>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cisco-voip mailing
list<br>
<a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div><br></div></div></body></html>