Run away connections for SIP MTAs on an ASA

Asked by claytarget in Telecommunications Providers, Cisco PIX Firewall

Tags: ASA SIP NAT

We have approximately 1000 MTAs routed through a Cisco ASA (with failover) running version 8.2(1). This has worked fine for several months until today, when suddenly calls started dropping and the MTAs would not reconnect. Then the number of connections on the ASA started ramping up to 4000 connections (where it had normally been sitting at about 1500), then it would fail over to the second ASA and the cycle would begin again.

We originally had version 7.2(3) and after the problem started, we were advised to upgrade, but no improvement was made.

By adjusting the SIP timeout down to 5 minutes (from 30) we can control the rate of failure better, but that is all.

We suspect our vendor that is supplying the dial tone made some change or had some failure but is not fessing up (not the first time). We have to prove they are the problem before they will do anything.

Any help or guidance as to what we should do next would be appreciated!
Attached configuration (voipasa1):

: Saved
: Written by enable_15 at 00:54:14.499 UTC Tue Jul 14 2009
!
ASA Version 8.2(1) 
!
hostname voipasa1
domain-name myco.org
enable password s8MB4sBN1leN6LzZ encrypted
passwd q3vfYQJHx.L0KLPi encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.13.0.1 255.255.255.0 
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.1
 description LAN Failover Interface
 vlan 11
!
interface GigabitEthernet0/2.2
 description STATE Failover Interface
 vlan 12
!
interface GigabitEthernet0/3
 nameif phoneco
 security-level 0
 ip address 10.35.0.158 255.255.255.252 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name myco.org
object-group network VOIPPhones
 network-object 10.0.0.0 255.0.0.0
access-list acl_out extended permit icmp any any 
access-list acl_out extended permit udp host 4.4.4.164 any 
access-list phoneco_access_in extended permit icmp any any 
access-list phoneco_access_in extended permit udp host 4.4.4.164 any 
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging device-id hostname
logging host outside 2.2.2.21
mtu outside 1500
mtu inside 1500
mtu phoneco 1500
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2.1
failover key fubar
failover link state GigabitEthernet0/2.2
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover interface ip state 192.168.253.1 255.255.255.0 standby 192.168.253.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (phoneco) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group acl_out in interface outside
access-group phoneco_access_in in interface phoneco
route phoneco 0.0.0.0 0.0.0.0 10.35.0.157 1 track 1
route outside 0.0.0.0 0.0.0.0 1.1.1.1 254
route inside 10.0.0.0 255.224.0.0 10.13.0.2 1
route inside 10.11.0.0 255.255.0.0 10.13.0.2 1
route inside 10.12.0.0 255.255.0.0 10.13.0.2 1
route outside 2.2.2.0 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:05:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 2.2.2.4 255.255.255.255 outside
http 2.2.2.104 255.255.255.255 outside
snmp-server host outside 2.2.2.104 poll community boogers
snmp-server host outside 2.2.2.98 poll community boogers
snmp-server host outside 2.2.2.252 poll community boogers
snmp-server location Data Center
no snmp-server contact
snmp-server community boogers
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 3.3.3.162 interface phoneco
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 2.2.2.104 255.255.255.255 outside
ssh 2.2.2.4 255.255.255.255 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server outside 2.2.2.2 voip.cfg
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect sip  
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:b48638f7be1f3b87ac793ee2e5acf547
: end
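The posted config already ships debug-level syslog to 2.2.2.21 (`logging trap debugging`, `logging host outside 2.2.2.21`), so the ASA's per-connection messages for UDP (%ASA-6-302015 "Built ... UDP connection" and %ASA-6-302016 "Teardown UDP connection") are being recorded for every SIP session the MTAs open. The script below is an added example, not part of the original question and not a Cisco tool: it parses those two message formats and, for each remote SIP peer, counts how many UDP/5060 connections were built, how many were torn down, and how many are still open, which is the history needed to show whether the ramp from 1500 to 4000 connections is driven by one provider address. The sample log lines are constructed to match the 302015/302016 format; 4.4.4.164 is assumed to be the provider's SIP proxy (it is only shown in the posted ACLs as a permitted UDP source), 5.5.5.10 is a made-up well-behaved peer for contrast, and the 10.x inside addresses are illustrative MTAs.

```python
"""Added example: attribute ASA UDP/5060 connection churn to the remote SIP peer.

Parses %ASA-6-302015 (built) and %ASA-6-302016 (teardown) UDP connection messages.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SIP_PORT = 5060
INSIDE_IF = "inside"   # nameif the MTAs sit behind, as in the posted config

# %ASA-6-302015: Built {inbound|outbound} UDP connection <id> for <if>:<ip>/<port> (<mapped>)
#                to <if>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-6-302015: Built (?:inbound|outbound) UDP connection (?P<cid>\d+) "
    r"for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \(\S+\) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \(\S+\)"
)
# %ASA-6-302016: Teardown UDP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#                duration h:mm:ss bytes <n>
TEARDOWN_RE = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<cid>\d+) "
    r"for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration \d+:\d\d:\d\d bytes (?P<nbytes>\d+)"
)


@dataclass
class PeerStats:
    built: int = 0
    torn_down: int = 0
    bytes_total: int = 0
    open_ids: set = field(default_factory=set)      # built, no teardown seen yet
    inside_hosts: set = field(default_factory=set)  # MTAs that talked to this peer

    @property
    def still_open(self) -> int:
        return len(self.open_ids)


def _sip_endpoints(m, inside_if):
    """(remote_ip, inside_ip) for a SIP connection crossing inside_if, else None."""
    a = (m["a_if"], m["a_ip"], int(m["a_port"]))
    b = (m["b_if"], m["b_ip"], int(m["b_port"]))
    if SIP_PORT not in (a[2], b[2]):
        return None                      # not signalling (media pinholes, DNS, NTP ...)
    if a[0] == inside_if and b[0] != inside_if:
        return b[1], a[1]
    if b[0] == inside_if and a[0] != inside_if:
        return a[1], b[1]
    return None                          # inside-to-inside or transit, not what we chase


def summarise(lines, inside_if=INSIDE_IF):
    """Per remote SIP peer: builds, teardowns, still-open connection ids, inside hosts."""
    stats = defaultdict(PeerStats)
    for line in lines:
        if m := BUILT_RE.search(line):
            if ep := _sip_endpoints(m, inside_if):
                s = stats[ep[0]]
                s.built += 1
                s.open_ids.add(m["cid"])
                s.inside_hosts.add(ep[1])
        elif m := TEARDOWN_RE.search(line):
            if ep := _sip_endpoints(m, inside_if):
                s = stats[ep[0]]
                s.torn_down += 1
                s.bytes_total += int(m["nbytes"])
                s.open_ids.discard(m["cid"])
    return dict(stats)


def runaway_peers(stats, min_open=3, min_ratio=2.0):
    """Peers whose connections are built much faster than they are torn down."""
    flagged = []
    for peer, s in stats.items():
        ratio = s.built / s.torn_down if s.torn_down else float("inf")
        if s.still_open >= min_open and ratio >= min_ratio:
            flagged.append(peer)
    return sorted(flagged)


# Constructed sample (not real logs): syslog receiver prefix + ASA message.
# 4.4.4.164 = assumed provider SIP proxy; 5.5.5.10 = made-up healthy peer.
SAMPLE_LOG = [
    "Jul 14 00:50:01 voipasa1 : %ASA-6-302015: Built outbound UDP connection 101 for inside:10.11.1.10/5060 (10.35.0.158/1025) to phoneco:4.4.4.164/5060 (4.4.4.164/5060)",
    "Jul 14 00:50:02 voipasa1 : %ASA-6-302015: Built outbound UDP connection 102 for inside:10.11.1.11/5060 (10.35.0.158/1026) to phoneco:4.4.4.164/5060 (4.4.4.164/5060)",
    "Jul 14 00:50:09 voipasa1 : %ASA-6-302015: Built outbound UDP connection 103 for inside:10.11.1.12/5060 (10.35.0.158/1027) to phoneco:5.5.5.10/5060 (5.5.5.10/5060)",
    "Jul 14 00:50:12 voipasa1 : %ASA-6-302016: Teardown UDP connection 103 for inside:10.11.1.12/5060 to phoneco:5.5.5.10/5060 duration 0:00:03 bytes 980",
    "Jul 14 00:55:01 voipasa1 : %ASA-6-302016: Teardown UDP connection 101 for inside:10.11.1.10/5060 to phoneco:4.4.4.164/5060 duration 0:05:00 bytes 1460",
    "Jul 14 00:55:02 voipasa1 : %ASA-6-302015: Built outbound UDP connection 104 for inside:10.11.1.10/5060 (10.35.0.158/1028) to phoneco:4.4.4.164/5060 (4.4.4.164/5060)",
    "Jul 14 00:55:03 voipasa1 : %ASA-6-302015: Built outbound UDP connection 105 for inside:10.12.0.5/5060 (10.35.0.158/1029) to phoneco:4.4.4.164/5060 (4.4.4.164/5060)",
    "Jul 14 00:55:04 voipasa1 : %ASA-6-302015: Built inbound UDP connection 106 for phoneco:4.4.4.164/5060 (4.4.4.164/5060) to inside:10.11.1.11/5060 (10.35.0.158/1026)",
    "Jul 14 00:55:05 voipasa1 : %ASA-6-302015: Built outbound UDP connection 107 for inside:10.11.1.13/49152 (1.1.1.2/1030) to outside:1.1.1.1/123 (1.1.1.1/123)",
]

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for peer, s in sorted(stats.items()):
        print(f"{peer:15} built={s.built} torn_down={s.torn_down} open={s.still_open} "
              f"bytes={s.bytes_total} mtas={len(s.inside_hosts)}")
    print("runaway:", runaway_peers(stats))
```

Run it against the syslog server's file for the failure window instead of `SAMPLE_LOG`, and compare the totals with `show conn` on the active unit, which only gives the instantaneous view. Because the script keys on UDP/5060 only, the RTP pinholes opened by `inspect sip` and any SIP carried over TCP are not counted; for a per-MTA breakdown, key the dictionary on the inside address (`ep[1]`) instead of the remote one. The `timeout sip 0:05:00` in the posted config is visible in the data as teardowns with `duration 0:05:00`, so a large share of teardowns at exactly that duration, rather than shortly after a call ends, means idle connections are being aged out rather than closed by SIP signalling.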
07/13/09 11:27 PM, ID: 24846696: Expert Comment

07/14/09 04:31 AM, ID: 24848179: Author Comment

07/14/09 05:27 AM, ID: 24848615: Expert Comment

07/16/09 11:58 AM, ID: 24872491: Expert Comment

09/10/09 07:17 AM, ID: 25300441: Accepted Solution

Solution Provided By: claytarget
Participating Experts: 2
Solution Grade: A