Run away connections for SIP MTAs on an ASA

Posted on 2009-07-13
Medium Priority
Last Modified: 2013-12-29
We have approximately 1000 MTAs routed through a Cisco ASA with failover, running version 8.2(1). This has worked fine for several months until today, when suddenly calls started dropping and the MTAs would not reconnect. Then the number of connections on the ASA started ramping up to 4000 connections (where it had normally been sitting at about 1500), then it would fail over to the second ASA and the cycle would begin again.

We originally had version 7.2(3) and, after the problem started, we were advised to upgrade, but no improvement was made.

By adjusting the SIP timeout down to 5 minutes (from 30) we can control the rate of failure better, but that is all.

We suspect our vendor that is supplying the dial tone made some change or had some failure, but is not fessing up (not the first time), but we have to prove they are the problem before they will do anything.

Any help or guidance as to what we should do next would be appreciated!

: Saved
: Written by enable_15 at 00:54:14.499 UTC Tue Jul 14 2009
ASA Version 8.2(1) 
hostname voipasa1
domain-name myco.org
enable password s8MB4sBN1leN6LzZ encrypted
passwd q3vfYQJHx.L0KLPi encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 
interface GigabitEthernet0/2
interface GigabitEthernet0/2.1
 description LAN Failover Interface
 vlan 11
interface GigabitEthernet0/2.2
 description STATE Failover Interface
 vlan 12
interface GigabitEthernet0/3
 nameif phoneco
 security-level 0
 ip address 
interface Management0/0
 no nameif
 no security-level
 no ip address
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name myco.org
object-group network VOIPPhones
access-list acl_out extended permit icmp any any 
access-list acl_out extended permit udp host any 
access-list phoneco_access_in extended permit icmp any any 
access-list phoneco_access_in extended permit udp host any 
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging device-id hostname
logging host outside
mtu outside 1500
mtu inside 1500
mtu phoneco 1500
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2.1
failover key fubar
failover link state GigabitEthernet0/2.2
failover interface ip failover standby
failover interface ip state standby
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (phoneco) 1 interface
nat (inside) 1
access-group acl_out in interface outside
access-group phoneco_access_in in interface phoneco
route phoneco 1 track 1
route outside 254
route inside 1
route inside 1
route inside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:05:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http outside
http outside
snmp-server host outside poll community boogers
snmp-server host outside poll community boogers
snmp-server host outside poll community boogers
snmp-server location Data Center
no snmp-server contact
snmp-server community boogers
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho interface phoneco
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 123 reachability
telnet timeout 5
ssh outside
ssh outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server outside voip.cfg
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect sip  
service-policy global_policy global
prompt hostname context 
: end


Question by:claytarget

Expert Comment

by:Istvan Kalmar
ID: 24846696

Did you upgrade the memory of your ASA? 8.2(1) is a much better experience if there is some 512M of memory!


Best Regards,

Author Comment

ID: 24848179
Already have 512M RAM in the ASA.

Expert Comment

ID: 24848615
What do the ASA logs show is happening with all the sessions? I would expect you are seeing lots of "torn down half open due to time-out" messages?
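As an added example (not from the question or any of the replies), a small Python parser over constructed ASA connection syslog lines that tallies builds against teardowns per inside host, records teardown reasons, and flags hosts whose connections keep ramping; the interface names follow the question's config, the addresses and log contents are constructed samples, and the regex assumes the standard field layout of the ASA 3020xx Built/Teardown messages.

```python
import re
from collections import Counter

# Standard field layout of ASA %ASA-6-302013..302016 (Built/Teardown TCP/UDP)
# messages; everything after the second address pair (duration, bytes, and the
# teardown reason on TCP) is captured as "tail".
CONN_RE = re.compile(
    r"%ASA-6-3020(?P<id>1[3-6]): (?P<event>Built|Teardown) (?:inbound |outbound )?"
    r"(?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<if_a>\w+):(?P<addr_a>[\d.]+)/(?P<port_a>\d+)(?: \([^)]*\))? to "
    r"(?P<if_b>\w+):(?P<addr_b>[\d.]+)/(?P<port_b>\d+)(?: \([^)]*\))?(?P<tail>.*)$"
)

# Constructed sample lines (not from the page): one MTA on the inside keeps
# building SIP connections to the provider on the phoneco interface faster
# than the ASA tears them down; another behaves normally.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 100 for phoneco:198.51.100.10/5060 (198.51.100.10/5060) to inside:10.20.0.5/5060 (203.0.113.2/1025)
%ASA-6-302015: Built outbound UDP connection 101 for phoneco:198.51.100.10/5060 (198.51.100.10/5060) to inside:10.20.0.5/5060 (203.0.113.2/1026)
%ASA-6-302015: Built outbound UDP connection 102 for phoneco:198.51.100.10/5060 (198.51.100.10/5060) to inside:10.20.0.5/5060 (203.0.113.2/1027)
%ASA-6-302016: Teardown UDP connection 100 for phoneco:198.51.100.10/5060 to inside:10.20.0.5/5060 duration 0:05:00 bytes 840
%ASA-6-302015: Built outbound UDP connection 103 for phoneco:198.51.100.10/5060 (198.51.100.10/5060) to inside:10.20.0.6/5060 (203.0.113.2/1028)
%ASA-6-302016: Teardown UDP connection 103 for phoneco:198.51.100.10/5060 to inside:10.20.0.6/5060 duration 0:00:03 bytes 420
%ASA-6-302014: Teardown TCP connection 200 for phoneco:198.51.100.10/5060 to inside:10.20.0.7/5060 duration 0:00:30 bytes 0 SYN Timeout
"""

def summarize(lines, inside_if="inside"):
    """Per inside host: connections built, torn down and still open, plus a
    tally of teardown reasons (the text after 'bytes N'; UDP carries none)."""
    built, torn, reasons = Counter(), Counter(), Counter()
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # not a connection build/teardown message
        # take whichever address pair sits on the inside interface
        host = m["addr_a"] if m["if_a"] == inside_if else m["addr_b"]
        if m["event"] == "Built":
            built[host] += 1
        else:
            torn[host] += 1
            r = re.search(r"bytes \d+ (.+)$", m["tail"])
            reasons[r.group(1).strip() if r else "(no reason/UDP)"] += 1
    hosts = {h: {"built": built[h], "torn_down": torn[h], "open": built[h] - torn[h]}
             for h in set(built) | set(torn)}
    return hosts, reasons

def runaway_hosts(hosts, threshold=1):
    """Hosts whose builds outpace teardowns by more than `threshold`."""
    return sorted(h for h, s in hosts.items() if s["open"] > threshold)
```

Feed it the ASA syslog lines captured from the `logging host` receiver (`summarize(open(path).read().splitlines())`) and the hosts reported by `runaway_hosts` are the MTAs worth tracing first; the reason tally shows whether the teardowns are timeouts or normal call ends.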

Expert Comment

by:Istvan Kalmar
ID: 24872491
Had you tried to downgrade back to 8.1.3?

Accepted Solution

claytarget earned 0 total points
ID: 25300441
Discovered (after several rather ugly phone conferences) that the provider changed several settings on their end which caused the problem.

After finding out about the changes, we were able to reconfigure our equipment appropriately.

