Runaway connections for SIP MTAs on an ASA

Posted on 2009-07-13
Last Modified: 2013-12-29
We have approximately 1000 MTAs routed through a Cisco ASA with failover, running version 8.2(1). This has worked fine for several months until today, when suddenly calls started dropping and the MTAs would not reconnect. Then the number of connections on the ASA started ramping up to 4000 connections (where it had normally been sitting at about 1500), then it would fail over to the second ASA and the cycle would begin again.

We originally had version 7.2(3), and after the problem started we were advised to upgrade, but there was no improvement.

By adjusting the SIP timeout down to 5 minutes (from 30) we can control the rate of failure better, but that is all.

We suspect our vendor that supplies the dial tone made some change or had some failure but is not fessing up (not the first time); we have to prove they are the problem before they will do anything.

Any help or guidance as to what we should do next would be appreciated!

: Saved
: Written by enable_15 at 00:54:14.499 UTC Tue Jul 14 2009

ASA Version 8.2(1)
hostname voipasa1

enable password s8MB4sBN1leN6LzZ encrypted
passwd q3vfYQJHx.L0KLPi encrypted

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address

interface GigabitEthernet0/2

interface GigabitEthernet0/2.1
 description LAN Failover Interface
 vlan 11

interface GigabitEthernet0/2.2
 description STATE Failover Interface
 vlan 12

interface GigabitEthernet0/3
 nameif phoneco
 security-level 0
 ip address

interface Management0/0
 no nameif
 no security-level
 no ip address

boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS

object-group network VOIPPhones

access-list acl_out extended permit icmp any any
access-list acl_out extended permit udp host any
access-list phoneco_access_in extended permit icmp any any
access-list phoneco_access_in extended permit udp host any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging device-id hostname
logging host outside
mtu outside 1500
mtu inside 1500
mtu phoneco 1500

failover lan unit secondary
failover lan interface failover GigabitEthernet0/2.1
failover key fubar
failover link state GigabitEthernet0/2.2
failover interface ip failover standby
failover interface ip state standby
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (phoneco) 1 interface
nat (inside) 1
access-group acl_out in interface outside
access-group phoneco_access_in in interface phoneco
route phoneco 1 track 1
route outside 254
route inside 1
route inside 1
route inside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:05:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http outside
http outside
snmp-server host outside poll community boogers
snmp-server host outside poll community boogers
snmp-server host outside poll community boogers
snmp-server location Data Center
no snmp-server contact
snmp-server community boogers
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho interface phoneco
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

track 1 rtr 123 reachability
telnet timeout 5
ssh outside
ssh outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server outside voip.cfg

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip

service-policy global_policy global
prompt hostname context

: end


Question by:claytarget

Expert Comment by Istvan Kalmar (ID: 24846696)

Did you upgrade the memory of your ASA? 8.2(1) is much happier if there is some 512M of memory!

Best Regards,

Author Comment (ID: 24848179)
Already have 512M RAM in the ASA.

Expert Comment (ID: 24848615)
What do the ASA logs show is happening with all the sessions? I would expect you are seeing lots of "torn down half open due to time-out" messages?
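The log question above is the right first check, and the posted config already sends `logging trap debugging` to a syslog host, so the connection build and teardown messages (302013 through 302016) are available off-box. The script below is an added example written for this page, not code from the original thread: it replays those messages, attributes each connection to the host on the inside interface (the MTA side in this config), and reports the peak simultaneous connection count, the hosts that rebuilt their 5060 connection most often, how many of those connections lived only a few seconds (the signature of an endpoint re-registering over and over), and any teardown reason such as SYN Timeout. The message layouts follow Cisco's documented templates; the sample log lines, addresses, interface names and the `analyze`/`top_churners` function names are constructed for the example. On the box itself, `show conn count` and `show service-policy inspect sip` give the live equivalents of the peak figure.

```python
"""Spot runaway SIP connection churn in Cisco ASA syslog.

Added example for this page (not from the original post). It replays the
ASA connection messages (302013/302015 = built, 302014/302016 = teardown)
and attributes each connection to the host on the inside interface, which
is the MTA side in the posted config.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Patterns follow the documented message templates. On a teardown the
# trailing "[reason] [(user)]" fields are optional.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>[\w-]+):(?P<a1>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to (?P<if2>[\w-]+):(?P<a2>[\d.]+)/\d+ \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>[\w-]+):(?P<a1>[\d.]+)/\d+ to (?P<if2>[\w-]+):(?P<a2>[\d.]+)/\d+ "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes \d+(?: (?P<reason>[^(]+?))?(?: \(.*\))?\s*$"
)

# Constructed sample (documentation address ranges): 10.1.2.3 has its
# 5060/UDP connection rebuilt three times within seconds, 10.1.2.4 holds a
# normal five-minute registration, and a TCP attempt from 10.1.2.5 dies
# with "SYN Timeout".
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 1001 for phoneco:203.0.113.10/5060 (203.0.113.10/5060) to inside:10.1.2.3/5060 (198.51.100.1/1024)
%ASA-6-302015: Built outbound UDP connection 1002 for phoneco:203.0.113.10/5060 (203.0.113.10/5060) to inside:10.1.2.4/5060 (198.51.100.1/1025)
%ASA-6-302016: Teardown UDP connection 1001 for phoneco:203.0.113.10/5060 to inside:10.1.2.3/5060 duration 0:00:02 bytes 512
%ASA-6-302015: Built outbound UDP connection 1003 for phoneco:203.0.113.10/5060 (203.0.113.10/5060) to inside:10.1.2.3/5060 (198.51.100.1/1026)
%ASA-6-302016: Teardown UDP connection 1003 for phoneco:203.0.113.10/5060 to inside:10.1.2.3/5060 duration 0:00:03 bytes 512
%ASA-6-302015: Built outbound UDP connection 1004 for phoneco:203.0.113.10/5060 (203.0.113.10/5060) to inside:10.1.2.3/5060 (198.51.100.1/1027)
%ASA-6-302013: Built outbound TCP connection 1005 for phoneco:203.0.113.10/5060 (203.0.113.10/5060) to inside:10.1.2.5/40000 (198.51.100.1/1028)
%ASA-6-302014: Teardown TCP connection 1005 for phoneco:203.0.113.10/5060 to inside:10.1.2.5/40000 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302016: Teardown UDP connection 1002 for phoneco:203.0.113.10/5060 to inside:10.1.2.4/5060 duration 0:05:00 bytes 4096
"""


@dataclass
class ChurnReport:
    builds_per_host: Counter = field(default_factory=Counter)       # connections built, per inside host
    short_lived_per_host: Counter = field(default_factory=Counter)  # torn down within short_lived_secs
    teardown_reasons: Counter = field(default_factory=Counter)      # e.g. "SYN Timeout"
    open_conns: dict = field(default_factory=dict)                  # conn id -> inside host, not yet torn down
    peak_open: int = 0                                              # highest simultaneous count seen
    unmatched_teardowns: int = 0                                    # teardown with no build in this capture


def parse_duration(text: str) -> int:
    """'h:mm:ss' from the teardown message -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def analyze(lines, inside_if="inside", short_lived_secs=10) -> ChurnReport:
    """Replay build/teardown messages in order and keep per-host counters."""
    rep = ChurnReport()
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            host = m["a1"] if m["if1"] == inside_if else m["a2"]
            rep.open_conns[m["id"]] = host
            rep.builds_per_host[host] += 1
            rep.peak_open = max(rep.peak_open, len(rep.open_conns))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            host = rep.open_conns.pop(m["id"], None)
            if host is None:  # capture started after the build; still attribute it
                rep.unmatched_teardowns += 1
                host = m["a1"] if m["if1"] == inside_if else m["a2"]
            if parse_duration(m["dur"]) < short_lived_secs:
                rep.short_lived_per_host[host] += 1
            if m["reason"]:
                rep.teardown_reasons[m["reason"].strip()] += 1
    return rep


def top_churners(rep: ChurnReport, n=5):
    """Hosts ranked by connections rebuilt; an MTA rebuilding its registrar
    connection every few seconds is what runs the conn table up."""
    return rep.builds_per_host.most_common(n)


if __name__ == "__main__":
    import sys
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    rep = analyze(source)
    print(f"peak open: {rep.peak_open}  still open: {len(rep.open_conns)}  "
          f"unmatched teardowns: {rep.unmatched_teardowns}")
    print("top rebuilders:", top_churners(rep))
    print("short-lived per host:", dict(rep.short_lived_per_host))
    print("teardown reasons:", dict(rep.teardown_reasons))
```

Pipe a saved syslog capture into it (`python asa_sip_churn.py < asa.log`; the filename is arbitrary); with no input it runs on the embedded sample. A handful of hosts at the top of the rebuild list with sub-10-second lifetimes points at a registration exchange that is failing and being retried, which is how a changed registrar setting on the provider side would look from the firewall; a flat distribution across all 1000 MTAs points at the path or the inspection engine instead. Separately, the pasted configuration carries the enable password hash, the failover key and the SNMP community string; anyone reusing it should treat those as disclosed and rotate them.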
Expert Comment by Istvan Kalmar (ID: 24872491)
Have you tried downgrading back to 8.1.3?

Accepted Solution by claytarget (earned 0 total points, ID: 25300441)
Discovered (after several rather ugly phone conferences) that the provider changed several settings on their end which caused the problem.

After finding out about the changes, we were able to reconfigure our equipment appropriately.

