Solved

Run away connections for SIP MTAs on an ASA

Posted on 2009-07-13
5
781 Views
Last Modified: 2013-12-29
We have approximately 1000 MTAs routed through a Cisco ASA with failover, running version 8.2(1). This has worked fine for several months until today, when suddenly calls started dropping and the MTAs would not reconnect. Then the number of connections on the ASA started ramping up to 4000 connections (where it had normally been sitting at about 1500), then it would fail over to the second ASA and the cycle would begin again.

We originally had version 7.2(3) and after the problem started, we were advised to upgrade, but no improvement was made.

By adjusting the SIP timeout down to 5 minutes (from 30) we can control the rate of failure better, but that is all.

We suspect our vendor that is supplying the dial tone made some change or had some failure, but is not fessing up (not the first time); we have to prove they are the problem before they will do anything.

Any help or guidance as to what we should do next would be appreciated!

: Saved
: Written by enable_15 at 00:54:14.499 UTC Tue Jul 14 2009
!
ASA Version 8.2(1)
!
hostname voipasa1
domain-name myco.org
enable password s8MB4sBN1leN6LzZ encrypted
passwd q3vfYQJHx.L0KLPi encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.13.0.1 255.255.255.0
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.1
 description LAN Failover Interface
 vlan 11
!
interface GigabitEthernet0/2.2
 description STATE Failover Interface
 vlan 12
!
interface GigabitEthernet0/3
 nameif phoneco
 security-level 0
 ip address 10.35.0.158 255.255.255.252
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name myco.org
object-group network VOIPPhones
 network-object 10.0.0.0 255.0.0.0
access-list acl_out extended permit icmp any any
access-list acl_out extended permit udp host 4.4.4.164 any
access-list phoneco_access_in extended permit icmp any any
access-list phoneco_access_in extended permit udp host 4.4.4.164 any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging device-id hostname
logging host outside 2.2.2.21
mtu outside 1500
mtu inside 1500
mtu phoneco 1500
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2.1
failover key fubar
failover link state GigabitEthernet0/2.2
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover interface ip state 192.168.253.1 255.255.255.0 standby 192.168.253.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (phoneco) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group acl_out in interface outside
access-group phoneco_access_in in interface phoneco
route phoneco 0.0.0.0 0.0.0.0 10.35.0.157 1 track 1
route outside 0.0.0.0 0.0.0.0 1.1.1.1 254
route inside 10.0.0.0 255.224.0.0 10.13.0.2 1
route inside 10.11.0.0 255.255.0.0 10.13.0.2 1
route inside 10.12.0.0 255.255.0.0 10.13.0.2 1
route outside 2.2.2.0 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:05:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 2.2.2.4 255.255.255.255 outside
http 2.2.2.104 255.255.255.255 outside
snmp-server host outside 2.2.2.104 poll community boogers
snmp-server host outside 2.2.2.98 poll community boogers
snmp-server host outside 2.2.2.252 poll community boogers
snmp-server location Data Center
no snmp-server contact
snmp-server community boogers
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 3.3.3.162 interface phoneco
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 2.2.2.104 255.255.255.255 outside
ssh 2.2.2.4 255.255.255.255 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server outside 2.2.2.2 voip.cfg
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b48638f7be1f3b87ac793ee2e5acf547
: end

Question by:claytarget
5 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
Hi,

Did you upgrade the memory of your ASA? 8.2(1) loves it if there is some 512M of memory!

http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html

Best Regards,
Istvan
0
 

Author Comment

by:claytarget
Already have 512M ram in the ASA
0
 
LVL 8

Expert Comment

by:pgolding00
What do the ASA logs show is happening with all the sessions? I would expect you are seeing lots of "torn down half open due to time-out" messages?
0
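Following pgolding00's suggestion to look at the logs, here is an added example (not from this thread, and not Cisco's tooling) that replays the ASA's UDP connection built/teardown syslog messages and flags an inside MTA whose earlier SIP sessions are never torn down while it keeps re-registering, which is what a steadily climbing connection count looks like in the log. The message field order and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Regexes for the two ASA messages that bracket a UDP connection's life, %ASA-6-302015
# (built) and %ASA-6-302016 (teardown); field order is an assumption, check against your logs.
BUILT = re.compile(
    r"%ASA-6-302015: Built (?P<dir>inbound|outbound) UDP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)")
TEARDOWN = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>[\d:]+)")

# Constructed sample lines (not from the thread): MTA 10.11.2.6 keeps opening new SIP
# sessions to the provider while its old ones are never torn down; 10.11.2.5 behaves.
SAMPLE_LOG = """\
Jul 13 2009 22:10:01 voipasa1 %ASA-6-302015: Built outbound UDP connection 1001 for inside:10.11.2.5/5060 (10.35.0.158/1024) to phoneco:10.35.0.157/5060 (10.35.0.157/5060)
Jul 13 2009 22:10:02 voipasa1 %ASA-6-302015: Built outbound UDP connection 1002 for inside:10.11.2.6/5060 (10.35.0.158/1025) to phoneco:10.35.0.157/5060 (10.35.0.157/5060)
Jul 13 2009 22:15:03 voipasa1 %ASA-6-302016: Teardown UDP connection 1001 for inside:10.11.2.5/5060 to phoneco:10.35.0.157/5060 duration 0:05:02 bytes 1320
Jul 13 2009 22:15:04 voipasa1 %ASA-6-302015: Built outbound UDP connection 1003 for inside:10.11.2.6/5060 (10.35.0.158/1026) to phoneco:10.35.0.157/5060 (10.35.0.157/5060)
Jul 13 2009 22:20:05 voipasa1 %ASA-6-302015: Built outbound UDP connection 1004 for inside:10.11.2.6/5060 (10.35.0.158/1027) to phoneco:10.35.0.157/5060 (10.35.0.157/5060)
"""

def sip_connection_state(log_text, sip_port="5060"):
    """Replay built/teardown messages in order; return counts of SIP signalling
    connections built, torn down and still open, plus 'stacked': inside hosts
    with more than one open connection to the same peer (stale sessions)."""
    open_conns = {}          # connection id -> (inside host, peer)
    built = torn = 0
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            if sip_port in (m["sport"], m["dport"]):
                open_conns[m["id"]] = (m["src"], m["dst"])
                built += 1
            continue
        m = TEARDOWN.search(line)
        if m and open_conns.pop(m["id"], None) is not None:
            torn += 1
    per_pair = defaultdict(int)
    for pair in open_conns.values():
        per_pair[pair] += 1
    stacked = {src: n for (src, _), n in per_pair.items() if n > 1}
    return {"built": built, "torn_down": torn,
            "open": len(open_conns), "stacked": stacked}

if __name__ == "__main__":
    print(sip_connection_state(SAMPLE_LOG))
```

Run it over a `logging trap debugging` capture from the syslog host configured on the ASA; a growing "stacked" map points at the MTAs (or the provider peer) driving the connection count, which is the evidence needed before changing `timeout sip` further.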
 
LVL 34

Expert Comment

by:Istvan Kalmar
Had you tried to downgrade back to 8.1.3?
0
 

Accepted Solution

by:
claytarget earned 0 total points
Discovered (after several rather ugly phone conferences) that the provider changed several settings on their end which caused the problem.

After finding out about the changes, we were able to reconfigure our equipment appropriately.

0
