chris crosby
asked on
ASA 5505 / internet / SIP question
I work in a hospital. We use the Stratus iPad app for interpretation. We have a guest internet circuit that these iPads are on. The circuit was recently upgraded from 35 Mbps to 100 Mbps. No other changes that I know of. Around that time the Stratus app stopped connecting. There is an ASA 5505 on this circuit, but only default config is enabled.
I took the iPad home and the app worked fine on my home wifi. I have contacted the vendor and our ISP. Both claim it must be a firewall issue, but nothing has changed. Any ideas?
You need to contact the network admin of the guest internet circuit of your hospital.
My guess is that the network admin did "upgrade" the firewall when there was an upgrade of the guest internet circuit.
ASKER
Thanks for the replies -
@Eoin - Yes, all other tested internet / video applications work. I have the tech doc from Stratus and it is a wide range of IPs that it may connect to, not a specific URL. All of that is embedded in the app. I don't really have any monitoring apps at home, but I will try to come up with something tonight.
@Jackie - I am basically the admin of that circuit - firewall config is handled by an offsite 3rd party that requires a change request to make any changes. I have also been in touch with them just to be sure and no changes were made. Below is the security config of the ASA - I have been reading up on SIP inspection and how some applications require it, while others need it turned off. I am thinking maybe submit a change request to turn it off to see, but that takes a week and then if no change I'll have to submit a request to change it back. I'm not dealing with particularly helpful people on that side.
boot system disk0:/asa822-k8.bin
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 <>
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
snmp-server location <>
snmp-server contact <>
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet 192.168.32.6 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <> password s6x5afD9Alo2bY8C encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
Something else changed. When unauthorized changes get made, nobody is going to confess to them. Did they make a backup before the upgrade? Try to have them restore to that and see if issues suddenly go away.
Just as importantly, compare the configurations from before and after the upgrades. That should give you the best idea.
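The two threads of advice above, checking whether "inspect sip" in the posted global_policy is what changed and comparing the pre- and post-upgrade configs, can be done mechanically. The script below is an added example, not code from the thread, the asker's firewall provider or Cisco. It parses the policy-map section as pasted (indentation lost), lists the inspections applied under global_policy / inspection_default, diffs that set against a second config, and prints the ASA CLI lines a change request (and its revert) would contain. RUNNING mirrors the inspect list posted in the thread; BASELINE is a constructed, hypothetical pre-upgrade copy with SIP inspection absent, so the comparison has something to show.

```python
"""Compare the protocol inspections an ASA applies under its global service
policy, and emit the CLI a change request would need to add or remove one.

Added example for this thread; not code from the original post, from the
asker's third-party firewall team or from Cisco. Both configs below are
constructed: RUNNING mirrors the inspect list posted in the thread, and
BASELINE is a hypothetical pre-upgrade copy with "inspect sip" absent.
"""

# Constructed sample: the policy-map section as pasted in the thread
# (leading indentation lost in the paste, which the parser tolerates).
RUNNING = """\
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
"""

# Constructed, hypothetical "before the circuit upgrade" copy: identical
# except that SIP inspection is not enabled.
BASELINE = RUNNING.replace("inspect sip\n", "")

# Keywords that open a new top-level section in an ASA running-config and
# therefore end any policy-map block we are inside.
_TOP_LEVEL = ("policy-map ", "class-map ", "service-policy ", "access-list ",
              "interface ", "route ", "!")


def inspections(config, policy="global_policy", klass="inspection_default"):
    """Return the set of 'inspect ...' arguments inside policy-map/class.

    Pasted ASA configs often lose their leading spaces, so section
    boundaries are tracked by keyword rather than by indentation.
    """
    found = set()
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(_TOP_LEVEL):
            # 'policy-map type inspect dns X' is a protocol inspection map,
            # not a service policy; only a bare 'policy-map <name>' matches.
            words = line.split()
            in_policy = (words[0] == "policy-map" and len(words) == 2
                         and words[1] == policy)
            in_class = False
            continue
        if in_policy and line.startswith("class "):
            in_class = line.split()[1] == klass
            continue
        if in_policy and in_class and line.startswith("inspect "):
            found.add(line[len("inspect "):])
    return found


def inspection_diff(baseline, running):
    """(added, removed) inspections going from baseline to running."""
    before, after = inspections(baseline), inspections(running)
    return sorted(after - before), sorted(before - after)


def change_request(running, target,
                   policy="global_policy", klass="inspection_default"):
    """ASA CLI lines that make `running`'s inspect set equal `target`'s.

    Uses the standard policy-map / class / [no] inspect form. Returns an
    empty list when nothing differs, so an empty request is never filed.
    """
    cur = inspections(running, policy, klass)
    want = inspections(target, policy, klass)
    body = [f"  no inspect {i}" for i in sorted(cur - want)]
    body += [f"  inspect {i}" for i in sorted(want - cur)]
    if not body:
        return []
    return [f"policy-map {policy}", f" class {klass}"] + body


if __name__ == "__main__":
    added, removed = inspection_diff(BASELINE, RUNNING)
    print("inspections added since baseline:  ", added)
    print("inspections removed since baseline:", removed)
    print("\nchange request to test without SIP inspection:")
    print("\n".join(change_request(RUNNING, BASELINE)))
    print("\nchange request to revert:")
    print("\n".join(change_request(BASELINE, RUNNING)))
```

Because the revert is generated from the same two inputs with the arguments swapped, both change requests can be filed together, which is the practical answer to the week-long turnaround the asker describes.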
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Accept: Jackie Man (https:#a42441106)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
FireRunt
Experts-Exchange Cleanup Volunteer
So I assume the apps are by this company - https://www.stratusvideo.com
Excuse me if I state anything obvious you've already tried, but it would be useful to know:
1. When on the Hospital network can the iPads connect to the Internet in all other respects? Safari and Mail all work OK? What about apps which use video such as YouTube?
2. When on the hospital network, do you know the URL/IP address that the Stratus app is trying to connect to? Can you identify the traffic from devices - or when on your home network can you use the router or network tools to identify the traffic?