I have a client who has been using VoIP through a Cisco ASA 5506-x for a while and has run into a major problem. For no obvious reason (no recent configuration changes or firmware updates), the phones became unable to communicate with the CO. I'm not seeing anything in the rules to prevent this. Other than enabling QoS (which I've also disabled as a test), there's really not much special going on in the ASA configuration. No VLANs and no complicated rules. There is a separate subnet on a different physical port on the ASA.
As a test, I replaced the ASA with a simple router and they worked. I take this to rule out a change at the ISP as the cause.
I watched traffic and saw a number of rejections of some ICMP packets, so I allowed them and those errors went away, but the phones still don't connect.
I did some further watching and noticed the following sequence looking at outgoing traffic from the phone at 192.168.113.110. I've replaced our actual Outside IP with "OutsideIP", the phone provider's CO IP with "PhoneCO", and have added my comments about what I think is being done. I also reversed the order, so the oldest is first:
Phone makes a connection to our DNS server (UDP port 53) at 192.168.113.100:
6|||302015|192.168.113.100|52546|192.168.112.252|53|Built inbound UDP connection 10506 for inside_113:192.168.113.100/52546 (192.168.113.100/52546) to inside:192.168.112.252/53 (192.168.112.252/53)
Connection is torn down right away:
6|||302016|192.168.113.100|52546|192.168.112.252|53|Teardown UDP connection 10506 for inside_113:192.168.113.100/52546 to inside:192.168.112.252/53 duration 0:00:00 bytes 72
Phone makes a DNS connection to our Outside IP address:
6|||305011|192.168.113.100|26266|OutsideIP|26266|Built dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266
Phone makes a TCP connection to the CO. I notice that this is using the same translated port 26266 as the connection immediately prior:
6|||302013|192.168.113.100|26266|PhoneCO|443|Built outbound TCP connection 10510 for outside:PhoneCO/443 (PhoneCO/443) to inside_113:192.168.113.100/26266 (OutsideIP/26266)
The connection is torn down right away.
6|||305012|192.168.113.100|26266|OutsideIP|26266|Teardown dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266 duration 0:00:00
Connection to the PhoneCO is denied as the connection using translated port 26266 was just torn down:
6|||106015|192.168.113.100|26266|PhoneCO|443|Deny TCP (no connection) from 192.168.113.100/26266 to PhoneCO/443 flags RST ACK on interface inside_113
Am I correct to conclude that the "Deny TCP" is because the connection reused the translated port 26266 and is the likely reason the phone can't communicate with the CO? If so, how do I resolve the issue?
Thank you in advance for assistance with this.
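The six log lines quoted above can be read mechanically rather than by eye. The following script is an added example, not code from the original post or from Cisco: it parses the pipe-delimited ASA syslog export in the shape shown in the question (the field layout of severity, two blank columns, message id, source, source port, destination, destination port and free text is an assumption taken from those lines), keeps the poster's own OutsideIP / PhoneCO placeholders as sample data, and correlates each 305012 "Teardown dynamic TCP translation" with any 106015 "Deny TCP (no connection)" that follows for the same inside address and port. It also pulls out the TCP flags of the denied packet, which is the detail a firewall engineer looks at first: a denied SYN means new connections are being refused, whereas a denied RST ACK is a packet belonging to a connection the ASA no longer has state for.

```python
"""Parse the ASA syslog export quoted in the question and correlate
zero-duration PAT teardowns (305012) with the "Deny TCP (no connection)"
events (106015) that follow on the same inside address/port.
Added example; the field layout is assumed from the quoted lines."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input copied from the question (OutsideIP / PhoneCO are the
# poster's placeholders), oldest line first as the poster arranged it.
SAMPLE_LOG = """\
6|||302015|192.168.113.100|52546|192.168.112.252|53|Built inbound UDP connection 10506 for inside_113:192.168.113.100/52546 (192.168.113.100/52546) to inside:192.168.112.252/53 (192.168.112.252/53)
6|||302016|192.168.113.100|52546|192.168.112.252|53|Teardown UDP connection 10506 for inside_113:192.168.113.100/52546 to inside:192.168.112.252/53 duration 0:00:00 bytes 72
6|||305011|192.168.113.100|26266|OutsideIP|26266|Built dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266
6|||302013|192.168.113.100|26266|PhoneCO|443|Built outbound TCP connection 10510 for outside:PhoneCO/443 (PhoneCO/443) to inside_113:192.168.113.100/26266 (OutsideIP/26266)
6|||305012|192.168.113.100|26266|OutsideIP|26266|Teardown dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266 duration 0:00:00
6|||106015|192.168.113.100|26266|PhoneCO|443|Deny TCP (no connection) from 192.168.113.100/26266 to PhoneCO/443 flags RST ACK on interface inside_113
"""


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    text: str


def parse_line(line: str) -> AsaEvent:
    """Split one export line. Assumed layout (from the quoted lines):
    severity | blank | blank | message id | src | sport | dst | dport | text."""
    fields = line.split("|", 8)
    if len(fields) != 9:
        raise ValueError(f"unexpected field count in: {line!r}")
    sev, _, _, msg_id, sip, sport, dip, dport, text = fields
    return AsaEvent(int(sev), msg_id, sip, int(sport), dip, int(dport), text)


def parse_log(raw: str) -> List[AsaEvent]:
    return [parse_line(l) for l in raw.splitlines() if l.strip()]


DURATION_RE = re.compile(r"duration (\d+):(\d+):(\d+)")
FLAGS_RE = re.compile(r"flags ([A-Z ]+?) on interface (\S+)")


def duration_seconds(text: str) -> Optional[int]:
    """Lifetime reported in a teardown message, or None if absent."""
    m = DURATION_RE.search(text)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def find_denies_after_pat_teardown(events: List[AsaEvent]) -> List[Tuple[AsaEvent, AsaEvent]]:
    """Pair each 106015 deny with the most recent 305012 teardown seen for
    the same inside address/port (the key the ASA logs in both messages)."""
    last_teardown: Dict[Tuple[str, int], AsaEvent] = {}
    findings = []
    for ev in events:
        key = (ev.src_ip, ev.src_port)
        if ev.msg_id == "305012":
            last_teardown[key] = ev
        elif ev.msg_id == "106015" and key in last_teardown:
            findings.append((last_teardown[key], ev))
    return findings


def summarize(raw: str) -> List[dict]:
    """One record per correlated teardown/deny pair, with the denied
    packet's TCP flags so a SYN can be told apart from a stray RST ACK."""
    out = []
    for td, dn in find_denies_after_pat_teardown(parse_log(raw)):
        flags_m = FLAGS_RE.search(dn.text)
        out.append({
            "inside": f"{dn.src_ip}/{dn.src_port}",
            "peer": f"{dn.dst_ip}/{dn.dst_port}",
            "translation_lifetime_s": duration_seconds(td.text),
            "flags": flags_m.group(1) if flags_m else None,
            "interface": flags_m.group(2) if flags_m else None,
        })
    return out


if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG):
        print(record)
```

Run against the quoted lines it reports a single pair: inside 192.168.113.100/26266 to PhoneCO/443, a translation that lived 0 seconds, and a denied packet carrying RST ACK on inside_113. Feeding it a longer export (with the same field layout) shows whether any 106015 for the phone ever carries a SYN, which is the case that would actually stop a new connection from being built.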