
VoIP quit working through Cisco ASA 5506-X

Asked by CompProbSolv
Tags: Voice Over IP, DNS, Cisco
I have a client who has been using VoIP through a Cisco ASA 5506-X for a while and has run into a major problem. For no obvious reason (no recent configuration changes or firmware updates), the phones became unable to communicate with the CO. I'm not seeing anything in the rules to prevent this. Other than enabling QoS (which I've also disabled as a test), there's really not much special going on in the ASA configuration. No VLANs and no complicated rules. There is a separate subnet on a different physical port on the ASA.

As a test, I replaced the ASA with a simple router and they worked.  I take this to rule out a change at the ISP as the cause.

I watched traffic and saw a number of rejections of some ICMP packets, so I allowed them and those errors went away, but the phones still don't connect.

I did some further watching and noticed the following sequence looking at outgoing traffic from the phone at 192.168.113.110.  I've replaced our actual Outside IP with "OutsideIP", the phone provider's CO IP with "PhoneCO", and have added my comments about what I think is being done.  I also reversed the order, so the oldest is first:

Phone makes a connection to our DNS server (UDP port 53) at 192.168.113.100:
6|||302015|192.168.113.100|52546|192.168.112.252|53|Built inbound UDP connection 10506 for inside_113:192.168.113.100/52546 (192.168.113.100/52546) to inside:192.168.112.252/53 (192.168.112.252/53)

Connection is torn down right away:
6|||302016|192.168.113.100|52546|192.168.112.252|53|Teardown UDP connection 10506 for inside_113:192.168.113.100/52546 to inside:192.168.112.252/53 duration 0:00:00 bytes 72

Phone makes a DNS connection to our Outside IP address:
6|||305011|192.168.113.100|26266|OutsideIP|26266|Built dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266

Phone makes a TCP connection to the CO.  I notice that this is using the same translated port 26266 as the connection immediately prior:
6|||302013|192.168.113.100|26266|PhoneCO|443|Built outbound TCP connection 10510 for outside:PhoneCO/443 (PhoneCO/443) to inside_113:192.168.113.100/26266 (OutsideIP/26266)

The connection is torn down right away.
6|||305012|192.168.113.100|26266|OutsideIP|26266|Teardown dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266 duration 0:00:00

Connection to the PhoneCO is denied as the connection using translated port 26266 was just torn down:
6|||106015|192.168.113.100|26266|PhoneCO|443|Deny TCP (no connection) from 192.168.113.100/26266 to PhoneCO/443 flags RST ACK  on interface inside_113


Am I correct to conclude that the "Deny TCP" is because the connection reused the translated port 26266 and is the likely reason the phone can't communicate with the CO?  If so, how do I resolve the issue?

Thank you in advance for assistance with this.
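
Added example, not part of the original post: a short Python script that automates the by-hand correlation above, grouping the quoted log lines by source IP/port and listing any 106015 deny logged after a 305012 translation teardown for the same source. It assumes the pipe-delimited field order seen in the quoted lines (severity, date, time, syslog ID, source IP, source port, destination IP, destination port, message) and keeps the post's OutsideIP and PhoneCO placeholders; it reports ordering only and does not establish the cause.

```python
import re
from collections import defaultdict

# Log lines copied from the post (oldest first), placeholders unchanged.
SAMPLE_LOG = """\
6|||302015|192.168.113.100|52546|192.168.112.252|53|Built inbound UDP connection 10506 for inside_113:192.168.113.100/52546 (192.168.113.100/52546) to inside:192.168.112.252/53 (192.168.112.252/53)
6|||302016|192.168.113.100|52546|192.168.112.252|53|Teardown UDP connection 10506 for inside_113:192.168.113.100/52546 to inside:192.168.112.252/53 duration 0:00:00 bytes 72
6|||305011|192.168.113.100|26266|OutsideIP|26266|Built dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266
6|||302013|192.168.113.100|26266|PhoneCO|443|Built outbound TCP connection 10510 for outside:PhoneCO/443 (PhoneCO/443) to inside_113:192.168.113.100/26266 (OutsideIP/26266)
6|||305012|192.168.113.100|26266|OutsideIP|26266|Teardown dynamic TCP translation from inside_113:192.168.113.100/26266 to outside:OutsideIP/26266 duration 0:00:00
6|||106015|192.168.113.100|26266|PhoneCO|443|Deny TCP (no connection) from 192.168.113.100/26266 to PhoneCO/443 flags RST ACK  on interface inside_113
"""

# Syslog IDs that appear in the post; the labels are this example's own names.
EVENTS = {"302013": "tcp-built", "302015": "udp-built", "302016": "udp-teardown",
          "305011": "xlate-built", "305012": "xlate-teardown", "106015": "deny-no-connection"}

def parse_line(line):
    """Split one pipe-delimited line into a record; None if it is not a known event."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9 or parts[3] not in EVENTS:
        return None
    flags = re.search(r"flags (.*?)\s+on interface", parts[8])  # only present on 106015
    return {"event": EVENTS[parts[3]], "src": (parts[4], parts[5]),
            "dst": (parts[6], parts[7]), "flags": flags.group(1) if flags else None}

def timeline_by_source(log_text):
    """Group records by (source IP, source port), preserving log order."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[rec["src"]].append(rec)
    return flows

def denies_after_teardown(log_text):
    """Return 106015 records logged after an xlate teardown for the same source IP/port."""
    hits = []
    for events in timeline_by_source(log_text).values():
        torn_down = False
        for rec in events:
            if rec["event"] == "xlate-teardown":
                torn_down = True
            elif rec["event"] == "deny-no-connection" and torn_down:
                hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in denies_after_teardown(SAMPLE_LOG):
        print("deny after xlate teardown:", hit["src"], "->", hit["dst"], "flags", hit["flags"])
```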