Asked by CompProbSolv

VoIP quit working through Cisco ASA 5506-X

I have a client who has been using VoIP through a Cisco ASA 5506-x for a while and has run into a major problem.  For no obvious reason (no recent configuration changes or firmware updates), the phones became unable to communicate with the CO.  I'm not seeing anything in the rules to prevent this.  Other than enabling QoS (which I've also disabled as a test), there's really not much special going on in the ASA configuration.  No VLANs and no complicated rules.  There is a separate subnet on a different physical port on the ASA.

As a test, I replaced the ASA with a simple router and they worked.  I take this to rule out a change at the ISP as the cause.

I watched traffic and saw a number of rejections of some ICMP packets, so I allowed them and those errors went away, but the phones still don't connect.

I did some further watching and noticed the following sequence looking at outgoing traffic from the phone at  I've replaced our actual Outside IP with "OutsideIP", the phone provider's CO IP with "PhoneCO", and have added my comments about what I think is being done.  I also reversed the order, so the oldest is first:

Phone makes a connection to our DNS server (UDP port 53) at
6|||302015||52546||53|Built inbound UDP connection 10506 for inside_113: ( to inside: (

Connection is torn down right away:
6|||302016||52546||53|Teardown UDP connection 10506 for inside_113: to inside: duration 0:00:00 bytes 72

Phone makes a DNS connection to our Outside IP address:
6|||305011||26266|OutsideIP|26266|Built dynamic TCP translation from inside_113: to outside:OutsideIP/26266

Phone makes a TCP connection to the CO.  I notice that this is using the same translated port 26266 as the connection immediately prior:
6|||302013||26266|PhoneCO|443|Built outbound TCP connection 10510 for outside:PhoneCO/443 (PhoneCO/443) to inside_113: (OutsideIP/26266)

The connection is torn down right away.
6|||305012||26266|OutsideIP|26266|Teardown dynamic TCP translation from inside_113: to outside:OutsideIP/26266 duration 0:00:00

Connection to the PhoneCO is denied as the connection using translated port 26266 was just torn down:
6|||106015||26266|PhoneCO|443|Deny TCP (no connection) from to PhoneCO/443 flags RST ACK  on interface inside_113

Am I correct to conclude that the "Deny TCP" is because the connection reused the translated port 26266 and is the likely reason the phone can't communicate with the CO?  If so, how do I resolve the issue?

Thank you in advance for assistance with this.
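
The correlation asked about above can be checked across a whole log export instead of by eye. The following is an added example, not part of the original post: it assumes the ASDM pipe-delimited layout seen in the lines above (severity|date|time|message ID|source IP|source port|destination IP|destination port|description), and the sample lines and addresses are constructed.

```python
from collections import namedtuple

# ASDM export layout assumed from the lines in the post:
# severity|date|time|message ID|src IP|src port|dst IP|dst port|description
Event = namedtuple("Event", "sev date time msg_id src_ip src_port dst_ip dst_port text")

# Constructed sample (documentation address ranges, not values from the post).
SAMPLE = """\
6|Mar 01 2024|10:15:02|305011|192.168.113.20|26266|203.0.113.10|26266|Built dynamic TCP translation from inside_113:192.168.113.20/26266 to outside:203.0.113.10/26266
6|Mar 01 2024|10:15:02|302013|192.168.113.20|26266|198.51.100.5|443|Built outbound TCP connection 10510 for outside:198.51.100.5/443 (198.51.100.5/443) to inside_113:192.168.113.20/26266 (203.0.113.10/26266)
6|Mar 01 2024|10:15:03|305012|192.168.113.20|26266|203.0.113.10|26266|Teardown dynamic TCP translation from inside_113:192.168.113.20/26266 to outside:203.0.113.10/26266 duration 0:00:00
6|Mar 01 2024|10:15:03|106015|192.168.113.20|26266|198.51.100.5|443|Deny TCP (no connection) from 192.168.113.20/26266 to 198.51.100.5/443 flags RST ACK  on interface inside_113
6|Mar 01 2024|10:15:09|106015|192.168.113.21|40112|198.51.100.5|443|Deny TCP (no connection) from 192.168.113.21/40112 to 198.51.100.5/443 flags RST ACK  on interface inside_113
""".splitlines()


def parse(line):
    """Split one pipe-delimited line; return None for anything malformed."""
    parts = line.strip().split("|", 8)  # the description may itself contain '|'
    if len(parts) != 9 or not parts[3].isdigit():
        return None
    return Event(*parts)


def denies_after_xlate_teardown(lines):
    """Return 106015 denies whose source ip/port had its translation torn down earlier."""
    torn_down = {}  # (real ip, real port) -> time of the 305012 teardown
    hits = []
    for ev in filter(None, map(parse, lines)):
        key = (ev.src_ip, ev.src_port)
        if ev.msg_id == "305011":      # new translation built: earlier teardown no longer applies
            torn_down.pop(key, None)
        elif ev.msg_id == "305012":    # translation torn down
            torn_down[key] = ev.time
        elif ev.msg_id == "106015" and key in torn_down:
            hits.append((f"{ev.src_ip}/{ev.src_port}", f"{ev.dst_ip}/{ev.dst_port}", torn_down[key], ev.time))
    return hits


if __name__ == "__main__":
    for src, dst, gone, denied in denies_after_xlate_teardown(SAMPLE):
        print(f"{src} -> {dst}: translation torn down {gone}, packet denied {denied}")
```

A hit shows only that the deny followed the translation teardown for the same source address and port; it does not show why the translation was torn down.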