SIP inspect and PJSIP

We recently had a vendor switch from Cisco SIP to PJSIP. After the migration it was necessary for us to add an access list to allow UDP port range 60000-65535. To the best of my knowledge this is part of the reason we enabled SIP inspect several years ago on the Cisco ASA. I saw evidence of these ports being denied in the syslog before I added these ports to the access-list. I am sorry to report that our log history does not go back far enough to see the packet flow before the change.
Any suggestion you might have to assist me in my research would be appreciated.
ASA 5520 ASA Version 8.2(5)33
  inspect rtsp
  inspect sip

Hi,
One of the reasons for the SIP inspection is for the ASA device to dynamically open pinholes (secondary channels) for the audio communication through the ASA device without having to open the huge range of ports.
I don't think PJSIP would be supported as an inspection protocol and hence you would have to open these high range ports through the ASA device.
Hope that answers your query.
Thanks and Regards,
Vibhor Amrodia

Similar Messages

  • SIP Inspection and dynamic port opening after re-invite

    Platform: ASA 8.3(2)
    Hello,
    I have SIP devices along with a SIP trunk and media endpoints. I am having issues with the ASA not dynamically opening (sip inspect enabled) UDP ports for RTP after a SIP re-INVITE causes the media endpoints to change within the SDP.
    The problem is as below.
    Initial SIP INVITE sets up properly with ports dynamically opened between the media endpoints in the ASA
    Re-INVITE from the SIP device causes the media endpoints to change within the SDP
    ASA blocks ports associated to the new media endpoints
    I can resolve this by allowing the ports in the ACL, but I am surprised this is not working as re-INVITEs to change media endpoints are to be expected in a SIP conversation.
    Regards,
    AJ

    Below is the script you can use to reproduce this. Points worth mentioning.
    Initial INVITE sets up the media between the SIP trunk and a media device (10.1.2.150) in the inside network; SIP signalling will be with 10.1.2.100. At this point RTP flows freely between the SIP trunk and the media device.
    If the call is fax, a re-invite will occur and this will cause the IP address to change in the SDP. The new media endpoint becomes 10.1.2.151 (This device is SIP and Media (T38) capable).
    For every SIP call we establish 10.1.2.150 will be used for media, we do not want to change this behaviour.
    ASA 8.3 (2)
    conf t
    interface Ethernet0/0
    nameif Inside_Voice
    security-level 100
    ip address 10.1.2.11 255.255.255.0 standby 10.1.2.12
    exit
    interface Ethernet0/1
    nameif Outside_SIP_Trunk
    security-level 0
    ip address 10.1.60.254 255.255.255.0 standby 10.1.60.253
    exit
    object-group network SIP_trunks
    network-object 1.2.3.0 255.255.255.0
    exit
    object-group service SIP_service
    service-object tcp destination eq sip
    service-object udp destination eq sip
    exit
    object-group network SIP_inside_servers
    network-object host 10.1.2.100
    exit
    access-list Outside_SIP_in extended permit object-group SIP_service object-group SIP_trunks object-group SIP_inside_servers
    access-group Outside_SIP_in in interface Outside_SIP_Trunk
    route Outside_SIP_Trunk 0.0.0.0 0.0.0.0 10.1.60.1
    class-map inspection_default
    match default-inspection-traffic
    exit
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect icmp error
    class class-default
    set connection decrement-ttl
    exit
    service-policy global_policy global
    end
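The two ASA threads above (the PJSIP question at the top of the page and this re-INVITE post) both come down to one fact: the UDP ports RTP will use are not in the signalling port 5060, they are in the c= and m= lines of the SDP carried by each INVITE/200 OK, and a re-INVITE can move them to a different host. The following is an added example, not code from the forum thread or from Cisco: a small Python SDP parser that derives the pinholes a SIP-aware firewall has to open, computes what changes on a re-INVITE (the fax case described above, with 10.1.2.150 and 10.1.2.151 reused from the post), and renders the same pinholes as static ACL lines to show what you give up without inspection. The SIP messages are constructed, and 1.2.3.4, all ports and the ACL/object-group names are assumptions.

```python
"""Derive firewall pinholes from SDP, the way a SIP inspection engine does.

Added example, not from the thread and not Cisco code. The messages below
are constructed: 10.1.2.150/151 reuse the addresses from the re-INVITE post,
1.2.3.4 and every port number are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    addr: str
    port: int
    proto: str      # transport from the m= line, e.g. RTP/AVP or udptl


def sip_message(start_line: str, headers: list, body: str) -> str:
    """Build a SIP message with a correct Content-Length (for the samples)."""
    hdrs = headers + [("Content-Type", "application/sdp"),
                      ("Content-Length", str(len(body)))]
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs) + "\r\n" + body


def sdp_body(msg: str) -> str:
    """Return the SDP body of a SIP message, or '' if it carries none."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").lower().startswith("application/sdp"):
        return ""
    return body


def sdp_pinholes(sdp: str) -> set:
    """UDP (address, port) pairs the firewall must permit for this SDP.

    A session-level c= applies to every m= section without its own c=.
    For RTP media the RTCP port (port + 1) is opened as well; an m= line
    with port 0 is a rejected/removed stream and gets no pinhole.
    """
    session_addr = None
    media = []                      # [addr or None, port, count, proto]
    for line in sdp.splitlines():
        m = re.match(r"^([a-z])=(.*)$", line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "c":              # c=IN IP4 10.1.2.150
            addr = value.split()[2]
            if media:
                media[-1][0] = addr  # media-level c= overrides the session one
            else:
                session_addr = addr
        elif key == "m":            # m=audio 16384 RTP/AVP 0 8 101
            _kind, port_field, proto, *_ = value.split()
            port, _, count = port_field.partition("/")
            media.append([None, int(port), int(count or 1), proto])
    holes = set()
    for addr, port, count, proto in media:
        addr = addr or session_addr
        if addr is None or port == 0:
            continue
        for i in range(count):      # m=audio 20000/2 means two consecutive RTP pairs
            base = port + 2 * i
            holes.add(Pinhole(addr, base, proto))
            if proto.startswith("RTP/"):
                holes.add(Pinhole(addr, base + 1, proto))
    return holes


def pinhole_delta(old_sdp: str, new_sdp: str):
    """(close, open) pinhole sets when a re-INVITE replaces the old SDP."""
    before, after = sdp_pinholes(old_sdp), sdp_pinholes(new_sdp)
    return before - after, after - before


def static_acl(pinholes, acl="Outside_SIP_in", src="object-group SIP_trunks"):
    """The same pinholes as static ASA ACL lines (names are assumptions)."""
    return sorted(f"access-list {acl} extended permit udp {src} host {h.addr} eq {h.port}"
                  for h in pinholes)


# Constructed sample messages (not captures). 200 OK answering the trunk's INVITE.
ANSWER_200 = sip_message("SIP/2.0 200 OK", [
    ("Via", "SIP/2.0/UDP 1.2.3.4:5060;branch=z9hG4bK-1"),
    ("From", "<sip:trunk@1.2.3.4>;tag=a"), ("To", "<sip:10.1.2.100>;tag=b"),
    ("Call-ID", "call-1@10.1.2.100"), ("CSeq", "1 INVITE")],
    "v=0\r\no=pbx 1 1 IN IP4 10.1.2.100\r\ns=-\r\nc=IN IP4 10.1.2.150\r\nt=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\na=rtpmap:101 telephone-event/8000\r\n")

# Fax re-INVITE: audio stream removed (port 0), T.38 offered from another host.
RE_INVITE = sip_message("INVITE sip:trunk@1.2.3.4 SIP/2.0", [
    ("Via", "SIP/2.0/UDP 10.1.2.100:5060;branch=z9hG4bK-2"),
    ("From", "<sip:10.1.2.100>;tag=b"), ("To", "<sip:trunk@1.2.3.4>;tag=a"),
    ("Call-ID", "call-1@10.1.2.100"), ("CSeq", "2 INVITE")],
    "v=0\r\no=pbx 1 2 IN IP4 10.1.2.100\r\ns=-\r\nc=IN IP4 10.1.2.151\r\nt=0 0\r\n"
    "m=audio 0 RTP/AVP 0\r\nm=image 49170 udptl t38\r\n")

if __name__ == "__main__":
    print("initial call:", sorted(sdp_pinholes(sdp_body(ANSWER_200)), key=lambda h: h.port))
    close, open_ = pinhole_delta(sdp_body(ANSWER_200), sdp_body(RE_INVITE))
    print("re-INVITE: close", sorted(h.port for h in close), "open", sorted(h.port for h in open_))
    print("\n".join(static_acl(open_)))
```

Running it shows the initial call needing exactly two pinholes on 10.1.2.150 (RTP 16384 and RTCP 16385) and the re-INVITE closing both and opening one UDPTL pinhole on 10.1.2.151; an engine that only tracks the first offer/answer leaves the second set closed, which is the symptom in the post. Without inspection the only static alternative is an ACL covering every port the PBX might pick, which is what the 60000-65535 range in the first post amounts to.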

  • SIP inspection on ASA cluster

    Hi 
    I have set up clustering on 2 ASA 5555-x firewalls and just saw on the cisco site that SIP inspection is not supported. My organization provides a voip solution that requires SIP. Does anyone know a work around for SIP on an ASA cluster?
    I look forward to your response.

    Hi Smetieh,
    You need a policy inspection for sip, please follow the example below.
    class-map cls-SIP
     match default-inspection-traffic
    policy-map pmap-SIP
     description My-SIP Policy
     class cls-SIP
      inspect sip 
    service-policy pmap-SIP interface outside
    Hope this helps.
    Thanks
    Rizwan Rafeek.

  • SIP Inspection Required

    Hi everyone,
    Do I need to enable SIP inspection as per this article?
    We're trying a proof-of-concept install for the Cisco Mobile iPhone client and the Cisco Cius, since we do not have any corporate WiFi we're utilising the AnyConnect clients that are available on both via our ASA5510 appliances that are running 8.3(1). However, we are unable to make calls via the VPN and find that the call initially rings but the call isn't fully setup when answered (The calling side will just continue to ring).
    I'm seeing TCP connections (See attached syslog messages) being denied for port 5060 on the basis that there is no existing connection as the previous TCP connection is torn down. Hoping I can get some confirmation here before giving it a go.
    Thanks,
    Mark

    Mark,
    Normally you do not need to have inspection over VPN:
    1) Typically you do not have NAT over VPN (typically!)
    2) All the traffic is allowed over VPN by default (there is a sysopt for VPN traffic to ignore ACLs)
    Now if it really is a problem of inspection, it's hard to say.
    Did you try skinny instead of SIP? (Just out of curiosity).
    Marcin

  • In process Inspection and Rework Qty Issue

    Hi,
    There is a Production Order for 100 qty. There are 5 in-process operations: 0010 Cutting, 0020 Welding, 0030 Inspection, 0040 Turning, and 0050 Inspection
    (1) 0010 operation is finished by production for 50 qty and confirmed through CO11N by entering yield as 50 qty.
    (2) 0020 operation is finished by production for 50 qty and confirmed through CO11N by entering yield as 50 qty.
    (3) 0030 operation: Quality inspected and entered results as 25 as yield and 25 as rework. For defects a Q3 notification is triggered (i.e. the CO11N transaction is called in QM).
    (4) Production opened a rework order (CO07) and confirmed the rework operation and booked material and labor cost on a cost center instead of the original order.
    (5) 0040 operation: production could confirm only 25 qty as the earlier 0030 inspection operation yield was only 25 qty.
    (6) In the 0030 inspection operation 25 qty was already entered as rework. Now, after rework, how will results recording be done and the qty posted in yield? Unless yield is entered under the 0030 operation for 25 qty, production cannot confirm the 0040 operation for the pending 25 qty.
    (7) Business requirement is that whatever qty production manufactures has to be entered in the system. Based on quality inspection, incentive will be paid only for the qty which is passed by quality.
    Settings Made:
    (a) 100 Free Inspection, No Qty Relation, Quantity Valuation and Confirmation in Production for only the inspection work center without any cost capturing.
    (b) Confirmation parameter settings with error for over and under delivery tolerance, error if inspection sequence not adhered to, error message if no inspection results exist.
    Any suggestion or any other way of handling this requirement.
    Thanks & Regards,
    RSR

    Hi RSR,
    Your way of mapping is absolutely fine, few points to be clear...
    03 inspection type and enable inspection characteristics for operation 030
    04 inspection type to be enabled and operation 050 shall be eliminated if possible; material stock posting will be done from the 04 inspection lot for 25 nos.
    let me know if you have questions..
    regards,
    Lenin. A

  • How the returm stock will be posted to quality inspection and in unrestrict

    Hi Friends,
    Hi friends, I am an SD consultant with little knowledge about MM, so I need your help. I made a return cycle in SD. While doing MMBE (stock check) the return stock is posted in the return column. How can it be transferred to quality inspection and from there to unrestricted?
    Regards.

    hi,
    check add Inspection Type field value in the material master records QM view ...if not provide then enter...and then try..
    Regards
    Priyanka.P

  • How would I request skype for two sip domains and one edge

    I have a couple of logistics questions.
    scenario:
    1 edge server: lync-edge-access.domain1.com (FQDN of access server)
    2 SIP domains: domain1.com and domain2.com
    public certificate with SN: lync-edge-access.domain1.com as well as all of the SANs including sip.domain1.com and sip.domain2.com
    3 A records with the same IP: sip.domain1.com, sip.domain2.com, lync-edge-access.domain1.com.
    2 SRV records pointing to sip.domain1.com and sip.domain2.com on port 5061 (since they have the same IP as lync-edge-access.domain1.com and that server's certificate has names for all of them, I figure this is a correct method to set them up).
    My first question was when I requested my federation with Skype via Microsoft with my license agreement number it asked me for the FQDN of my access edge server. I figured this would be lync-edge-access.domain1.com. It then asked me for my SIP domains and I added two, domain1.com and domain2.com. Did I do this correctly or should I have put in two requests, one for the FQDN sip.domain1.com with SIP domain domain1.com and one for sip.domain2.com with domain domain2.com? Or should I change my SRV records to both point to lync-edge-access.domain1.com?
    Currently when I am looking for contacts in Skype I can't find my accounts, and vice versa, if I add an account in Lync for Skype it just reports offline. So I figure I did something wrong with my logic above. I can easily request an update but I want to make sure I get it right this time.
    Thanks
    Loren
    Loren Hudson

    Hi Loren
    As far as I know, you could add one or more SIP domain names at the same time.
    To initiate the provisioning process for Lync-Skype connectivity:
    1. Sign in to the website, https://pic.lync.com, using your Microsoft Windows Live ID.
    2. Select the Microsoft licensing agreement type.
    3. Select the check box, verifying that you have read and accept the Product Use Rights for Lync Server.
    4. On the Initiate a Provisioning Request page, click the appropriate link to initiate a provisioning request.
    5. On the Specify Provisioning Information page, enter the Access Edge service FQDN. For example, accessedge.contoso.com.
    6. Enter at least one or more SIP domain names, and then click Add.
    7. In the list of Public IM Service providers, select Skype, click Next to add contact information, and submit the provisioning request.
    Click the link below for more information.
    Accessing the Lync Server public IM connectivity provisioning site from Lync Server 2013
    http://technet.microsoft.com/en-us/library/dn440174.aspx
    Hope it can be helpful.
    Best regards,
    Eric

  • Ip inspect and blocking

    Hello
    My config:
    ip inspect name CBAC tcp timeout 10
    ip inspect max-incomplete high 100
    int fa0/1
    ip access-group permit_all in
    int fa0/2
    ip access-group permit_all in
    ip inspect CBAC in
    Access-list on both interfaces accept all ip traffic.
    What happens when:
    1. Incoming TCP SYN packet arrives on fa0/1 and TCP session is built. I assume that this session will not be inspected ?
    2. TCP session is initiated from fa0/2 interface. Such session will be inspected - and after 10 seconds of idle:
    a) when  packet within this session will be received on fa0/1 it will be accepted ?
    b) when  packet within this session will be received on fa0/2 it will be dropped ?
    3.  When TCP ACK packet is received on fa0/2 - but there is no session which matches this packet - will it be dropped ?
    4. Only 100 half-opened session are accepted but only when initiated from fa0/2, when initiated from fa0/1 - there is no limit ?
    Thanks

    Here are the answers to your questions.
    1. Incoming TCP SYN packet arrives on fa0/1 and TCP session is built. I assume that this session will not be inspected ?
    2. TCP session is initiated from fa0/2 interface. Such session will be inspected - and after 10 seconds of idle:
    a) when packet within this session will be received on fa0/1 it will be accepted ?
    b) when packet within this session will be received on fa0/2 it will be dropped ?
    3. When TCP ACK packet is received on fa0/2 - but there is no session which matches this packet - will it be dropped ?
    4. Only 100 half-opened session are accepted but only when initiated from fa0/2, when initiated from fa0/1 - there is no limit ?
    1. Yes this session will not be inspected.
    2. a) No, after the session has gone idle. it will be removed and the next packet should have the Syn Flag not ACK.
        b) Yes, they will not be dropped.
    3. Yes.
    4. This value is defined globally , not interface wise.
    Puneet
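The questions above are really about what state a single-interface `ip inspect ... in` keeps and when it is consulted. The following is an added example, not IOS code and not from the thread: a small Python model of that state machine, using the interface names and timers from the post (inspection inbound on fa0/2 only, 10 second TCP idle timeout, max-incomplete high of 100) and walking through the four scenarios asked about. Beyond what the reply states, the model makes two assumptions that are labelled in the code: the ACLs permit everything, so only missing inspection state can produce a drop, and reaching the half-open high watermark evicts the oldest half-open session to admit the new SYN rather than refusing it. The addresses and ports in the scenario are constructed.

```python
"""Toy model of one-interface CBAC-style TCP inspection (added example, not IOS).

Assumptions: the ACLs on both interfaces permit everything (as in the post),
so the only source of a drop is inspection state; hitting the max-incomplete
high watermark evicts the oldest half-open session to make room for a new one.
"""
from dataclasses import dataclass


@dataclass
class Session:
    last_seen: float
    established: bool = False   # handshake completed from the initiator's side


class InspectModel:
    def __init__(self, inspect_in=("fa0/2",), idle_timeout=10, max_incomplete=100):
        self.inspect_in = set(inspect_in)
        self.idle_timeout = idle_timeout
        self.max_incomplete = max_incomplete
        self.sessions = {}      # (src, sport, dst, dport) as seen from the initiator

    def _expire(self, now):
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > self.idle_timeout:
                del self.sessions[key]      # idle: state is gone, next packet must be a SYN

    def half_open(self):
        return sum(1 for s in self.sessions.values() if not s.established)

    def _make_room(self):
        # max-incomplete high is a global counter, not per interface
        if self.half_open() >= self.max_incomplete:
            oldest = min((k for k, s in self.sessions.items() if not s.established),
                         key=lambda k: self.sessions[k].last_seen)
            del self.sessions[oldest]

    def packet(self, iface, src, sport, dst, dport, flags, now):
        """Classify one TCP segment: 'permit-session', 'permit-acl' or 'drop'."""
        self._expire(now)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        sess = self.sessions.get(fwd) or self.sessions.get(rev)
        if sess is not None:                # belongs to a tracked session (either direction)
            sess.last_seen = now
            if fwd in self.sessions and flags == {"ACK"}:
                sess.established = True
            return "permit-session"
        if iface not in self.inspect_in:    # no inspection on this interface: ACL only, no state
            return "permit-acl"
        if flags == {"SYN"}:                # only a SYN can create state
            self._make_room()
            self.sessions[fwd] = Session(last_seen=now)
            return "permit-session"
        return "drop"                       # non-SYN with no matching session


def scenario():
    """Walk the four questions from the post; returns a dict of outcomes."""
    fw, out = InspectModel(), {}
    # Q1: SYN arriving on fa0/1 (no inspect there): ACL permits it, no session is built
    out["q1_syn_fa0/1"] = fw.packet("fa0/1", "192.0.2.10", 40000, "10.0.0.5", 80, {"SYN"}, 0)
    out["q1_sessions"] = len(fw.sessions)
    # Q2: session initiated on fa0/2; the return traffic on fa0/1 matches it
    fw.packet("fa0/2", "10.0.0.5", 50000, "192.0.2.10", 443, {"SYN"}, 1)
    out["q2_return_fa0/1"] = fw.packet("fa0/1", "192.0.2.10", 443, "10.0.0.5", 50000, {"SYN", "ACK"}, 2)
    fw.packet("fa0/2", "10.0.0.5", 50000, "192.0.2.10", 443, {"ACK"}, 3)
    # after more than 10 s idle the session is removed; a bare ACK on fa0/2 has nothing to match
    out["q2b_after_idle_fa0/2"] = fw.packet("fa0/2", "10.0.0.5", 50000, "192.0.2.10", 443, {"ACK"}, 21)
    # Q3: stray ACK on fa0/2 that never had a session
    out["q3_stray_ack_fa0/2"] = fw.packet("fa0/2", "10.0.0.6", 50001, "192.0.2.10", 22, {"ACK"}, 22)
    # Q4: 100 half-open sessions fill the cap; the 101st SYN evicts the oldest one
    for i in range(100):
        fw.packet("fa0/2", "10.0.0.7", 60000 + i, "192.0.2.10", 25, {"SYN"}, 30 + i * 0.01)
    out["q4_half_open"] = fw.half_open()
    fw.packet("fa0/2", "10.0.0.7", 61000, "192.0.2.10", 25, {"SYN"}, 32)
    out["q4_half_open_after_101st"] = fw.half_open()
    out["q4_oldest_evicted"] = ("10.0.0.7", 60000, "192.0.2.10", 25) not in fw.sessions
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:28} {v}")
```

The point the model makes visible is that inspection state is created only by a SYN entering the inspected interface and is consulted in both directions, so once the idle timer removes it a mid-stream ACK on the inspected side is an orphan and a flood of SYNs is bounded by one global half-open counter.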

  • Inspect and interpret SMB messages

    Hi
    I am replying to an invitation to tender from a customer. They require a product that will be able to do deep packet inspection and extract SMB events relating to shares and files that are moved or deleted. They also want it to support directory services if possible so that it can report by username!
    Oh and it needs to be able to do it at a full 10Gb and store historical data for a year.
    I can't think of anything that can do this kind of thing. Sure, with a packet capture you could pick out the SMB messages, but storing 10Gb/s would involve thousands of terabytes of storage for a year's worth of data.
    Any ideas on something that can do at least part of this. I was thinking about some kind of NetFlow analyser.
    Thanks
    Pat

    Personally, "deep packet inspection" and "10 Gb" bring this appliance solution to mind:
    http://www.netscout.com/docs/datasheets/NetScout_ds_nGenius_InfiniStream.pdf
    "Broad Storage Capabilities
    Configured in a variety of rack-mounted chassis options, storage
    capabilities range from 500 GB to 16 TB. Chassis options vary
    from 1RU appliances to larger systems.
    Interfaces and Speeds
    More than two dozen models are available to accommodate
    deployments across the modern IP network. Monitoring speeds
    range from 10base-T, to Fast Ethernet, to high-speed 10-GbE
    interfaces. Port densities are available in 2-Port, 4-Port, and
    8-Port capture configurations."
    So it doesn't have anywhere near the storage for a full year's worth of data, but then 16TB is the most built-in storage on any network monitoring appliance I've heard of (and apparently the price tag to match). It's also unclear whether it meets some of the other requirements, but I suppose the vendor's professional services might be able to cater to those if the customer has the budget to support those requirements.
    OTOH, as you've pointed out, NetFlow is not deep-packet inspecting, but if that's "good enough" for the purpose, there's at least one hardware-based NetFlow solution capable of scaling up to 10G, http://www.invea-tech.com/products/flowmon, courtesy of this old thread: https://supportforums.cisco.com/message/653987#653987

  • Inspect and Inspected field in Record Results:Characteristic overview

    hi,
          Can any one explain me the Inspect and Inspected field in Record Results:Characteristic overview screen. How the sample size is determined in Inspected field during lot creation.
    Muthamil

    Dear Muthamil
    This fully depends on the sampling procedure you choose. For example, if you choose a 100% sampling procedure and you have a lot quantity of 10 items,
    then Inspect will be 10 and Inspected will be 10.
    SAP gives the definition for INSPECT as - Predefined sample size that has to be inspected for an inspection characteristic or a partial sample.
    For each inspection plan characteristic you define the amount by which the inspected sample size in the 'Insp.ed' field can deviate from the to-be-inspected sample size in the 'Inspect' field. If a characteristic (partial sample) is closed the system checks whether the required sample size is adhered to. The characteristic (partial sample) can only be closed if this is the case.
    But for "scope not fixed", "larger" or "smaller" scope the Inspected field changes based on the result recording.
    SAP gives the definition for INSPECTED as   - Number of sample units that have been inspected for a characteristic or a partial sample.
    Hope this explains
    Regards
    Gajesh

  • CUBE - DTMF Interworking between SIP INFO and RFC2833

    Hi all,
    After some testing I noticed that when the cube receives dtmf via SIP INFO it doesn't translate them into rfc2833 on the other side. This happens when the incoming INVITE advertises both SIP INFO and RFC2833.
    When the incoming INVITE advertises only SIP INFO then it does the translation to RFC2833 and sends the digits via RTP on the outgoing interface.
    CUBE supports both RFC2833 and SIP INFO as it advertises both methods in its SIP messages. Is this the expected behaviour?
    IOS is 15.1(3)T1. CUBE is running on a 3945 router.
    I have found bug CSCuh65102 which seems to be a match. Can somebody confirm this ?

    Hi,
    Please check the following bug
    https://tools.cisco.com/bugsearch/bug/CSCtj93573/?reffering_site=dumpcr
    CUBE not processing DTMF SIP INFO to RFC 2833 upstream to Network
    You can try an upgrade to 15.1(3)T4 or higher and check if the issue is resolved.
    HTH
    Manish

  • Edge Inspect and IIS8 Express

    Hi
    Can anyone please tell me whether edge inspect works with IIS8 express, I can see my computer in tab and phone, I can enter password that gets accepted on computer, but I get the error bad request-invalid hostname. I can see public websites if I view another website in chrome, it shows up in the tablet or phone.
    I have tried
    http://localhost:4182/ which crashes edge inspect in htc sensation and samsung tab
    tried http://192.168.1.67:4182/ get bad request
    tried 192.168.1.67:4182/ again bad request.
    Tried turning off firewall but nothing works.
    I'm  using Windows 8 pro, with IIS8 express
    Thanks
    George

    Hi George,
    I'm not familiar with IIS8 Express, but here are a few things to try:
    On another computer on the same network, try going to http://192.168.1.67:4182/ , do you see the page you expect to see on the other computer?
    Browse to http://192.168.1.67:4182/ in Chrome, then click on the button in the upper right corner of the app on your device and choose Open In Browser. That should open the URL in the native browser on your device. What do you see there?
    If neither of those work, the problem is almost certainly that IIS8 Express is not serving content to external computers or devices. That might be a configuration problem or it might be inherent to IIS8 Express. You can either correct the configuration problem or you might try switching over to another web server. I've successfully used both IIS and WAMP with Edge Inspect and local content without any problems.
    Let me know how it goes,
    Mark

  • Best scenario to use variable inspection and attributive inspection

    Hello!
    Can anyone help me with a practical example of the difference between attributive inspection and variable inspection by s-method? What are the best scenarios to use them respectively?

    Variable inspection: Variable inspection is, in SAP terms, quantitative inspection, meaning there is some value which is variable and can be measured. Examples cover a very wide range; say, in mechanical companies like the auto industry, components need to be inspected in microns with upper and lower limits, like 12 mm +0.001 / -0.002 etc.
    These could be the scenarios where you need to comply with upper and lower limits.
    Attributive inspection: In SAP terms it is the qualitative type, meaning it cannot be measured but can be derived or compared, like a Go/No-Go gauge, Yes/No, Pass/Fail etc.
    Scenarios are mostly in the mechanical or electrical industry where such values need to be monitored. Say, a piece of equipment passes or fails a certain test characteristic, or a component has surface finish problems, etc., which can only be seen or compared.

  • Application layer inspection and MPF

    Why create another policy map when only one policy map can be used on any interface? Why not just use the default policy and add to it? I am trying to understand application layer inspection and the MPF.

    Hi,
    The default policy will not give you many options due to the "match default-inspection-traffic" in the default class map.
    At the end of it, the number of policy maps, or usage of the default policy map with additions, really depends on the user and his/her requirement.
    Regards,
    Vivek

  • ASA app layer inspection and CX IPS inspection

    ASA application layer inspection is critical for protocols such as FTP and SIP for well known reasons.  When implementing a CX module, my understanding is that either the ASA implements inspection or the CX implements inspection.  For instance, if I want my CX to inspect HTTP I need to forward that traffic via a policy-map to the CX engine and ensure that the ASA is not configured to inspect HTTP.  Easy enough.
    What I am unclear about is if it is desired for the CX to inspect protocols such as FTP and SIP.  In my case I'm running the CX IPS which does list some FTP and SIP threats.  If I direct this traffic to the CX for IPS inspection, where would the app layer inspection occur for processing SIP embedded IP addresses or FTP secondary channels?  Or, is it necessary to ensure these protocols remain inspected by the ASA?  Finally, does the answer change for the WSE license?   

    Hogoqo,
    Thanks for the reply. Does this config mean that "default-inspection-traffic" will not be sent to the IPS module?
    What I initially wanted was to send ALL traffic to the IPS module, and also use stateful inspection for the default-inspection-traffic.
    Is this a bad practice (to send all traffic to the IPS module)?
    The ASA is configured with 3 interfaces (inside, outside, dmz), with an e-mail server in the DMZ. In the future, there will also be e-commerce servers in the DMZ.
    Should I send to the IPS module only traffic that has the destination as one of the DMZ servers?
    I am new to IPS, and kind of confused.
    Thanks!
