Wednesday, May 20, 2015

SIP registration issues with the Cisco ASA

In this post we will look at a SIP user-agent client (X-Lite) registering to the Callcentric service. One of the biggest problems with SIP clients, soft or hardware based, involves the SIP registration itself.

A few reasons a SIP REGISTER can fail:
  •  wrong SIP domain (realm) specified at the client
  •  incorrect username (the SIP register name, i.e. the user part of the To/From URI)
  •  wrong SIP account password
  •  the firewall filtering the signaling protocol and ports (TCP/UDP 5060, TLS 5061, or a provider-specific port)
  •  SIP ALG not enabled, or not fixing up the SIP headers behind NAT
  •  lack of re-REGISTERs or SIP keepalives, so the NAT/session entry on the firewall expires
  •  severe packet loss preventing registration (not common, but it can happen)
  •  you have tripped the maximum registrations per account or some admission-control threshold (usually set at the SIP provider's server/proxy)
Here's a SIP REGISTER from my X-Lite client on my Mac OS X machine:


The firewall plays an important role here. If NAT sits between the UAC and the UAS, the firewall must fix up the SIP REGISTER, rewriting the Via and Contact headers (and the SDP on calls) so the session details carry your public SNAT address instead of the private one.

You must also have firewall policies that allow the traffic outbound from your client to the SIP server to begin with.

NOTE: With Callcentric, registration is SIP over UDP/5080 by default. The standard SIP ports are 5060 (UDP/TCP) and 5061 (TLS), and some clients fall back to TCP and to 5060/5061 as an alternative, so you need to double-check each client against what the SIP provider is expecting. My X-Lite and Callcentric setup uses 5080. Note also that a client registering through a provider's proxy behaves differently from a SIP trunk to a carrier, which rarely uses REGISTER at all (trunks are typically identified by source IP instead).


Bad authentication is actually easy to spot by watching the SIP status codes exchanged between client and server. Here is the packet summary of the failing exchange:


  1   9.698676 10.200.41.89 -> 204.11.192.22 SIP 610 Request: REGISTER sip:callcentric.com  (1 binding)
  2   9.941065 204.11.192.22 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required
  3   9.942312 10.200.41.89 -> 204.11.192.22 SIP 811 Request: REGISTER sip:callcentric.com  (1 binding)
  4  10.186344 204.11.192.22 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication
  5  15.373261 10.200.41.89 -> 204.11.192.22 SIP 610 Request: REGISTER sip:callcentric.com  (1 binding)
  6  15.633247 204.11.192.22 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required
  7  15.635155 10.200.41.89 -> 204.11.192.22 SIP 811 Request: REGISTER sip:callcentric.com  (1 binding)
  8  15.883003 204.11.192.22 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication
  9  27.379048 10.200.41.89 -> 204.11.192.22 SIP 610 Request: REGISTER sip:callcentric.com  (1 binding)
 10  27.626802 204.11.192.22 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required
 11  27.628884 10.200.41.89 -> 204.11.192.22 SIP 811 Request: REGISTER sip:callcentric.com  (1 binding)
 12  27.894571 204.11.192.22 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication

NOTE: The 407 is not the error; it is the normal digest challenge carrying the server's nonce. The error is the 403 returned after the client resends the REGISTER with a Proxy-Authorization header. It doesn't tell you what was wrong other than that authentication failed: it could have been the username, the password, or both (or the realm). Remember the server and client use SIP digest authentication: the challenge carries a nonce, and the client answers with an MD5 hash over username, realm, password, method, request URI and that nonce, so the password never crosses the wire and a captured response can't be replayed against a fresh nonce. So if the domain is correct, just rekey the username and password.
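The digest exchange behind that 407 / REGISTER / 403 pattern, as an added example that is not part of the original post or of X-Lite/Callcentric: it computes the client's digest response from a challenge, shows why the registrar returns the same 403 for a wrong username, a wrong password or a replayed response, and triages a packet summary in the format shown above. The realm, nonce, account name and password are constructed for the demo; the sample trace copies four lines of the capture on this page.

```python
"""Added example (not from the original post): SIP digest authentication
as the registrar sees it, plus a quick triage of a REGISTER packet summary.

Account, password, realm and nonce below are made-up demo values; the
SAMPLE_TRACE lines are copied from the capture on this page.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

SAMPLE_TRACE = [
    "  1   9.698676 10.200.41.89 -> 204.11.192.22 SIP 610 Request: REGISTER sip:callcentric.com  (1 binding)",
    "  2   9.941065 204.11.192.22 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required",
    "  3   9.942312 10.200.41.89 -> 204.11.192.22 SIP 811 Request: REGISTER sip:callcentric.com  (1 binding)",
    "  4  10.186344 204.11.192.22 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication",
]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_account(username: str, realm: str, password: str) -> str:
    """What a provisioning system stores: HA1, never the clear password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: str = "00000001",
                    cnonce: str = "") -> str:
    """RFC 2617 MD5 digest as SIP uses it (RFC 3261 section 22). The password only
    enters through HA1, and the result is bound to the server's nonce."""
    ha1 = make_account(username, realm, password)
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def registrar_check(username: str, method: str, uri: str, nonce: str, response: str,
                    accounts: Dict[str, str]) -> bool:
    """Registrar side (no-qop case): unknown user, wrong password and a response
    replayed against a different nonce all collapse into the same reject (403)."""
    ha1 = accounts.get(username)
    if ha1 is None:
        return False
    expected = md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")
    return hmac.compare_digest(expected, response)


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header_value: str) -> Dict[str, str]:
    """Pull realm/nonce/etc. out of a WWW-Authenticate or Proxy-Authenticate value."""
    body = header_value.split(" ", 1)[1]  # drop the leading "Digest"
    return {k: (quoted or bare) for k, quoted, bare in _PARAM.findall(body)}


def build_authorization(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str) -> str:
    """The header the client puts on its second REGISTER (no-qop form)."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Proxy-Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')


_LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+\S+\s+->\s+\S+\s+SIP\s+\d+\s+(Request|Status):\s+(\S+)")


def classify_register_trace(lines: List[str]) -> str:
    """Walk a packet summary like the one on this page and name the likely cause."""
    events = []
    for line in lines:
        m = _LINE.match(line)
        if m:
            kind, token = m.groups()
            events.append(("REQ", token) if kind == "Request" else ("RSP", int(token)))
    if not events:
        return "no SIP seen: check the port (5060/5061 vs a provider port like 5080) and the outbound policy"
    if all(kind == "REQ" for kind, _ in events):
        return "REGISTER sent, nothing back: filtering, wrong server address, or NAT/ALG problem"
    challenged = False
    for kind, val in events:
        if kind == "RSP" and val in (401, 407):
            challenged = True
        elif kind == "RSP" and val == 403:
            return "challenged then 403: bad username, password or realm (rekey the credentials)"
        elif kind == "RSP" and val == 200:
            return "registered" + (" (after digest challenge)" if challenged else "")
    if challenged:
        return "challenged but the client never answered: no credentials configured on the client"
    return f"unexpected responses: {[val for kind, val in events if kind == 'RSP']}"


if __name__ == "__main__":
    accounts = {"user123": make_account("user123", "callcentric.com", "correct-horse")}
    chal = parse_challenge('Digest realm="callcentric.com", nonce="5e1f9c0a", algorithm=MD5')
    for user, pw in [("user123", "correct-horse"), ("user123", "wrong"), ("nobody", "correct-horse")]:
        hdr = build_authorization(user, chal["realm"], pw, "REGISTER", "sip:callcentric.com", chal["nonce"])
        resp = parse_challenge(hdr.split(": ", 1)[1])["response"]
        ok = registrar_check(user, "REGISTER", "sip:callcentric.com", chal["nonce"], resp, accounts)
        print(f"{user}/{pw}: {'200 OK' if ok else '403'}")
    print(classify_register_trace(SAMPLE_TRACE))
```

From the wire you can only tell that the credentialed REGISTER was rejected; the registrar rejects an unknown user, a wrong password and a stale nonce the same way, which is why rekeying both fields is the practical fix.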


On the Cisco ASA, what we need is a policy-map with SIP inspection enabled for the SIP signaling traffic, applied either globally or on an interface. Two caveats worth checking. First, the stock inspection_default class matches default-inspection-traffic, which covers SIP on TCP/UDP 5060 only, so a provider using another port (5080 here) needs its own class before inspect sip does anything for it. Second, if the client already handles NAT traversal itself (STUN, or the provider performs far-end NAT traversal), a second rewrite by the ALG can break registration, so test with and without SIP inspection.

Here's a typical ASA policy-map config:


policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect icmp 
  inspect icmp error 
  inspect http 
  inspect snmp 
  inspect dns preset_dns_map 
  inspect sip  
 class internal_network
  inspect esmtp 
 class class-default
  inspect pptp 
  user-statistics accounting
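The policy above only inspects SIP on the ports in the default-inspection-traffic class (TCP/UDP 5060). As an added example, not part of the original post, here is the extra class that brings Callcentric's UDP/5080 under SIP inspection; the class-map name sip_5080 is an assumption, and the final service-policy line is the stock global binding, already present on most boxes.

```text
! Added example (not from the original post). Stock inspection_default only
! matches SIP on tcp/udp 5060, so UDP/5080 is otherwise passed as plain UDP
! with no header fix-up. Class-map name "sip_5080" is an assumption.
class-map sip_5080
 match port udp eq 5080
!
policy-map global_policy
 class sip_5080
  inspect sip
!
service-policy global_policy global
```

After applying it, show service-policy inspect sip should list the new class with non-zero packet counters once the client re-registers, and the 5080 flow in show conn protocol udp port 5080 long should be handled as SIP signaling (aging with timeout sip) rather than as a generic UDP connection.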


You can use the following show command to confirm SIP inspection is active:

show service-policy inspect sip table

And for monitoring any flows:

show conn protocol udp port 5060-5061 long
show conn protocol tcp port 5060-5061 long

or

show conn protocol udp port 5080 long

You can also watch the idle time, uptime and timeout of the connection to get an idea of how long your sessions stay up and when they refresh; the refresh interval should match the SIP keepalive interval configured on the UAC. For example:

UDP EXTERNAL02: 204.11.192.22/5080 (204.11.192.22/5080) TRUST01: 10.200.41.89/55589 (1.22.11.100/55589), flags - , idle 1s, uptime 8m18s, timeout 1m0s, bytes 17115



A few other items to think about: do you need 1) SIP re-REGISTERs and 2) keepalives? The answer really depends.

SIP keepalives ensure the firewall NAT/session entry stays active and does not expire from the connection table, so it never hurts to enable a reasonable keepalive or session-timer interval on the client. You can also get by with increasing the SIP session timeouts on the Cisco ASA, but a longer idle timeout keeps stale pinholes open longer, so prefer shorter REGISTER expiry and keepalives on the client where you can.

The show run timeout command shows the current SIP-related timeout values:

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


The choice is yours on what you need to do, but be aware of the issues listed above that affect SIP registration and how your Cisco ASA fits into the picture.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

