A few reasons that can cause a SIP REGISTRATION or failures
- bad sip domain specified at the client
- username incorrect ( SIP register name = Sip.To )
- bad sip account password
- the firewall filtering your protocol and ports ( TCP|UDP port5060/5061 )
- ALG not enabled nor fixing up the SIP header
- lack of re-REGISTERs or lack of SIP-KeepAlives
- severe packet lost preventing registering ( not common but could happen )
- you have trip the max registers per client or some Admission controls thresholds ( usually this is set at the SIP provider server/proxy )
Now the firewall plays an important process. It must fixup the SIP REGISTER and mask the SESSION details to match your public SNAT address if NAT is enabled between the UAC and UAS.
Obviously you must have firewall policies that allows the traffic outbound from your client to the sip server to begin with.
NOTE: With the call centric the protocol for registering is done via SIP using defector udp/5080. Some clients will revert to TCP and even to ports 5060 |5061 as an alternative but you need to double each client and what the SIP provider is expecting. In my X-lite and Callentric they use 5080 which is typically the default for Sip clients that uses proxy-registration versus a sip trunk Carrier which hardly uses SIP-REGISTERs.
For "Bad" authentication , is actually easy to determine if this has happen by monitoring the SIP status-codes between client and server.
1 9.698676 10.200.41.89 -> 220.127.116.11 SIP 610 Request: REGISTER sip:callcentric.com (1 binding) |
2 9.941065 18.104.22.168 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required |
3 9.942312 10.200.41.89 -> 22.214.171.124 SIP 811 Request: REGISTER sip:callcentric.com (1 binding) |
4 10.186344 126.96.36.199 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication |
5 15.373261 10.200.41.89 -> 188.8.131.52 SIP 610 Request: REGISTER sip:callcentric.com (1 binding) |
6 15.633247 184.108.40.206 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required |
7 15.635155 10.200.41.89 -> 220.127.116.11 SIP 811 Request: REGISTER sip:callcentric.com (1 binding) |
8 15.883003 18.104.22.168 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication |
9 27.379048 10.200.41.89 -> 22.214.171.124 SIP 610 Request: REGISTER sip:callcentric.com (1 binding) |
10 27.626802 126.96.36.199 -> 10.200.41.89 SIP 553 Status: 407 Proxy Authentication Required |
11 27.628884 10.200.41.89 -> 188.8.131.52 SIP 811 Request: REGISTER sip:callcentric.com (1 binding) |
12 27.894571 184.108.40.206 -> 10.200.41.89 SIP 386 Status: 403 Incorrect Authentication |
NOTE: It doesn't tell you what was wrong other than your authentication was incorrect. It could have been username, password or both, remember the server & client are using a cryptographic nonce to ensure the password is hash to a value that can't be replayed. So if the domain is correct, just rekey the username and password
Now with the cisco ASA, all we need to do is to ensure our policy-map has sip inspection enabled and to ensure it's applied globally or on the interface.
Here's a typical ASA policy-map cfg;
inspect h323 h225
inspect h323 ras
inspect icmp error
inspect dns preset_dns_map
You can use the following show commands to confirm inspect for SIP;
show service-policy inspect sip table
And for monitoring any flows
show conn protocol udp port 5060-5061 long
show conn protocol tcp port 5060-5061 long
show conn protocol udp port 5080 long
And you can monitor the expiration and refresh to get an ideal of how long your sessions are up and when they refresh, this should match the SIP keepalives intervals for the UAC
UDP EXTERNAL02: 220.127.116.11/5080 (18.104.22.168/5080) TRUST01: 10.200.41.89/55589 (22.214.171.124/55589), flags - , idle 1s, uptime 8m18s, timeout 1m0s, bytes 17115
A few other items to think about, do you need 1> SIP re-REGISTER and 2>KEEPALIVES. The answer for this really depends.
But SIP keepalives will ensure the firewall NAT/SESSION table stays active and does not expire from the session list. It never hurts to enable a reason SIP session timer. You can also get by with increase sessions timeout in the cisco ASA for SIP for the session table
The show run timeout cmd will provide you an ideal for SIP sessions values
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
The choice is all yours on what you need to do, but be aware of the few listed issues that effects SIP registering and how your Cisco ASA fits into the picture.
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
=( * * )=