ASA and IPOffice 9.0 SIP trunk mystery (no sound for incoming calls after upgrade) 3

[DobriyDed]

Hi all!
Being too slow, just upgraded from 8.0 to 9.0 (9.0.12 1006)
With 8.0 everything works perfect, no problems at all
With 9.0 calls from inside works nice,
BUT calls from outside connects normally .... with no sound in any direction.
No changes in network configuration been made

Configuration is very simple: good old ASA5505
NAT: subnet with IPOffice NATed (dynamic PAT) to wan interface
Firewall:
- hosts from subnet with IPOffice allowed to go anywhere outside
- Host of SIP provider allowed to acceess IPOffice with tcp/udp at port 5060-5061 and icmp

What possibly can cause this weird behaviour Where to start?

Update#1
Just changed ASA to simple ZyXEL USG ..... and its works again. Too bad need to make damn ASA working :-(
Update#2
All licenses looks fine in manager


ASA config:

object network HOST_IN_AVAYA_IPOffice(5.10)
 host 192.168.5.10
 description IPoffice address

object network AVAYA_SIP_PF
 host 192.168.5.10
 description IPoffice address object for portforwarding

object network LAN_OFFICE_05_AVAYA(24)
 subnet 192.168.5.0 255.255.255.0
 description Vlan_AVAYA

access-list wan_access_in extended permit object-group DM_INLINE_SERVICE_4 object SIP_PROVIDER_IP object HOST_IN_AVAYA_IPOffice(5.10) 

object-group service DM_INLINE_SERVICE_4
 service-object tcp-udp destination eq sip 
 service-object icmp 
 service-object udp destination eq 5061 

access-list avaya_access_in extended permit object-group DM_INLINE_SERVICE_1 object LAN_OFFICE_05_AVAYA(24) any4 
access-list Link_access_in extended permit ip object LAN_OFFICE_05_AVAYA(24) any4 

object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq sip

object network AVAYA_SIP_PF
 nat (Link,wan) static interface service udp sip sip 
nat (Link,wan) after-auto source dynamic LAN_OFFICE_05_AVAYA(24) interface dns

class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
   .......
  inspect rtsp 
  inspect sip  
  ........
!
service-policy global-policy global

 

[janni78]

For starters you should not use SIP inspection.
Normally you would also open the IPOs RTP ports for incoming, usually 46750-50750 on IP500, but you can see which are used in the LAN -> VoIP tab.

"Trying is the first step to failure..." - Homer

 

[DobriyDed]

Hi janni78
Turning off sip inspection on ASA device ruins everything, its needed for correct operation
I've updated firewall rule to add RTP and everything else

object service SIP_RTP_UDP
 service udp source range 49152 53246 destination range 49152 53246 
object service SIP_RTP_TCP
 service tcp source range 49152 53246 destination range 49152 53246 

object-group service DM_INLINE_SERVICE_4
 service-object icmp 
 service-object udp destination eq 5061 
 service-object object SIP_RTP_TCP 
 service-object object SIP_RTP_UDP 
 service-object tcp destination eq 5061 
 service-object tcp destination eq sip 
 service-object udp destination eq sip 
 service-object ip

Also added portforward for 5060 to IPOffice

object network AVAYA_SIP_PF
 nat (Link,wan) static interface service udp sip sip 
nat (Link,wan) after-auto source dynamic LAN_OFFICE_05_AVAYA(24) interface dns

Still no luck

Outside calling party didn't hear anything, even wait tones. After dialing, there is complete silence in caller's headset. But the target phone is ringing.
No blocked traffic in firewall logs

And why same configuration works perfectly with 8.0 ????

 

[janni78]

RTP only uses UDP, and TLS only uses TCP.
If the provider uses unencrypted signaling on port 5060 then it can be either TCP or UDP.

If turning off SIP inspection breaks the trunk it's not configured correctly.
You need to use Network Topology in IP Office to send the correct external IP address to the service provider.

"Trying is the first step to failure..." - Homer

 

[teletechman]

how is the SIP trunk configured.
Mike

 

[DobriyDed]

Dear janni78
Thanks for help!
Disabling SIP ALG (inspection) solved problem.

Only trouble is just clearing connection and xlate table on ASA plus merging configuration on IPoffice didn't helped, dunno why.
But in a rage state i've restarted both ASA and IPO and a miracle happened!

 

[teletechman]

use should give a start for a good answer.

 

[DobriyDed]

Seems ASA image 9.1.6 SIP alg is broken, according to this

https://support.onsip.com/hc/en-us/articles/203706674-Cisco-ASA-5505

Useful links that helped me in this case and little SIP registration timeout problem:
How to configure a cisco ASA 5505 for voip
How to resolve one way or no way audio on voip calls
How to troubleshoot one way and no way audio on voip calls
CISCO firewalls sip registration timing out(may require registration)
CISO NAT in VoIP manual, ALG section
NAT and Firewall Traversal Recommendation
(RUSSIAN) Closing SIP dead peers

Hope it helps you too

P.S. looking for a way to download files from AVAYA

https://support.avaya.com/downloads/

, PM me if you can help, please

Update: Oh, its no PM here? whaaaat?