TCP connection resets on PIX 501

Discussion in 'Cisco' started by Crumb, Oct 12, 2006.

  1. Crumb

    Crumb Guest


    I have to start by saying sorry for asking for help, as I am not a Cisco
    guy and have no Cisco knowledge.

    I work for a company that is using a VoIP application across two sites
    connected via Cisco PIX 501.

    Most of the time everything is working fine, but from time to time we
    get one-way transmission on the handsets. The VoIP vendor is saying the
    problem is due to the PIX configuration, but the maintainer of the PIX
    units is not the best and seems not to know what he is doing.

    Here is what the VoIP vendor is saying:

    The phones establish an H323 connection at logon time through which the
    media streaming is switched on/off on call activity on the phone. The
    special thing here is that the RTP/RTCP ports that are negotiated at
    logon time are always used by the phone over all calls. The Phone
    Controller relies on this behavior of the phones. The trace line
    indicates that the H323 negotiation (done in the context of a call)
    returned ports that are different from the ports negotiated at logon.

    The typical failure on the user interface is that the phone cannot
    hear, but is heard by the peer.

    The H323 connection maintains two TCP connections between the Phone
    Controller and the phone. What you see with the PIX VPN is that this
    device monitors and controls TCP connections such that a TCP connection
    is terminated after a certain time with no traffic on that connection.
    In that case the PIX firewall sends TCP RESET packets to both sides of
    the TCP connection. The Phone Controller immediately re-establishes the
    associated H323 connection and finds the phone wants to use different

    You can configure the PIX firewall not to terminate the TCP

    Here is the running configuration on the PIX

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname PIX15
    domain-name ****************
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    no fixup protocol h323 h225 1720
    no fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list 120 permit ip
    access-list 130 permit ip
    access-list 140 permit ip
    access-list 150 permit ip
    access-list 100 permit ip
    access-list 100 permit ip
    access-list 100 permit ip
    access-list 100 permit ip
    pager lines 24
    logging on
    logging host outside 80.229.XXX.XXX
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XXX.XXX
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm location inside
    pdm location XXX.XXX.XXX.XXX outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 netmask
    nat (inside) 0 access-list 100
    nat (inside) 1 0 0
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address 120
    crypto map newmap 20 set peer
    crypto map newmap 20 set transform-set myset
    crypto map newmap 30 ipsec-isakmp
    crypto map newmap 30 match address 130
    crypto map newmap 30 set peer
    crypto map newmap 30 set transform-set myset
    crypto map newmap 40 ipsec-isakmp
    crypto map newmap 40 match address 140
    crypto map newmap 40 set peer
    crypto map newmap 40 set transform-set myset
    crypto map newmap 50 ipsec-isakmp
    crypto map newmap 50 match address 150
    crypto map newmap 50 set peer
    crypto map newmap 50 set transform-set myset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address XXX.XXX.XXX.XXX 66 netmask
    no-xauth no-config-mode
    isakmp key ******** address .XXX.XXX.XXX netmask
    no-xauth no-config-mode
    isakmp key ******** address .XXX.XXX.XXX netmask
    no-xauth no-config-mode
    isakmp key ******** address .XXX.XXX.XXX netmask
    no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet inside
    telnet inside
    telnet timeout 5
    ssh .XXX.XXX.XXX outside
    ssh inside
    ssh inside
    ssh timeout 60
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40 required
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username s****l password *********
    vpdn enable outside
    terminal width 132
    : end

    Can someone help me, as I am now desperate?


    Crumb, Oct 12, 2006
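The vendor's argument rests on the idle timeouts in the pasted configuration: a long-lived H.323 signalling TCP session that sends nothing for longer than `timeout conn` is torn down and re-negotiated. As an added example (not part of the original thread), this script parses the `timeout` lines from the running configuration into seconds, notes that the H.323 fixup is disabled, and checks whether a session that sends traffic at an assumed keep-alive interval stays under the idle limit; the config excerpt and the keep-alive interval are constructed from the post.

```python
import re

# Constructed excerpt of the configuration pasted in the post.
SAMPLE_CONFIG = """\
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
"""


def hms_to_seconds(value: str) -> int:
    """Convert a PIX 'h:mm:ss' timeout value to seconds ('0:00:00' means never)."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(config: str) -> dict:
    """Collect every '<name> h:mm:ss' pair found on the 'timeout' lines."""
    timeouts = {}
    for line in config.splitlines():
        if not line.strip().startswith("timeout "):
            continue
        for name, value in re.findall(r"(\S+)\s+(\d+:\d{2}:\d{2})", line):
            timeouts[name] = hms_to_seconds(value)
    return timeouts


def h323_inspection_disabled(config: str) -> bool:
    """True when the config carries a 'no fixup protocol h323 ...' line."""
    return any(line.strip().startswith("no fixup protocol h323")
               for line in config.splitlines())


def idle_session_survives(config: str, keepalive_s: int) -> bool:
    """True if a TCP session sending traffic every keepalive_s seconds
    never sits idle long enough to hit 'timeout conn' (0 = no timeout)."""
    conn_timeout = parse_timeouts(config).get("conn", 0)
    return conn_timeout == 0 or keepalive_s < conn_timeout


if __name__ == "__main__":
    print("timeouts (s):", parse_timeouts(SAMPLE_CONFIG))
    print("h323 fixup disabled:", h323_inspection_disabled(SAMPLE_CONFIG))
    # Assumed keep-alive of two hours, i.e. longer than timeout conn.
    print("2h keep-alive survives:", idle_session_survives(SAMPLE_CONFIG, 7200))
```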
