jb_uk
Explorer

Cisco UC Strict SIP Protocol Flow Enforcement

Hi

Our firewall is dropping SIP 200 keepalives from a remote Cisco Unified Border Element router 10.10.10.10 to local Cisco Unified Communications Manager 10.20.20.20. A packet capture shows the SIP From: as 10.20.20.20 and SIP To: as 10.10.10.10 (so basically the "wrong" way around - although it's not, as this is a response to an OPTIONS PING from CUCM). The firewall (a 5200) is logging Strict SIP Protocol Flow Enforcement (anomaly). Is this a known issue that anyone's encountered? I'm expecting the workaround is just to create an exemption to that traffic. This only started happening in February so I wonder if an IPS definition update caused it...

Many thanks

James

0 Kudos
3 Replies
PhoneBoy
Admin

These protocol enforcements are usually Inspection Settings (not IPS), which are generally not updated with signatures.
The log card should indicate whether it's actually IPS or not.
That also impacts where you put the exception.
0 Kudos
jb_uk
Explorer

Sorry! I've stated IPS and meant Inspection... brain fog at the end of troubleshooting! What puzzles me most is that it was working fine then suddenly started dropping. My tired mind was thinking that a scheduled IPS update might explain this...

0 Kudos
PhoneBoy
Admin

The only way those would be updated, as far as I know, would be a JHF installation or version upgrade.
0 Kudos
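
The header direction described in the original question, as an added example that is not part of the thread: a SIP response keeps the From and To headers of the request it answers (RFC 3261), so a 200 OK travelling from 10.10.10.10 to 10.20.20.20 legitimately carries From: 10.20.20.20. The Python below pairs responses in a capture with their requests by Call-ID and CSeq and reports whether each response is an expected reply. The sample messages, Call-ID and tags are constructed, and compact header names are not handled.

```python
import re

def parse_sip(raw):
    """Parse the start line and headers of one SIP message (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    start, headers = head[0], {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers}
    if start.startswith("SIP/2.0 "):
        msg["kind"], msg["status"] = "response", int(start.split()[1])
    else:
        msg["kind"], msg["method"] = "request", start.split()[0]
    return msg

def uri(value):
    """Extract the URI from a From/To value, dropping display name and tag."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def check_responses(packets):
    """packets: list of (src_ip, dst_ip, raw_sip); one verdict per response."""
    pending, verdicts = {}, []
    for src, dst, raw in packets:
        msg = parse_sip(raw)
        h = msg["headers"]
        key = (h.get("call-id"), h.get("cseq"))
        ends = (uri(h.get("from", "")), uri(h.get("to", "")))
        if msg["kind"] == "request":
            pending[key] = (src, dst, ends)
            continue
        req = pending.get(key)
        if req is None:
            verdict = "unsolicited: no matching request seen"
        elif (src, dst) != (req[1], req[0]):
            verdict = "wrong path for this transaction"
        elif ends != req[2]:
            verdict = "From/To differ from request"
        else:
            verdict = "expected reply, From/To copied from request"
        verdicts.append((msg["status"], verdict))
    return verdicts

# Constructed sample: CUCM (10.20.20.20) sends OPTIONS, CUBE (10.10.10.10) answers.
COMMON = ("From: <sip:10.20.20.20>;tag=a1\r\nCall-ID: example-1@10.20.20.20\r\n"
          "CSeq: 101 OPTIONS\r\n")
OPTIONS = "OPTIONS sip:10.10.10.10:5060 SIP/2.0\r\n" + COMMON + "To: <sip:10.10.10.10>\r\n\r\n"
OK_200 = "SIP/2.0 200 OK\r\n" + COMMON + "To: <sip:10.10.10.10>;tag=b2\r\n\r\n"
SAMPLE = [("10.20.20.20", "10.10.10.10", OPTIONS), ("10.10.10.10", "10.20.20.20", OK_200)]
print(check_responses(SAMPLE))
```

A response reported as unsolicited means the capture does not contain its OPTIONS request, which is worth checking before writing an exception for the dropped traffic.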
