Firewalls. Love them or hate them, they’re a massive part of any Skype deployment and you’re going to encounter one wherever you go.
A customer’s Skype pool uses a direct Mediation to Carrier SIP trunk to deliver PSTN connectivity to their Skype environment. The service doesn’t require an SBC, and connects over the internet to the mediation server.
Since implementing the solution, the customer had been reporting that inbound calls had been failing intermittently.
First stop: Firewall.
Checking the logs, the firewall was reporting the following whenever an inbound call failed to reach the mediation server:
“Deny TCP (no connection) from flags PSH ACK”
I noticed that this deny only appeared in the firewall logs during a failed inbound call.
Next Stop: Mediation Server
Spinning up Wireshark, I could see that during a failed call no SIP packets were reaching the mediation server’s external NIC. This led me to believe the issue was firewall related.
I’m looking at you, Firewall.
After checking.. and checking.. and checking that the correct firewall ports were opened on the firewall, I turned my attention to the SIP INSPECT rule on the firewall.
Cisco ASAs are notorious for corrupting incoming SIP packets as they are inspected, and so the advice is to enable SIP inspection for SIP TCP traffic on whatever port your mediation server listens on (in this case, 5060).
SIP INSPECT had been turned on for SIP TCP traffic on port 5060, but this didn’t seem to solve the issue.
The solution? Enable “Send reset to TCP endpoints before timeout” and lower the Connection Timeout from 1 hour (default) to 30 minutes within the Connection Settings tab, under Rule Actions of the Service Policy Rule for SIP.
Doing so allows the ASA to send a TCP reset (RST) to the endpoints should the connection drop, so neither side keeps sending SIP traffic on a connection the firewall no longer tracks.
Once configured, don’t forget to save the config!
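To check whether the deny quoted earlier is still occurring after the change, the firewall syslog can be tallied per peer. The script below is an added example, not part of the original post; it assumes the log is in the standard ASA `%ASA-6-106015` syslog format, and the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range addresses), assumed 106015 format.
SAMPLE_LOG = """\
Mar 03 2017 09:14:02 asa01 : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/41822 to 198.51.100.20/5060 flags PSH ACK  on interface outside
Mar 03 2017 09:14:05 asa01 : %ASA-6-302013: Built inbound TCP connection 8841 for outside:203.0.113.10/41830 (203.0.113.10/41830) to dmz:198.51.100.20/5060 (198.51.100.20/5060)
Mar 03 2017 10:47:31 asa01 : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/41830 to 198.51.100.20/5060 flags PSH ACK  on interface outside
Mar 03 2017 11:02:10 asa01 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.77/50211 to 198.51.100.20/443 flags RST  on interface outside
"""

DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def stale_sip_denies(log_text, sip_port=5060):
    """Count 'no connection' denies carrying data toward the SIP listener."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split())
        # PSH+ACK: an endpoint is sending data on a connection it still
        # believes is open, but which is absent from the ASA connection table.
        if int(m["dport"]) == sip_port and {"PSH", "ACK"} <= flags:
            hits[(m["src"], m["dst"], m["ifc"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, ifc), count in stale_sip_denies(SAMPLE_LOG).most_common():
        print(f"{count} stale-connection denies: {src} -> {dst}:5060 on {ifc}")
```

A count that drops to zero after the timeout change indicates the carrier is now re-establishing the TCP session instead of sending on a dead one.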