Limitations And Restrictions - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

CTIQBE Inspection

Limitations and Restrictions

The following summarizes limitations that apply when using CTIQBE application inspection:

- CTIQBE application inspection does not support configurations with the alias command.
- Stateful failover of CTIQBE calls is not supported.
- Entering the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment. When you enable this debugging or logging and Cisco IP SoftPhone seems unable to complete call setup through the security appliance, increase the timeout values in the Cisco TSP settings on the system running Cisco IP SoftPhone.

The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:

- If two Cisco IP SoftPhones are registered with different Cisco CallManagers, which are connected to different interfaces of the security appliance, calls between these two phones fail.
- When Cisco CallManager is located on the higher security interface compared to Cisco IP SoftPhones, if NAT or outside NAT is required for the Cisco CallManager IP address, the mapping must be static, because Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC.
- When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not user-configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP.

Verifying and Monitoring CTIQBE Inspection

The show ctiqbe command displays information regarding the CTIQBE sessions established across the security appliance. It shows information about the media connections allocated by the CTIQBE inspection engine.

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session set up across the security appliance. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.

hostname# show ctiqbe

Total: 1
     LOCAL              FOREIGN            STATE   HEARTBEAT
---------------------------------------------------------------
1    10.0.0.99/1117     172.29.1.77/2748   1       120
     ----------------------------------------------
     RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 - 1029)
     ----------------------------------------------
     MEDIA: Device ID 27      Call ID 0
            Foreign 172.29.1.99    (1028 - 1029)
            Local   172.29.1.88    (26822 - 26823)
     ----------------------------------------------

The CTI device has already registered with the CallManager. The device internal address and RTP listening port are PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

Source: Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 25, Configuring Application Layer Protocol Inspection, page 25-10.
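For monitoring, the show ctiqbe output above can be parsed and checked against what this section says to expect. The script below is an added example, not part of the Cisco guide; the column spacing of the sample, the function names and the two consistency checks are assumptions based on the single session shown here.

```python
import re

# Constructed sample: the session shown in this section. The exact column
# spacing is an assumption; the regexes below only rely on whitespace.
SAMPLE = """\
Total: 1
     LOCAL              FOREIGN            STATE   HEARTBEAT
---------------------------------------------------------------
1    10.0.0.99/1117     172.29.1.77/2748   1       120
     ----------------------------------------------
     RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 - 1029)
     ----------------------------------------------
     MEDIA: Device ID 27      Call ID 0
            Foreign 172.29.1.99    (1028 - 1029)
            Local   172.29.1.88    (26822 - 26823)
     ----------------------------------------------
"""

CTIQBE_PORT = 2748  # fixed CTIQBE listening port, per this section

SESSION = re.compile(r"^\s*(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\d+)\s+(\d+)\s*$")
PAT = re.compile(r"PAT xlates: mapped to (\S+?)\((\d+) - (\d+)\)")
MEDIA = re.compile(r"^\s*(Foreign|Local)\s+(\S+)\s+\((\d+) - (\d+)\)")

def parse_show_ctiqbe(text):
    """Return one dict per CTIQBE session found in show ctiqbe output."""
    sessions = []
    for line in text.splitlines():
        if m := SESSION.match(line):
            sessions.append({"local": (m[2], int(m[3])), "foreign": (m[4], int(m[5])),
                             "state": int(m[6]), "heartbeat": int(m[7]), "media": {}})
        elif not sessions:
            continue  # header lines before the first session row
        elif m := PAT.search(line):
            sessions[-1]["pat"] = (m[1], int(m[2]), int(m[3]))
        elif m := MEDIA.match(line):
            sessions[-1]["media"][m[1].lower()] = (m[2], int(m[3]), int(m[4]))
    return sessions

def findings(session):
    """Flag entries that differ from the pattern shown in this section (assumed checks)."""
    out = []
    if CTIQBE_PORT not in (session["local"][1], session["foreign"][1]):
        out.append("neither endpoint uses TCP 2748")
    media = list(session["media"].values())
    if "pat" in session and media and session["pat"] not in media:
        out.append("PAT xlate does not match any media endpoint")
    return out
```
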


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
