Cisco ASA Inspection Issues

By default, the ASA's global service policy matches all default application inspection traffic (the class map inspection_default) so that a fixed set of inspections is applied on every interface. Not every inspection engine is enabled by default, but several of the ones that are can interfere with Oracle SQL*Net and Voice over IP traffic.

Here is the default inspection policy from my ASA 5520:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

As you can see, the global policy inspects SQL*Net along with all SIP and H.323 traffic. After I deployed this ASA 5520, my VoIP VPN users started complaining about choppy voice and random disconnects, and I also received complaints from Oracle users that their SQL applications were experiencing issues. Here is how to disable one of the default global inspections for an application: enter the inspection_default class under the global policy map and use the "no" form of the inspect command. Note that you cannot use "?" to get help on this form of the command. Keep in mind what you are giving up: these inspections are also the ASA's application-layer gateways. SIP, H.323 and Skinny inspection open the dynamic pinholes for RTP media and rewrite the addresses embedded in signaling when NAT is involved, and SQL*Net inspection handles the Oracle listener's redirect of a session to a dynamic port. With the inspections removed, that traffic depends entirely on your access lists and NAT rules. For VPN users whose traffic is not translated and whose ports are already permitted this is usually fine, but verify that before doing the same on an Internet-facing interface.

In my case, I disabled the following inspections to resolve my VoIP and SQL issues:

ASA5520(config)# policy-map global_policy
ASA5520(config-pmap)# class inspection_default
ASA5520(config-pmap-c)# no inspect h323 h225
ASA5520(config-pmap-c)# no inspect h323 ras
ASA5520(config-pmap-c)# no inspect sip
ASA5520(config-pmap-c)# no inspect sqlnet
ASA5520(config-pmap-c)# no inspect skinny

So the ASA is no longer inspecting the traffic listed above. You can confirm this with "show service-policy global", which lists the inspections still applied to the inspection_default class, and remember to save the change with "write memory" so it survives a reload. After this change was made, all the users were happy again :)
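If you would rather keep the default inspections for the rest of your network, a narrower option is to exempt only the affected hosts from the inspection_default class instead of removing the inspections globally. The configuration below is an added example, not part of the original post: the ACL name INSPECT_BYPASS, the Oracle server address 10.10.20.15 and the VoIP subnet 10.50.0.0/16 are assumptions for illustration. It relies on two documented ASA behaviours: a class map can combine "match default-inspection-traffic" with "match access-list" to narrow the matched traffic, and flows denied by a class-map ACL are simply not matched by that class, so they skip its inspections while everything else is still inspected.

```cisco
! Added example (not from the original post). Names and addresses are assumptions.
! Flows DENIED here are excluded from inspection_default; all other traffic
! still matches the class and receives the default inspections.
access-list INSPECT_BYPASS extended deny tcp any host 10.10.20.15 eq 1521
access-list INSPECT_BYPASS extended deny udp 10.50.0.0 255.255.0.0 any eq 5060
access-list INSPECT_BYPASS extended deny tcp 10.50.0.0 255.255.0.0 any eq 5060
access-list INSPECT_BYPASS extended deny tcp 10.50.0.0 255.255.0.0 any eq 1720
access-list INSPECT_BYPASS extended deny tcp 10.50.0.0 255.255.0.0 any eq 2000
access-list INSPECT_BYPASS extended permit ip any any
!
! Both match statements must be satisfied for a packet to belong to the class.
class-map inspection_default
 match default-inspection-traffic
 match access-list INSPECT_BYPASS
!
! The global policy is left exactly as it was; the inspections stay enabled
! for everyone except the denied flows.
policy-map global_policy
 class inspection_default
  inspect sip
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sqlnet
!
! Verification: the inspections should still be listed for the class, and the
! exempted flows should no longer increment the per-inspection counters.
show running-config class-map inspection_default
show service-policy global
```

With this in place, the Oracle server and the VoIP subnet behave as in the post (no ALG in the path, so their ports must already be permitted by your access lists), while SIP, H.323, Skinny and SQL*Net traffic from any other host still gets the pinhole and NAT handling the inspections provide.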

About CCIETalk

An Experienced Unified Communications Engineer Specializing in Cisco, Riverbed, VMware and Relevant Technologies. CCIE Voice, CCNA, CCDA, CCNP, CCDP, CCIP, RCSA.

Comments

  1. brandoncarroll says:

    Yeah, I have seen this as well. Here is a quick tip if you want to speed things up. Just go back to the old commands: no fixup protocol sip, no fixup protocol sqlnet, etc. If you want to turn one on, just use the old fixup command and it will convert it to MPF.

    Good Post!

  2. CCIETalk says:

    Thanks Brandon! In two months I am a different person as far as ASAs are concerned :)