Cisco Systems ASA 5505, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA 5580, ASA Services Module manual 21-10

Chapter 21 Configuring Cisco Intercompany Media Engine Proxy

Guidelines and Limitations

•Having Cisco UCMs on more than one of the ASA interfaces is not supported with the Cisco Intercompany Media Engine Proxy. Having the Cisco UCMs on one trusted interface is especially necessary in an off path deployment because the ASA requires that you specify the listening interface for the mapping service and the Cisco UCMs must be connected on one trusted interface.

•Multipart MIME is not supported.

•Only existing SIP features and messages are supported.

•H.264 is not supported.

•RTCP is not supported. The ASA drops any RTCP traffic sent from the inside interface to the outside interface. The ASA does not convert RTCP traffic from the inside interface into SRTP traffic.

•The Cisco Intercompany Media Engine Proxy configured on the ASA creates a dynamic SIP trunk for each connection to a remote enterprise. However, you cannot configure a unique subject name for each SIP trunk. The Cisco Intercompany Media Engine Proxy can have only one subject name configured for the proxy.

Additionally, the subject DN you configure for the Cisco Intercompany Media Engine Proxy match the domain name that has been set for the local Cisco UCM.

•If a service policy rule for the Cisco Intercompany Media Engine Proxy is removed (by using the no service policy command) and reconfigured, the first call traversing the ASA will fail. The call fails over to the PSTN because the Cisco UCM does not know the connections are cleared and tries to use the recently cleared IME SIP trunk for the signaling.

To resolve this issue, you must additionally enter the clear connection all command and restart the ASA. If the failure is due to failover, the connections from the primary ASA are not synchronized to the standby ASA.

•After the clear connection all command is issued on an ASA enabled with a UC-IME Proxy and the IME call fails over to the PSTN, the next IME call between an originating and terminating SCCP IP phone completes but does not have audio and is dropped after the signaling session is established.

An IME call between SCCP IP phones use the IME SIP trunk in both directions. Namely, the signaling from the calling to called party uses the IME SIP trunk. Then, the called party uses the reverse IME SIP trunk for the return signaling and media exchange. However, this connection is already cleared on the ASA, which causes the IME call to fail.

The next IME call (the third call after the clear connection all command is issued), will be completely successful.

Note This limitation does not apply when the originating and terminating IP phones are configured with SIP.

•The ASA must be licensed and configured with enough TLS proxy sessions to handle the IME call volume. See “Licensing for Cisco Intercompany Media Engine” section on page 21-8for information about the licensing requirements for TLS proxy sessions.

This limitation occurs because an IME call cannot fall back to the PSTN when there are not enough TLS proxy sessions left to complete the IME call. An IME call between two SCCP IP phones requires the ASA to use two TLS proxy sessions to successfully complete the TLS handshake.

Assume for example, the ASA is configured to have a maximum of 100 TLS proxy sessions and IME calls between SCCP IP phones establish 101 TLS proxy sessions. In this example, the next IME call is initiated successfully by the originating SCCP IP phone but fails after the call is accepted by the terminating SCCP IP phone. The terminating IP phone rings and on answering the call, the call hangs due to an incomplete TLS handshake. The call does not fall back to the PSTN.

Cisco ASA Series Firewall ASDM Configuration Guide

21-10