Cisco ASA 5505 Configuration Manual page 1016

Guidelines and Limitations
Having Cisco UCMs on more than one of the adaptive security appliance interfaces is not supported
•
with the Cisco Intercompany Media Engine Proxy. Having the Cisco UCMs on one trusted interface
is especially necessary in an off path deployment because the adaptive security appliance requires
that you specify the listening interface for the mapping service and the Cisco UCMs must be
connected on one trusted interface.
Multipart MIME is not supported.
•
Only existing SIP features and messages are supported.
•
RTCP is not supported. The adaptive security appliance drops any RTCP traffic sent from the inside
•
interface to the outside interface. The adaptive security appliance does not convert RTCP traffic
from the inside interface into SRTP traffic.
The Cisco Intercompany Media Engine Proxy configured on the adaptive security appliance creates
•
a dynamic SIP trunk for each connection to a remote enterprise. However, you cannot configure a
unique subject name for each SIP trunk. The Cisco Intercompany Media Engine Proxy can have only
one subject name configured for the proxy.
Additionally, the subject DN you configure for the Cisco Intercompany Media Engine Proxy match
the domain name that has been set for the local Cisco UCM.
If a service policy rule for the Cisco Intercompany Media Engine Proxy is removed (by using the no
•
service policy command) and reconfigured, the first call traversing the adaptive security appliance
will fail. The call fails over to the PSTN because the Cisco UCM does not know the connections are
cleared and tries to use the recently cleared IME SIP trunk for the signaling.
To resolve this issue, you must additionally enter the clear connection all command and restart the
adaptive security appliance. If the failure is due to failover, the connections from the primary
adaptive security appliance are not synchronized to the standby adaptive security appliance.
• After the clear connection all command is issued on an adaptive security appliance enabled with a
UC-IME Proxy and the IME call fails over to the PSTN, the next IME call between an originating
and terminating SCCP IP phone completes but does not have audio and is dropped after the signaling
session is established.
An IME call between SCCP IP phones use the IME SIP trunk in both directions. Namely, the
signaling from the calling to called party uses the IME SIP trunk. Then, the called party uses the
reverse IME SIP trunk for the return signaling and media exchange. However, this connection is
already cleared on the adaptive security appliance, which causes the IME call to fail.
The next IME call (the third call after the clear connection all command is issued), will be
completely successful.
Note
The adaptive security appliance must be licensed and configured with enough TLS proxy sessions
•
to handle the IME call volume. See
about the licensing requirements for TLS proxy sessions.
This limitation occurs because an IME call cannot fall back to the PSTN when there are not enough
TLS proxy sessions left to complete the IME call. An IME call between two SCCP IP phones
requires the adaptive security appliance to use two TLS proxy sessions to successfully complete the
TLS handshake.
Assume for example, the adaptive security appliance is configured to have a maximum of 100 TLS
proxy sessions and IME calls between SCCP IP phones establish 101 TLS proxy sessions. In this
example, the next IME call is initiated successfully by the originating SCCP IP phone but fails after
Cisco ASA 5500 Series Configuration Guide using ASDM
47-10
This limitation does not apply when the originating and terminating IP phones are
configured with SIP.
Chapter 47 Configuring Cisco Intercompany Media Engine Proxy
Licensing for Cisco Intercompany Media Engine for information
OL-20339-01