Rtp packets not passing firewall, ports open

I have been trying to figure this out for several weeks and I am certain it is the firewall/router.

I have a Cisco 2800 router with correct ports opened.

I did a sip trace on the server side and the client side. The rtp packets went out as expected but the server side never recieved them. This only happens when a call is started on the outside of the firewall. If i call out from inside the firewall to outside there seems to be no problems.

Below is a sip trace of a sip client outside the firewall starting the call.

[code]No. Time Source Destination Protocol Length Info
280 13.489738000 192.168.77.94 190.86.xxx.xxx SIP/SDP 947 Request: INVITE sip:7005@190.86.xxx.xxx |

Frame 280: 947 bytes on wire (7576 bits), 947 bytes captured (7576 bits) on interface 0
Ethernet II, Src: IntelCor_33:71:4c (c4:85:08:33:71:4c), Dst: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85)
Internet Protocol Version 4, Src: 192.168.77.94 (192.168.77.94), Dst: 190.86.xxx.xxx (190.86.xxx.xxx)
User Datagram Protocol, Src Port: 5206 (5206), Dst Port: sip (5060)
Session Initiation Protocol (INVITE)
Request-Line: INVITE sip:7005@190.86.xxx.xxx SIP/2.0
Message Header
Via: SIP/2.0/UDP 192.168.77.94:5206;branch=z9hG4bK-d8754z-c5e9af5e0688353f-1—d8754z-;rport
Max-Forwards: 70
Contact: sip:pbrinkrm2@172.17.3.145:62778
To: sip:7005@190.86.xxx.xxx
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: Bria 3 release 3.5.3 stamp 70599
Content-Length: 351
Message Body
Session Description Protocol
Session Description Protocol Version (v): 0
Owner/Creator, Session Id (o): - 13018211538903242 1 IN IP4 192.168.77.94
Session Name (s): Bria 3 release 3.5.3 stamp 70599
Connection Information ©: IN IP4 192.168.77.94
Time Description, active time (t): 0 0
Media Description, name and address (m): audio 49722 RTP/AVP 125 107 9 0 8 18 101
Media Attribute (a): rtpmap:125 opus/48000/2
Media Attribute (a): fmtp:125 useinbandfec=1
Media Attribute (a): rtpmap:107 BV32/16000
Media Attribute (a): rtpmap:18 G729/8000
Media Attribute (a): fmtp:18 annexb=yes
Media Attribute (a): rtpmap:101 telephone-event/8000
Media Attribute (a): fmtp:101 0-15
Media Attribute (a): sendrecv

No. Time Source Destination Protocol Length Info
282 13.660363000 190.86.xxx.xxx 192.168.77.94 SIP 532 Status: 100 Trying |

Frame 282: 532 bytes on wire (4256 bits), 532 bytes captured (4256 bits) on interface 0
Ethernet II, Src: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85), Dst: IntelCor_33:71:4c (c4:85:08:33:71:4c)
Internet Protocol Version 4, Src: 190.86.xxx.xxx (190.86.xxx.xxx), Dst: 192.168.77.94 (192.168.77.94)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5206 (5206)
Session Initiation Protocol (100)
Status-Line: SIP/2.0 100 Trying
Message Header
Via: SIP/2.0/UDP 190.86.177.118:5206;branch=z9hG4bK-d8754z-c5e9af5e0688353f-1—d8754z-;received=172.17.3.145;rport=62778
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
To: sip:7005@190.86.xxx.xxx
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 1 INVITE
Server: Asterisk PBX 11.4.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces
Contact: sip:7005@190.86.xxx.xxx:5060
Content-Length: 0

No. Time Source Destination Protocol Length Info
327 16.074189000 190.86.xxx.xxx 192.168.77.94 SIP 548 Status: 180 Ringing |

Frame 327: 548 bytes on wire (4384 bits), 548 bytes captured (4384 bits) on interface 0
Ethernet II, Src: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85), Dst: IntelCor_33:71:4c (c4:85:08:33:71:4c)
Internet Protocol Version 4, Src: 190.86.xxx.xxx (190.86.xxx.xxx), Dst: 192.168.77.94 (192.168.77.94)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5206 (5206)
Session Initiation Protocol (180)
Status-Line: SIP/2.0 180 Ringing
Message Header
Via: SIP/2.0/UDP 190.86.177.118:5206;branch=z9hG4bK-d8754z-c5e9af5e0688353f-1—d8754z-;received=172.17.3.145;rport=62778
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
To: sip:7005@190.86.xxx.xxx;tag=as118c69e4
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 1 INVITE
Server: Asterisk PBX 11.4.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces
Contact: sip:7005@190.86.xxx.xxx:5060
Content-Length: 0

No. Time Source Destination Protocol Length Info
480 24.205119000 190.86.xxx.xxx 192.168.77.94 SIP/SDP 913 Status: 200 OK |

Frame 480: 913 bytes on wire (7304 bits), 913 bytes captured (7304 bits) on interface 0
Ethernet II, Src: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85), Dst: IntelCor_33:71:4c (c4:85:08:33:71:4c)
Internet Protocol Version 4, Src: 190.86.xxx.xxx (190.86.xxx.xxx), Dst: 192.168.77.94 (192.168.77.94)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5206 (5206)
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
Message Header
Via: SIP/2.0/UDP 190.86.177.118:5206;branch=z9hG4bK-d8754z-c5e9af5e0688353f-1—d8754z-;received=172.17.3.145;rport=62778
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
To: sip:7005@190.86.xxx.xxx;tag=as118c69e4
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 1 INVITE
Server: Asterisk PBX 11.4.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces
Contact: sip:7005@190.86.xxx.xxx:5060
Content-Type: application/sdp
Content-Length: 337
Message Body
Session Description Protocol
Session Description Protocol Version (v): 0
Owner/Creator, Session Id (o): root 1172741063 1172741063 IN IP4 190.86.xxx.xxx
Session Name (s): Asterisk PBX 11.4.0
Connection Information ©: IN IP4 190.86.xxx.xxx
Time Description, active time (t): 0 0
Media Description, name and address (m): audio 12886 RTP/AVP 18 0 8 101
Media Attribute (a): rtpmap:18 G729/8000
Media Attribute (a): fmtp:18 annexb=no
Media Attribute (a): rtpmap:0 PCMU/8000
Media Attribute (a): rtpmap:8 PCMA/8000
Media Attribute (a): rtpmap:101 telephone-event/8000
Media Attribute (a): fmtp:101 0-16
Media Attribute (a): silenceSupp:off - - - -
Media Attribute (a): ptime:20
Media Attribute (a): sendrecv

No. Time Source Destination Protocol Length Info
481 24.252939000 192.168.77.94 190.86.xxx.xxx SIP 473 Request: ACK sip:7005@190.86.xxx.xxx:5060 |

Frame 481: 473 bytes on wire (3784 bits), 473 bytes captured (3784 bits) on interface 0
Ethernet II, Src: IntelCor_33:71:4c (c4:85:08:33:71:4c), Dst: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85)
Internet Protocol Version 4, Src: 192.168.77.94 (192.168.77.94), Dst: 190.86.xxx.xxx (190.86.xxx.xxx)
User Datagram Protocol, Src Port: 5206 (5206), Dst Port: sip (5060)
Session Initiation Protocol (ACK)
Request-Line: ACK sip:7005@190.86.xxx.xxx:5060 SIP/2.0
Message Header
Via: SIP/2.0/UDP 192.168.77.94:5206;branch=z9hG4bK-d8754z-5736bb6bf11d6d51-1—d8754z-;rport
Max-Forwards: 70
Contact: sip:pbrinkrm2@172.17.3.145:62778
To: sip:7005@190.86.xxx.xxx;tag=as118c69e4
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 1 ACK
User-Agent: Bria 3 release 3.5.3 stamp 70599
Content-Length: 0

No. Time Source Destination Protocol Length Info
482 24.266238000 192.168.77.94 190.86.xxx.xxx RTP 74 PT=ITU-T G.729, SSRC=0xBD8775F, Seq=0, Time=3292247465, Mark

Frame 482: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Ethernet II, Src: IntelCor_33:71:4c (c4:85:08:33:71:4c), Dst: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85)
Internet Protocol Version 4, Src: 192.168.77.94 (192.168.77.94), Dst: 190.86.xxx.xxx (190.86.xxx.xxx)
User Datagram Protocol, Src Port: 49722 (49722), Dst Port: 12886 (12886)
Real-Time Transport Protocol
[Stream setup by SDP (frame 480)]
10… … = Version: RFC 1889 Version (2)
…0. … = Padding: False
…0 … = Extension: False
… 0000 = Contributing source identifiers count: 0
1… … = Marker: True
Payload type: ITU-T G.729 (18)
Sequence number: 0
[Extended sequence number: 65536]
Timestamp: 3292247465
Synchronization Source identifier: 0x0bd8775f (198735711)
Payload: fcba820000fac896a48631cc4c23a6321e1a11de

No. Time Source Destination Protocol Length Info
485 24.286854000 192.168.77.94 190.86.xxx.xxx RTP 74 PT=ITU-T G.729, SSRC=0xBD8775F, Seq=1, Time=3292247625

Frame 485: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Ethernet II, Src: IntelCor_33:71:4c (c4:85:08:33:71:4c), Dst: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85)
Internet Protocol Version 4, Src: 192.168.77.94 (192.168.77.94), Dst: 190.86.xxx.xxx (190.86.xxx.xxx)
User Datagram Protocol, Src Port: 49722 (49722), Dst Port: 12886 (12886)
Real-Time Transport Protocol
[Stream setup by SDP (frame 480)]
10… … = Version: RFC 1889 Version (2)
…0. … = Padding: False
…0 … = Extension: False
… 0000 = Contributing source identifiers count: 0
0… … = Marker: False
Payload type: ITU-T G.729 (18)
Sequence number: 1
[Extended sequence number: 65537]
Timestamp: 3292247625
Synchronization Source identifier: 0x0bd8775f (198735711)
Payload: 789a80ac50fac20007d6f87240a000fac20007d6

No. Time Source Destination Protocol Length Info
1428 37.325753000 192.168.77.94 190.86.xxx.xxx SIP 473 Request: BYE sip:7005@190.86.xxx.xxx:5060 |

Frame 1428: 473 bytes on wire (3784 bits), 473 bytes captured (3784 bits) on interface 0
Ethernet II, Src: IntelCor_33:71:4c (c4:85:08:33:71:4c), Dst: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85)
Internet Protocol Version 4, Src: 192.168.77.94 (192.168.77.94), Dst: 190.86.xxx.xxx (190.86.xxx.xxx)
User Datagram Protocol, Src Port: 5206 (5206), Dst Port: sip (5060)
Session Initiation Protocol (BYE)
Request-Line: BYE sip:7005@190.86.xxx.xxx:5060 SIP/2.0
Message Header
Via: SIP/2.0/UDP 192.168.77.94:5206;branch=z9hG4bK-d8754z-18e71905167b9d4b-1—d8754z-;rport
Max-Forwards: 70
Contact: sip:pbrinkrm2@172.17.3.145:62778
To: sip:7005@190.86.xxx.xxx;tag=as118c69e4
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 2 BYE
User-Agent: Bria 3 release 3.5.3 stamp 70599
Content-Length: 0

No. Time Source Destination Protocol Length Info
1431 37.494792000 190.86.xxx.xxx 192.168.77.94 SIP 498 Status: 200 OK |

Frame 1431: 498 bytes on wire (3984 bits), 498 bytes captured (3984 bits) on interface 0
Ethernet II, Src: IntelCor_0b:6a:85 (68:05:ca:0b:6a:85), Dst: IntelCor_33:71:4c (c4:85:08:33:71:4c)
Internet Protocol Version 4, Src: 190.86.xxx.xxx (190.86.xxx.xxx), Dst: 192.168.77.94 (192.168.77.94)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5206 (5206)
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
Message Header
Via: SIP/2.0/UDP 192.168.77.94:5206;branch=z9hG4bK-d8754z-18e71905167b9d4b-1—d8754z-;received=172.17.3.145;rport=62778
From: sip:pbrinkrm2@190.86.xxx.xxx;tag=8b1c3c36
To: sip:7005@190.86.xxx.xxx;tag=as118c69e4
Call-ID: NDcwYzY0ZGY0OTczZmVmMmI3ODYxMmZlZjc5ZTdkM2E
CSeq: 2 BYE
Server: Asterisk PBX 11.4.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces
Content-Length: 0
[/code]

I compared the good and bad packets and found a checksum error on the RTP packets that dont make it throught. I think this might be a cause of the problem. This only happens on calls starting outside the network.

Problem is under Internet protoc0l --> Header checksum

Frame 367: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0 Interface id: 0 Encapsulation type: Ethernet (1) Arrival Time: Jul 12, 2013 18:17:09.531568000 Central America Standard Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1373674629.531568000 seconds [Time delta from previous captured frame: 0.019850000 seconds] [Time delta from previous displayed frame: 0.019850000 seconds] [Time since reference or first frame: 35.709907000 seconds] Frame Number: 367 Frame Length: 74 bytes (592 bits) Capture Length: 74 bytes (592 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:udp:rtp] [Number of per-protocol-data: 1] [Real-Time Transport Protocol, key 0] [Coloring Rule Name: Checksum Errors] [Coloring Rule String: eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1] Ethernet II, Src: Sony_ed:dd:f7 (30:f9:ed:ed:dd:f7), Dst: Cisco_15:ae:21 (00:23:33:15:ae:21) Destination: Cisco_15:ae:21 (00:23:33:15:ae:21) Address: Cisco_15:ae:21 (00:23:33:15:ae:21) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Sony_ed:dd:f7 (30:f9:ed:ed:dd:f7) Address: Sony_ed:dd:f7 (30:f9:ed:ed:dd:f7) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IP (0x0800) Internet Protocol Version 4, Src: 172.17.16.1 (172.17.16.1), Dst: 190.86.xxx.xxx (190.86.xxx.xxx) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 60 Identification: 0x5acd (23245) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: UDP (17) Header checksum: 0x0000 [incorrect, should be 0x7406 (may be caused by "IP checksum offload"?)] [Good: False] [Bad: True] [Expert Info (Error/Checksum): Bad checksum] [Message: Bad checksum] [Severity level: Error] [Group: Checksum] Source: 172.17.16.1 (172.17.16.1) Destination: 190.86.xxx.xxx (190.86.xxx.xxx) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] User Datagram Protocol, Src Port: 61448 (61448), Dst Port: 18668 (18668) Source port: 61448 (61448) Destination port: 18668 (18668) Length: 40 Checksum: 0x2c17 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Real-Time Transport Protocol [Stream setup by SDP (frame 363)] [Setup frame: 363] [Setup Method: SDP] 10.. .... = Version: RFC 1889 Version (2) ..0. .... = Padding: False ...0 .... = Extension: False .... 0000 = Contributing source identifiers count: 0 0... .... = Marker: False Payload type: ITU-T G.729 (18) Sequence number: 2 [Extended sequence number: 65538] Timestamp: 2785685929 Synchronization Source identifier: 0x2627735d (640119645) Payload: f3f1c5244e9ac20007d6d5bf48c87ea58f774bad

Does anyone know why this is happening.

The checksum error is most likely due to the capture beng made before the checksum is added, and therefore not a real error.