Skinny CCIE IP Nat Problem [not]resolved

As mentioned in my profile I am studying for my CCIE Voice Lab exam. Well I have been plagued by a problem with phones not registering when using Rented Lab Kit and physical IP phones in my home POD.

My POD is connected to the Rented Lab Equipment over an encrypted link that is also NAT’d.


One of the guys from Cisco who was also studying for the exam recommended sticking to IOS 12.4 mainline. As the issue shouldn’t exist within these IOS train. Unfortuately I use a Cisco 1801 router for my connection to the Internet and there is no IOS 12.4 mainline available for it. After some experimentation I discovered that with some of the special releases solved this problem but also created others. Which basically meant keeping 4 different versions of IOS on the routers flash and switching between them depending on what I am doing.

I have just run Wireshark on a PC attached to the back of one of the phones that wasn’t registering and pulled a capture. What appears to be happening is that :

1. The phone issues a SKINNY SoftKeyTemplateReqMessage.
2. There then follows three TCP Retransmissions of SoftKeyTemptateReqMessage
3. A Skinny KeepAliveMessage
4. Two more TCP Retransmissions of SoftKeyTemplateReqMessage
5. The connection is reset.

It’s like these TCP packets are not getting through to the server which is very reminisent of an MTU/Fragmentation problem.

I’ve done some more digging in the Cisco advisories and stumbled across the following :

This advisory indicates that in IOS Version 12.4(6)T NAT SKINNY fragmentation support was introduced. It advises that there is a vunerability in relation to memory allocation. Which can manifest as a DoS expoitation.

Wondering whether the issue advised was related to the issue I have. Considering I also have introduced Crypto into the mix.  The workaround is to disable Skinny NAT ALG support on port 2000.

Router(config)# no ip nat service skinny tcp port 2000

I’ve got some additional digging to do but on the face. Once this is done smart inspection of the SKINNY packet isn’t performed by the router so it’ neccessary to also open UDP ports for the voice calls to proceed.

So you can have the phones registering correctly – but no audio path.

I have subsequently gone back to IOS version 12.4-15.XY5.

Router#show hardw
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(15)XY5, RELEASE SOFTWARE (fc3)
Technical Support:
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 18-Dec-08 18:44 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

Router uptime is 10 hours, 45 minutes
System returned to ROM by reload at 04:02:37 BST Thu May 7 2009
System restarted at 04:03:25 BST Thu May 7 2009
System image file is "flash:c180x-advipservicesk9-mz.124-15.XY5.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

Cisco 1801 (MPC8500) processor (revision 0x400) with 105472K/25600K bytes of memory.
Processor board ID FCZ1048121H, with hardware revision 0000

9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
125952K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

Updated 30/06/2009