I have a strange issue where I have a configured rule to allow the "rtp" and "rtcp" App-IDs with application-default service from any-to-any. Below that rule I have a generic permit-any rule with application service any. Screenshots below. The behavior I am running into is that positively identified rtp and rtcp sessions are not matching my higher rule, and instead are flowing down to the permit-any-any rule, however when I check the security logs, they are showing the app being correctly identified as rtp or rtcp.
There doesn't appear to be anything in common between the traffic that does or does not match, such as a port number. The APP-ID for RTP lists the port range as dynamic so I am assuming this isn't an issue related to the port range.
I also looked into weather or not the issue is related to pinhole traffic from the SIP session which sets up the RTP predict session, but according to the documentation there is still a requirement to have an APP-ID rule matching the RTP/RTCP traffic. We do have SIP AGL enabled (default setting) but I would think since my rule is so permissive (any/any source/dest) the SIP AGL functionality is irrelevant.
Edit: We are running 10.1.5-h1 and I have checked known issues, but didn't find anything that sounded relevant.
Any help is appreciated!
