We upgraded our PA5020 from 5.07 to 6.0.1 to utilize TLS 1.2 to handle decryption, but as a result we have created an issue with our phones. We have a couple call managers behind the PA5020's at our data center and several branch offices around the world that rely on them. The branch MGCP gateway uses UDP 2427 to send notification messages and TCP 2428 to handle call setup etc.

When we place an outbound call from a branch, the phone (Cisco 8961) works fine for approx 23 seconds and then goes into preservation mode, which keeps the call connected in a "fail over" state; however, phone features like hold, transfer etc. no longer work. When we do a packet capture we can see the UDP 2427 MGCP packets being dropped and then subsequent retries, and then at which time the call manager assumes it has lost connectivity to the MGCP gateway and the phone goes into preservation mode.

Here are some things we have done thus far:

- created a rule to allow everything from anywhere going to anywhere to ensure there was no policy causing an issue
- since these are SIP phones we disabled SIP ALG, but it's not the SIP portion that has an issue, so no change
- created an application override for MGCP with UDP and TCP ports 0-65535 for good measure and still the packets are dropped

We do have a call in with TAC, but since this is affecting every branch, it's getting a little warm under the collar. We may have no choice but to revert back to 5.x but thought I would throw it out there to the community in case someone has some other ideas we can try.