Distributed CME over IPSEC



I'm working on a deployment to interconnect 2 offices each with its own CME/CUE.

I got each cluster working individually pretty well. I'm baffled by the problems encountered when I configured the IPSEC tunnel to carry the interoffice traffic.

Based on the attached diagram, each individual CME/CUE cluster works perfectly.

Standard IPSEC tunnel between CME router and ASA is formed. Interesting traffic is and respectively.

> Ping from LAN is successful to and hosts.

> Ping from LAN is successful to and hosts.

> Ping from CME(left side) to or UNSUCCESSFUL. It is successful with extended ping by specifying source address of

> extension 51xx ( phones) can be dialled by extension 55xx ( phones)

However, no voice is heard between phones when picked up, and calls cannot route to the voicemail box.

> extension 55xx ( phones) cannot even be dialled by extension 51xx ( phones)

I wonder if it's because the CME (left side) is using the 66.X.X.X address as the source address and it is not considered interesting traffic... I'll have to do some debug / packet capture to check again...

Please share any insights on multi-site CME deployment over VPN, and any ideas on what I'm doing wrong...

Many thanks in advance,


Paolo Bevilacqua Fri, 05/04/2007 - 04:31

No they don't move threads here :)

[EDIT yes they do :) ]

Anyway, it doesn't matter. Well, as I am here telling you the above, going to your question, I think you have to diagnose first whether you are really passing everything over the VPN. The PIXes are the ones that must be looked into. There are multiple access lists that you have to set to make a really any-to-any VPN. Remember that with the PIX, packets cannot re-enter the VPN from inside, so it must be full mesh. Check if there is anything against UDP in the ACL.

So in the end the thread could belong more to "security" :)
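The two checks raised in this thread (whether router-sourced packets fall inside the interesting-traffic definition, and whether the ACLs on both peers agree and cover UDP) can be modelled offline before touching the devices. This is an added example, not part of the thread or any poster's configuration; every subnet and address is constructed, because the thread's real values are not shown, and the function names are hypothetical.

```python
import ipaddress as ip

# Constructed addressing (assumption): the thread's real subnets are not shown.
LEFT_LAN = ip.ip_network("10.1.0.0/24")    # CME-side phones
RIGHT_LAN = ip.ip_network("10.2.0.0/24")   # remote-side phones
CME_OUTSIDE = ip.ip_address("192.0.2.1")   # stands in for the 66.X.X.X address
CME_INSIDE = ip.ip_address("10.1.0.1")     # CME LAN interface

# Crypto ACL permit entries: (protocol, source net, destination net).
# "ip" matches any protocol, as in an IOS/PIX "permit ip" line.
LEFT_CRYPTO_ACL = [("ip", LEFT_LAN, RIGHT_LAN)]
RIGHT_CRYPTO_ACL = [("ip", RIGHT_LAN, LEFT_LAN)]


def is_interesting(acl, proto, src, dst):
    """True if the packet matches a permit entry and would enter the tunnel."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(p in ("ip", proto) and src in s and dst in d for p, s, d in acl)


def is_mirrored(local_acl, peer_acl):
    """Both peers must list the same flows with source and destination swapped."""
    return set(local_acl) == {(p, d, s) for p, s, d in peer_acl}


def classify(flows, acl):
    """Map each named flow to 'tunnel' or 'bypass' for the given crypto ACL."""
    return {
        name: "tunnel" if is_interesting(acl, proto, src, dst) else "bypass"
        for name, (proto, src, dst) in flows.items()
    }


REMOTE_PHONE = "10.2.0.20"
# A router sources its own packets from the egress interface unless told otherwise.
FLOWS = {
    "lan ping": ("icmp", "10.1.0.20", REMOTE_PHONE),
    "router ping, default source": ("icmp", CME_OUTSIDE, REMOTE_PHONE),
    "router ping, inside source": ("icmp", CME_INSIDE, REMOTE_PHONE),
    "voice from outside address": ("udp", CME_OUTSIDE, REMOTE_PHONE),
    "voice from inside address": ("udp", CME_INSIDE, REMOTE_PHONE),
}

if __name__ == "__main__":
    print("ACLs mirrored:", is_mirrored(LEFT_CRYPTO_ACL, RIGHT_CRYPTO_ACL))
    for name, verdict in classify(FLOWS, LEFT_CRYPTO_ACL).items():
        print(f"{verdict:6}  {name}")
```

Flows reported as `bypass` never reach the tunnel from that side, which matches the ping behaviour described in the question; a packet capture on the outside interface confirms which source address the voice traffic really uses.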

