IP phone over VPN getting TCP Reset-I

bkootstra
Level 1

I have our ASA 5520 (local network) talking lan2lan VPN to an ASA 5505 (remote network) for a "remote office". I have a Cisco IP phone communicating to the Call Manager over the VPN connection. The problem I have is that the phone will reset and come back or just reset and spin its wheels trying to come back. Checking the syslogs on each ASA device and the remote device shows a TCP Reset-O, while the local network ASA is showing the TCP Reset-I message. What should I look for to keep the reset from happening and killing my IP phone connection?

5 Replies 5

hadbou
Level 5

When the PIX Firewall terminates any TCP connection, it generates a log message (which can be collected using a syslog server) that provides a reason for the termination. For example, if a TCP connection has been established between two hosts across the PIX, a TCP RESET-I in the log message means that the server from the inside is sending a reset to the PIX (which instructs the PIX to drop the connection). The PIX then drops the connection and logs a RESET-I.
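An added example, not part of the original thread: a small parser that pulls the teardown reason out of collected firewall syslog and tallies it per endpoint pair for TCP port 2000 (SCCP/skinny), so repeated Reset-I or Reset-O events for one phone stand out. It assumes the standard `302014` "Teardown TCP connection" message layout; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the 302014 teardown layout (addresses are made up).
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:192.168.50.20/49512 to inside:10.1.1.5/2000 duration 0:04:31 bytes 18230 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1002 for outside:192.168.50.21/50110 to inside:10.1.1.80/443 duration 0:00:12 bytes 5120 TCP FINs
%ASA-6-302014: Teardown TCP connection 1003 for outside:192.168.50.20/49530 to inside:10.1.1.5/2000 duration 0:00:58 bytes 2210 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1004 for outside:192.168.50.20/49544 to inside:10.1.1.5/2000 duration 1:12:07 bytes 90211 TCP Reset-O
%ASA-6-302013: Built inbound TCP connection 1005 for outside:192.168.50.20/49560 (192.168.50.20/49560) to inside:10.1.1.5/2000 (10.1.1.5/2000)
"""

TEARDOWN = re.compile(
    r"%(?:ASA|PIX)-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?\s*$"
)

SCCP_PORT = 2000  # skinny signalling between phone and call manager

def parse_teardowns(text, port=SCCP_PORT):
    """Return one dict per TCP teardown whose source or destination port matches."""
    rows = []
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue  # not a teardown message (e.g. 302013 "Built")
        if port not in (int(m["src_port"]), int(m["dst_port"])):
            continue
        rows.append({
            "conn": int(m["conn"]),
            "src": f'{m["src_if"]}:{m["src_ip"]}',
            "dst": f'{m["dst_if"]}:{m["dst_ip"]}',
            "seconds": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "reason": m["reason"] or "unspecified",
        })
    return rows

def reset_summary(rows):
    """Count teardown reasons per (source, destination) pair."""
    return Counter((r["src"], r["dst"], r["reason"]) for r in rows)

if __name__ == "__main__":
    for (src, dst, reason), n in reset_summary(parse_teardowns(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {src} -> {dst}  {reason}")
```

Comparing the connection durations against the phone's keepalive interval, on both firewalls for the same flow, helps show which side actually originated the reset.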

james.irwin
Level 4

This might sound odd, but does the remote office have a static IP or DHCP from the provider?

If DHCP, people will commonly configure the default route to the WAN interface:

ip ro 0.0.0.0 0.0.0.0 int fa4

If that is the case, instead, try this:

ip ro 0.0.0.0 0.0.0.0 dhcp

This action installs a default route into the table. The IP phone and data flow will stabilize.

timkaye
Level 1

Inspection of skinny?

Am seeing a similar issue in a live environment. ASA at HQ site, 2811 at remote site. VPN tunnel does not drop but phones reboot.

We've seen some SLIP and clocking errors, so we are going down that route with the provider; however, I'm not seeing phones go to SRST.

I'm debugging:

ephone error

ephone keepalive

ephone registration.

I'm wondering if onsite for packet traces is in order. Look for traffic on port 2000.

tbentley
Level 1

I had the same problem with my ASA and a remote access VPN. Try turning off skinny traffic inspection for that network.
