Cisco IP Communicator and Phone Proxy over ASA

Unanswered Question
Dec 12th, 2009

We're trying to get a Cisco Softphone (IP Communicator v7.03) to work across an ASA using the Phone Proxy.  The softphone usually registers correctly with the ASA Proxy and hence the callmanager, but when we go to make a call from the proxy phone to a phone on the inside it rings but we have no audio.  However, we can make calls from phone to phone on the proxy side of the ASA. A 7961 proxy phone has no problems making calls and talking across the ASA.


The Call Manager is running 7.1(2) and is in nonsecure mode.


Any help would be greatly appreciated.

Tracy Larson Mon, 12/14/2009 - 07:16

What are you using to register the IP Communicator on the PC? I ran into this same issue because I was registering using the network adapter option in the network settings of the Communicator and then connecting via wireless, which uses a different MAC address of course, so the phone would register fine but you won't hear any audio. The best way to register an IP Communicator is to use the "use this device name" option instead of "use network adapter". Is it something that simple maybe?

kristyorr Thu, 02/25/2010 - 18:30

Did you get this resolved?  I am having this issue.  One way audio, IP communicator, ASA phone proxy.  It looks like the IP communicator is registering with an internal IP.  It seems like a certificate issue....

MITCH JOHNSON Thu, 02/25/2010 - 19:40

The big part of our problem was in the softphone saying that it wasn't secured.  We changed the security mode of the CIPC under the phone proxy configuration on the ASA.  Then we reset the certificate under the CallManager config for the phone, making sure that the null0 certificate was chosen.  I think that was about it.

kristyorr Tue, 03/02/2010 - 17:22

MJohnson - Your feedback was helpful and led me down the right path.  Thanks much!

federico.morales Mon, 09/13/2010 - 13:52

To what did you set the security mode of the CIPC? Did you open any extra port in addition to the tftp port?

MITCH JOHNSON Mon, 09/13/2010 - 20:03

We used: cipc security-mode authenticated.


As far as ports being opened up, we had to open the ports necessary for the secured portion of the setup to include tftp.  We did it both ways, with secure skinny and secure SIP and of course the secure RTP.


Remember that all secure traffic terminates on the outside interface, the inside interface then proxies to the unsecure sip/skinny or RTP.


Hope this helps.

Nelsonmejia09 Wed, 10/13/2010 - 14:56

I have the same issue. I can't hear any audio when I try to call another phone when I connect my IPC through the ASA phone proxy.

I configured the following on the ASA firewall:


tls-proxy phone-proxy-tls
server trust-point _internal_PP_phone-proxy-ctl
client ldc issuer phoneproxy-ldc-signer
client ldc key-pair phoneproxy-ldc-clients
ctl-file phone-proxy-ctl
cluster-ctl-file disk0:/CTLFile.tlv
record-entry cucm-tftp trustpoint phoneproxy-main address

record-entry capf trustpoint CAPF address y.y.y.y (public IP for UCM)


phone-proxy Client-phone-proxy
media-termination Client_ASA
tftp-server address x.x.x.x interface inside
tls-proxy phone-proxy-tls
cipc security-mode authenticated
cluster-mode mixed
ctl-file phone-proxy-ctl
no disable service-settings


ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 null-sha1


How can I configure the UCM to force the IPC with null0?

I permit any UDP port to the public IP for the UCM, and the TCP ports for skinny and the CAPF port.


Can someone send me some steps to test why I cannot hear any audio?
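
An added example (not written by any poster in this thread, and not Cisco tooling): a small Python check that reads a phone-proxy configuration shaped like the one posted above and reports `record-entry` lines with no address, `tls-proxy`/`ctl-file` references that point at undefined names, and a missing `cipc security-mode`. It assumes sub-commands are indented under their parent command; the sample configuration, its names and its address are constructed.

```python
import re

# Constructed sample modelled on the configuration posted above; names and
# the 198.51.100.10 documentation address are not values from the thread.
SAMPLE = """\
tls-proxy phone-proxy-tls
 server trust-point _internal_PP_phone-proxy-ctl
ctl-file phone-proxy-ctl
 record-entry cucm-tftp trustpoint phoneproxy-main address
 record-entry capf trustpoint CAPF address 198.51.100.10
phone-proxy Client-phone-proxy
 media-termination Client_ASA
 tls-proxy phone-proxy-tls-typo
 cipc security-mode authenticated
 ctl-file phone-proxy-ctl
"""

def parse_blocks(text):
    """Group indented sub-commands under their top-level command (assumed layout)."""
    blocks = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def check_phone_proxy(text):
    """Return findings: missing addresses, dangling references, no CIPC mode."""
    blocks = parse_blocks(text)
    defined = {"tls-proxy": set(), "ctl-file": set()}
    for head, _ in blocks:
        words = head.split()
        if words[0] in defined and len(words) == 2:
            defined[words[0]].add(words[1])
    findings = []
    for head, subs in blocks:
        if head.startswith("ctl-file "):
            for s in subs:
                if s.startswith("record-entry") and not re.search(r"\baddress\s+\S+", s):
                    findings.append(f"{head}: '{s}' has no address")
        if head.startswith("phone-proxy "):
            for s in subs:
                p = s.split()
                if len(p) == 2 and p[0] in defined and p[1] not in defined[p[0]]:
                    findings.append(f"{head}: {p[0]} '{p[1]}' is not defined")
            # 'cipc security-mode' is the setting the thread reports for IP Communicator
            if not any(s.startswith("cipc security-mode") for s in subs):
                findings.append(f"{head}: no 'cipc security-mode' set")
    return findings

if __name__ == "__main__":
    print("\n".join(check_phone_proxy(SAMPLE)))
```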

kristyorr Wed, 10/13/2010 - 15:03

After the IP Communicator registers, log in to your Call Manager and see what IP address it is registering with.  My guess is that it's an internal IP from the home network; that is the result I have always had.  Unless the IP Communicator registers with an IP that is on the corporate network (reachable by CUCM and voice gateway), there is no way to route the packets correctly and thus no audio. I have tried several times to get it to PAT to the IP of the ASA's inside interface. I have a PAT translation that works great for my 7945 proxy phones, but have never had luck making it work on the IPCs.  Officially IP Communicator is not supported over proxy.  It works great when you connect over the VPN first and then launch the application.

Nelsonmejia09 Wed, 10/13/2010 - 21:07

I have some questions:

1. What ports (TCP/UDP) do I need open?

2. What IP address do I use to open the ports: the MTA global (public IP for MTA) or the global NAT IP address for the UCM?

Nelsonmejia09 Wed, 10/13/2010 - 21:23

I have configured my home router to forward the range of UDP ports to my IPC
as in the Cisco documentation (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1194487)
in "Configuring Your Router", but the issue is the same: I can't hear any audio.


And I have another issue:
I have connected a Cisco IP Phone 7945 (with LSC certificate installed) at a remote home
with a public IP, and when I tried to register with the UCM through the ASA Phone Proxy I received
the following error in the ASA's debug:


PP: ASA is requesting file SEPMACADRESS.cnf.xml.sgn from Call Manager TFTP server.
PP: ASA sent request for SEPMACADDRESS.cnf.xml.sgn sourced from outside:200.110.x.y to inside:172.x.y.z, opened 0xb4e4b512
PP: (172.x.y.z/60748 -> 200.110.x.y/49156)
File not found
PP: Removing secure device outside:200.110.x.y/0, MACADDRESS, 0 left, Reason: Config File Not Found
PP: Config file SEPMACADDRESS.cnf.xml.sgn not found for client outside:200.x.y.122/49156 server inside:172.x.y.z/60748

kristyorr Thu, 10/14/2010 - 11:56

Did you import the CUCM certs into the ASA?  The ASA is asking for the config file for the phone.  Also....the certificate points to the CUCM by name, so make sure you have relevant DNS entries in the ASA so it can resolve the request for the CUCM server name.

kristyorr Thu, 10/14/2010 - 11:29

Ports to open:


UDP 1024-65535 (for RTP/audio streams)

UDP 69

TCP/UDP 2000

TCP 2443



Point the phone to the external IP of the CUCM, not the MTA.  The MTA IPs are used by the ASA.  You need to configure both an unused external IP address and an unused internal IP address (from subnet of inside interface, or whichever interface is CUCM facing in your environment) for your MTA.
