Weird Problem in IPSEC VPN

Unanswered Question
Apr 7th, 2010
User Badges:

We are trying to run cisco ip phone via site to site ipsec vpn tunnel.The problem is the phones work fine for the first 40-50 secs and then suddenly the speech path is one-way,one party can hear but the other cannot. the code train for the ASA is 8.0(4).Isthere any bug or something or am I missing something here.I amattaching the show tech of ourend of the ASA.the other wedodnt manage. Please help SIRS.................

Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Wed, 04/07/2010 - 09:39
User Badges:
  • Green, 3000 points or more

Hi,


Both ends of the tunnel are ASAs?

Normally one-way audio problems could be related to routing issues.


Are the IP Phones behind the ASA and the Call Manager (or call agent) on the other side of the tunnel?


Federico.

sathyanarayana.b Wed, 04/07/2010 - 23:31
User Badges:

The soft phones are Cisco soft phones and the call manager is on the client side. that is the soft phone first communicates via a ipsec tunnel to the call manager on the client end and downloads info from there. the same issue happens if we call from soft phone to soft phone.the soft phones are on our side and the call manager is on the other side of the tunnel ,all the voice communication happens through a ipsec tunnel. Another thing is that there is a redundant connection via dial up through fortigate firewall. the soft phones are then working fine. the voice call establishes for 40-50 secs and we can talk clearly and hear also so no probs but after 40-50 secs the recieving party is not able to hear anything. Yes you are right the ip phosed are behind the ASA and the call manager is on the other side.

Federico Coto F... Thu, 04/08/2010 - 06:58
User Badges:
  • Green, 3000 points or more

The ASA should allow the RTP streams between the phones through the tunnel.

The tunnel does not get interrupted or data traffic suffers problems? It's only this issue with the voice traffic when this happens?


The one-way audio is always on the same direction?


Federico.

sathyanarayana.b Thu, 04/08/2010 - 09:09
User Badges:

I have posted the show tech in that do u see any

ports that is not opened which should be opened up.

Yes we are not able to hear but the remote side is able to always, and this happens after 40-50 secs sometimes 4-5 mins.

I did some debugging today posting it in a short while...i have posted the network diagram.....fortigate firewall uses RA VPN to connect and the ASA uses site to site vpn to connect. I am also uploading the connection state in the firewall before and after the voice gets one way.Uploading real time logs from the firewall at the time we tested.

Please suggest.

Federico Coto F... Thu, 04/08/2010 - 12:32
User Badges:
  • Green, 3000 points or more

The problem could be related to the fact that you're using PAT.

Is the call agent behind the ASA (which you attached the sh tech?)


In the diagram that you attached, I see the IP communicators on both sides of the ASA, but where is the call agent?


Federico.

sathyanarayana.b Thu, 04/08/2010 - 22:30
User Badges:

The call manager is on the remote side. We are not using PAT we are using nonat  for  our IPSEC communication. the communicators use the VPN tunnel to communicate with the call manager on the other side.

Actions

This Discussion