
Weird Problem in IPSEC VPN

We are trying to run Cisco IP phones via a site-to-site IPsec VPN tunnel. The problem is the phones work fine for the first 40-50 secs and then suddenly the speech path is one-way: one party can hear but the other cannot. The code train for the ASA is 8.0(4). Is there any bug or something, or am I missing something here? I am attaching the show tech of our end of the ASA. The other we don't manage. Please help, sirs.

7 Replies

Hi,

Both ends of the tunnel are ASAs?

Normally one-way audio problems could be related to routing issues.

Are the IP Phones behind the ASA and the Call Manager (or call agent) on the other side of the tunnel?

Federico.

The soft phones are Cisco soft phones and the call manager is on the client side. That is, the soft phone first communicates via an IPsec tunnel to the call manager on the client end and downloads info from there. The same issue happens if we call from soft phone to soft phone. The soft phones are on our side and the call manager is on the other side of the tunnel; all the voice communication happens through an IPsec tunnel. Another thing is that there is a redundant connection via dial-up through a FortiGate firewall. The soft phones are then working fine. The voice call establishes for 40-50 secs and we can talk clearly and hear also, so no problems, but after 40-50 secs the receiving party is not able to hear anything. Yes, you are right, the IP phones are behind the ASA and the call manager is on the other side.

The ASA should allow the RTP streams between the phones through the tunnel.

The tunnel does not get interrupted or data traffic suffers problems? It's only this issue with the voice traffic when this happens?

Is the one-way audio always in the same direction?

Federico.

I have posted the show tech. In that, do you see any ports that are not opened which should be opened up?

Yes, we are not able to hear but the remote side always is, and this happens after 40-50 secs, sometimes 4-5 mins.

I did some debugging today and will post it in a short while. I have posted the network diagram. The FortiGate firewall uses RA VPN to connect and the ASA uses site-to-site VPN to connect. I am also uploading the connection state in the firewall before and after the voice gets one-way, and real-time logs from the firewall at the time we tested.

Please suggest.

The problem could be related to the fact that you're using PAT.

Is the call agent behind the ASA (for which you attached the sh tech)?

In the diagram that you attached, I see the IP communicators on both sides of the ASA, but where is the call agent?

Federico.

The call manager is on the remote side. We are not using PAT; we are using nonat for our IPsec communication. The communicators use the VPN tunnel to communicate with the call manager on the other side.

ajlalhaider
Level 1

Hi,

Please try the following steps:

http://www.ciscosystems.com/en/US/products/sw/voicesw/ps1860/products_tech_note09186a0080094ed1.shtml

I know this is for a Cisco IP softphone, but your problem is addressed in this solution and I hope you can work your way with the physical phone once you read this.

Best of Luck!

AJ
