ASA 5505 Allworx VOIP No Audio

Answered Question
Aug 2nd, 2010
User Badges:

I am running into the following issue. I have a currently workin ASA5505, clients can get VPN and do what they need to do. We recently added an Allworx VoIP system that uses SIP.

The ports that are required are:

SIP TCP 5050

SIP UDP 5060

BLF UDP 2088

RTP UDP 15000-15511

Mgmt TCP 8080


We are having our clients get VPN into the network before they can use the softphone application (Xlite) on the network. When our clients get VPN, they can place a call, but are unable to hear audio in either direction.



I am attaching our configuration from the ASA.


Thanks

Correct Answer by Nagaraja Thanthry about 6 years 12 months ago

Hello,


Seems like you have configured your VoIP server to be NAT aware i.e. the server knows the public IP address it will be using when going to internet. So, it modifies the message headers accordingly when trying to reach subnets out of its own IP.You can see it from the capture:




Can you turn-off the NAT aware feature (typically it will be a field where you need to specify the public IP on the server) and see if that helps.


Regards,


NT

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Rahul Govindan Mon, 08/02/2010 - 05:34
User Badges:
  • Silver, 250 points or more

Is the voice call between two softphones installed on clients connecting via vpn or between softphone and any external number?

dagraham Mon, 08/02/2010 - 05:40
User Badges:

The calls are from the Softphone to internal extensions and to external phone numbers. The internal extensions will ring, but neither party can hear exch other.

Rahul Govindan Mon, 08/02/2010 - 05:54
User Badges:
  • Silver, 250 points or more

hmmm..so if i am not wrong in the voice concept, its basically the rtp stream thats failing . Since the call is setting up right, you are able to reach the call manager and register fine. for audio, it is direct traffic(rtp stream) between the phones. So you would have to check if that connectivity is there for that to flow without disruption. The vpn clients are doing a full tunnel so all traffic is tunneled back to the ASA. Now the ASA has to know how to send that rtp traffic directly to the other phone. I am not sure exactly how the voice protocols work but I guess this is a start.

Nagaraja Thanthry Mon, 08/02/2010 - 07:29
User Badges:
  • Cisco Employee,

Hello,


Are you able to make and receive calls from your internal LAN hosts? If that is working, then the firewall is doing the inspections properly. We need to see if the traffic is actually traversing through the VPN tunnel. Can you configure a capture on the firewall to see if we are getting any traffic to/from the VPN clients?


access-list capture permit ip 192.168.30.0 255.255.255.0 host 192.168.1.200

access-list capture permit ip host 192.168.1.200 192.168.30.0 255.255.255.0


capture capin access-list capture interface inside


capture capvpn type webvpn user


This will help us understand if the traffic is actually traversing through the VPN tunnel and help us narrowdown the root cause.


Hope this helps.


Regards,


NT

dagraham Mon, 08/02/2010 - 07:45
User Badges:

I am uploading a capture from the VPN Network 192.168.30.240/29 to the PBX host 192.168.1.200. It appears all that is being captured is the SIP protocol.

Attachment: 
Rahul Govindan Mon, 08/02/2010 - 07:57
User Badges:
  • Silver, 250 points or more

Another suggestion would be to run capture on the client itself when you try to make a call to see where its failing.

dagraham Mon, 08/02/2010 - 08:11
User Badges:

I am attaching a capture of the client side. I made a test call and all I am seeing are the SIP signalling messages. No RTP.

Correct Answer
Nagaraja Thanthry Mon, 08/02/2010 - 08:33
User Badges:
  • Cisco Employee,

Hello,


Seems like you have configured your VoIP server to be NAT aware i.e. the server knows the public IP address it will be using when going to internet. So, it modifies the message headers accordingly when trying to reach subnets out of its own IP.You can see it from the capture:




Can you turn-off the NAT aware feature (typically it will be a field where you need to specify the public IP on the server) and see if that helps.


Regards,


NT

dagraham Mon, 08/02/2010 - 09:48
User Badges:

Naqaraja,


Thanks for the direction. I was thinking that the ASA was making that change to the SIP. I have contacted our vendor and he removed the public ip address from the Allworxs server. It is working now.

Actions

This Discussion