05-28-2016 10:58 PM
Hi,
We are facing intermittent issue while establishing external call from IP phone of one branch site to HO office in site-to-site VPN scenario on ASA firewalls. It is observed mostly during start of day operation and in few 3 to 4 instances during the day operation otherwise it is functioning properly throughout the day. We have one more branch site and having same site-to-site VPN instance running with same configuration setting but IP phones are properly connecting to HO office without any issue. The voice gateway and Call manager server are hosted into HO.
The issue is only related to calling to external numbers not for local HO IP phones and its ringing when dialing external call but voice is not coming to end users. As far as site-to-site VPN, IPSec tunnels are properly established and all verification for ISAKMP & IPsec phases are working fine and packets encap and dcap properly through tunnels. Same time all data traffic is working fine across sites.
is there any concern on IPSec VPN to troubleshoot for IP phone issue?
Thanks ,
Subodh
05-29-2016 12:45 AM
Hi Subodh,
It could mostly be an inspection issue.
Could you share the output of show run policy-map on both the
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-29-2016 11:22 PM
Hi Aditya,
Thanks for reply !!
Please find below output for inspection policy for HO office, IP phone - working branch and IP phone - not working branch,
Inspection Policy :
HO office:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
IP phone - Not working Branch site:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect sip
!
IP phone - working Branch site:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
I have observed only SIP protocol inspection configured at branch (where IP phone is not working) and other two sites are not configured for SIP inspection. But as I confirmed from voice engineer that they are not using SIP phones.
Thanks & Regards,
Subodh Sawant
05-30-2016 12:48 AM
Hi Subodh,
Please share the
I need to understand the protocol on which it is working.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-30-2016 02:59 AM
Hi Aditya,
Right now, I don't have now access to ASA to capture syslog but we have done some wireshark captures on IP phones (from not working - branch site) is showing connecting on RTP protocol for more details please find attached wireshark packet capture taken from IP phones.
In this output,
IP Phone - 10.3.200.19 (at not working - Branch site)
Voice Gateway - 10.1.1.170 (at HO office)
Thanks & Regards,
Subodh Sawant
05-30-2016 04:02 AM
Hi,
I may need
Let me know when you get it.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-30-2016 04:15 AM
Hi Aditya,
I will try to get from customer but meanwhile any findings or observations in attached RTP stream packet capture. From that its confirmed that RTP protocol is used for communication.
With this thread I just wanted to check concern from IPSec VPN part for traversing IP phone traffic as its working fine for sometime and few occasions only causing problem.
I will update you on syslog part and thanks for your support.
Thanks & Regards,
Subodh Sawant
06-03-2016 10:40 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide