Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
440
Views
0
Helpful
7
Replies

Cisco IP phone call connection problem in Site-to-Site VPN

subodh1537
Level 1
Level 1

‎05-28-2016 10:58 PM

Hi,

We are facing intermittent issue while establishing external call from IP phone of one branch site to HO office in site-to-site VPN scenario on ASA firewalls. It is observed mostly during start of day operation and in few 3 to 4 instances  during the day operation otherwise it is functioning properly  throughout the day. We have one more branch site and having same site-to-site VPN instance running with same configuration setting but IP phones are properly connecting to HO office without any issue. The voice gateway and Call manager server are hosted into HO.

The issue is only related to calling to external numbers not for local HO IP phones and its ringing when dialing external call but voice is not coming to end users. As far as site-to-site VPN, IPSec tunnels are properly established and all verification for ISAKMP & IPsec phases are working fine and packets encap and dcap properly through tunnels. Same time all data traffic is working fine across sites.

is there any concern on IPSec VPN to troubleshoot for IP phone issue?

Thanks ,

Subodh

Labels:
0 Helpful
7 Replies 7

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-29-2016 12:45 AM

Hi Subodh,

It could mostly be an inspection issue.

Could you share the output of show run policy-map on both the devcies ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

subodh1537
Level 1
Level 1
In response to Aditya Ganjoo

‎05-29-2016 11:22 PM

Hi Aditya,

Thanks for reply !!

Please find below output for inspection policy for HO office, IP phone - working branch and IP phone - not working branch,

Inspection Policy :

HO office:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect pptp


IP phone - Not working Branch site:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect sip  
!

IP phone - working Branch site:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp 

I have observed only SIP protocol inspection configured at branch (where IP phone is not working) and other two sites are not configured for SIP inspection. But as I confirmed from voice engineer that they are not using SIP phones.

Thanks & Regards,

Subodh Sawant

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to subodh1537

‎05-30-2016 12:48 AM

Hi Subodh,

Please share the syslogs on the ASA for the concerned traffic.

I need to understand the protocol on which it is working.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

subodh1537
Level 1
Level 1
In response to Aditya Ganjoo

‎05-30-2016 02:59 AM

Hi Aditya,

Right now, I don't have now access to ASA to capture syslog but we have done some wireshark captures on IP phones (from not working - branch site) is showing connecting on RTP protocol for more details please find attached wireshark packet capture taken from IP phones.

In this output,

IP Phone - 10.3.200.19 (at not working - Branch site)

Voice Gateway - 10.1.1.170 (at HO office)

Thanks & Regards,

Subodh Sawant

Preview file
22 KB
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to subodh1537

‎05-30-2016 04:02 AM

Hi,

I may need syslogs.

Let me know when you get it.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

subodh1537
Level 1
Level 1
In response to Aditya Ganjoo

‎05-30-2016 04:15 AM

Hi Aditya,

I will try to get from customer but meanwhile any findings or observations in attached RTP stream packet capture. From that its confirmed that RTP protocol is used for communication.

With this thread I just wanted to check concern from IPSec VPN part for traversing IP phone traffic as its working fine for sometime and few occasions only causing problem.

I will update you on syslog part and thanks for your support.

Thanks & Regards,

Subodh Sawant

0 Helpful

subodh1537
Level 1
Level 1
In response to subodh1537

‎06-03-2016 10:40 PM

Hi Aditya,

Please find attached syslog capture for IP phone communication, in which find below IP details ,

IP phone : 10.3.120.190

Voice Gateway: 10.1.1.170

Thanks & Regards,

Subodh Sawant

Preview file
36 KB
0 Helpful
Customers Also Viewed These Support Documents