Cisco Support Community
Community Member

Distributed CME over IPSEC

Hello,

I'm working on a deployment to interconnect 2 offices each with its own CME/CUE.

I got each cluster working individually pretty well. I'm baffled by the problems encountered when I configured the IPSEC tunnel to carry the interoffice traffic.

Based on the attached diagram, each individual CME/CUE cluster works perfectly.

Standard IPSEC tunnel between CME router and ASA is formed. Interesting traffic is 10.4.0.0 and 10.1.0.0 respectively.

> Ping from LAN 10.1.14.0 is successful to 10.4.14.0 and 10.4.12.0 hosts.

> Ping from LAN 10.4.14.0 is successful to 10.1.14.0 and 10.1.12.0 hosts.

> Ping from CME(left side) to 10.4.14.0 or 10.4.12.0 UNSUCCESSFUL. It is successful with extended ping by specifying source address of 10.1.14.1

> extension 51xx (10.1.12.0 phones) can be dialled by extension 55xx (10.4.12.0 phones)

However, no voice is heard between the phones when picked up, and calls cannot be routed to the voicemail box.

> extension 55xx (10.4.12.0 phones) cannot even be dialled by extension 51xx (10.1.12.0 phones)

I wonder if it's because the CME (left side) is using the 66.X.X.X address as the source address and it is not considered interesting traffic... I'll have to do some debug / packet capture to check again...

Please share any insights on multi-site CME deployment over VPN, and idea on what I'm doing wrong...

Many thanks in advance,

-Dave

3 REPLIES
Community Member

Re: Distributed CME over IPSEC

Sorry, everyone. Just realized that I posted this under "video"... (Thought I read "voice over IP".)

Moderator - If it can be moved, please move to "IP Telephony"

Thanks,

-Dave

Hall of Fame Super Gold

Re: Distributed CME over IPSEC

No they don't move threads here :)

[EDIT yes they do :) ]

Anyway, doesn't matter. Well, as I am here telling you the above, going to your question, I think you have to diagnose first if you are really passing everything on the VPN. The PIXes are the ones that must be looked into. There are multiple access lists that you have to set to make a really any-to-any VPN. Remember that with PIX, packets cannot re-enter the VPN from inside, so it must be full mesh. Check if there is anything against UDP in the ACL.

So in the end the thread could belong more to "security" :)

Community Member

Re: Distributed CME over IPSEC

One hurdle is passed. With h323-gateway voip bind src address and h323-gateway voip inter on the inside CME router interface, calls are made and voice is heard across.

Now need to get the VM and XFER working...

Thanks

-Dave
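The thread's diagnosis (router-originated packets take the outside address as source and so miss the crypto ACL, until H.323 is bound to the inside address) can be checked offline. This is an added example, not part of the original posts: the /16 wildcard masks, the placeholder `203.0.113.1` standing in for the masked 66.X.X.X address, and the remote host addresses are assumptions.

```python
import ipaddress

# Constructed crypto ACL for the left-side CME router (masks assumed /16).
CRYPTO_ACL = """
permit ip 10.1.0.0 0.0.255.255 10.4.0.0 0.0.255.255
"""

def _matcher(addr, wildcard):
    """Build a test for an IOS address/wildcard pair (wildcard bit 1 = don't care)."""
    base = int(ipaddress.IPv4Address(addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return lambda ip: (int(ipaddress.IPv4Address(ip)) ^ base) & care == 0

def parse_crypto_acl(text):
    """Parse 'permit|deny ip <src> <wildcard> <dst> <wildcard>' lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, _, src, src_wc, dst, dst_wc = parts
        entries.append((action, _matcher(src, src_wc), _matcher(dst, dst_wc)))
    return entries

def enters_tunnel(acl, src, dst):
    """First matching entry decides; no match means the packet is not encrypted."""
    for action, src_ok, dst_ok in acl:
        if src_ok(src) and dst_ok(dst):
            return action == "permit"
    return False

OUTSIDE = "203.0.113.1"  # placeholder for the router's masked 66.X.X.X address
FLOWS = {  # constructed flows mirroring the symptoms listed in the first post
    "LAN host ping":              ("10.1.14.20", "10.4.14.20"),
    "router ping, default src":   (OUTSIDE,      "10.4.14.20"),
    "router ping, src 10.1.14.1": ("10.1.14.1",  "10.4.14.20"),
    "H.323 from router, unbound": (OUTSIDE,      "10.4.14.1"),
    "H.323 bound to inside addr": ("10.1.14.1",  "10.4.14.1"),
}

def report(acl_text=CRYPTO_ACL, flows=FLOWS):
    """Return {flow name: True if the flow matches the crypto ACL}."""
    acl = parse_crypto_acl(acl_text)
    return {name: enters_tunnel(acl, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:30} {'encrypted' if ok else 'NOT interesting traffic'}")
```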
