Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IP Phones resetting if CME is behind a Firewall

I have a CME in my central site connected directly to a Checkpoint firewall with internet connection. I have a remote site with IP Phones trying to register to the CME using a L2L VPN between sites.

I had a watchguard firewall before and I was having the same problems, the IP Phones register and then they reset several times a day. I don't know if theres a parameter or timeout that needs to be changed in order for the phones to wrk correctly.

Anybody with the same problem?

Jose.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IP Phones resetting if CME is behind a Firewall

Joser,

Phones unregistere if either SCCP or TCP keepalive timeout for IP Phone. Obviously, eeither packets are being lost/blocked/delayed when firewall is in picture. For a permanent you might want to work on Firewall and capture packet capture from Phone, Firewall and CME.

Any time the phone sends a TCP packet to the CME and does not receive a TCP Ack,  The phone will retransmit the packet at decreasing intervals until the session is timed out (phone sends TCP RST) and at that point the phone will unregister.

The SCCP keepalives are sent at regular intervals, based on a value  presented to the phone during registration (30 seconds by default). If the phone gets a TCP ack for the keepalive, but no SCCP keepaliveAck from the CME then you can get into the situation where the phone unregisters due to keepalive timeout (after 2 or 3 such missed keepaliveAcks).

So a phone can unregister because of either TCP timeout or SCCP timeout. You can not control TCP timers but can change SCCP timeout.

Under telephony-service increase SCCP timeout from a default of 30 seconds to something more.

!

telephony-service

keepalive 60

!

Check

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_k1ht.html#wp1013971

If the phone is getting unregistered due to TCP timeout, then you need to fix the issue with firewall first. Above will only increase SCCP keepalive timer.

HTH

6 REPLIES
New Member

Re: IP Phones resetting if CME is behind a Firewall

I forgot to add when I remove the firewalls, everything works flawlessly. Also the same problem  ocurr using private leased lines.

Best,

Jose.

New Member

Re: IP Phones resetting if CME is behind a Firewall

are you allowing port 2000 on our firewall?

Cisco Employee

Re: IP Phones resetting if CME is behind a Firewall

Joser,

Phones unregistere if either SCCP or TCP keepalive timeout for IP Phone. Obviously, eeither packets are being lost/blocked/delayed when firewall is in picture. For a permanent you might want to work on Firewall and capture packet capture from Phone, Firewall and CME.

Any time the phone sends a TCP packet to the CME and does not receive a TCP Ack,  The phone will retransmit the packet at decreasing intervals until the session is timed out (phone sends TCP RST) and at that point the phone will unregister.

The SCCP keepalives are sent at regular intervals, based on a value  presented to the phone during registration (30 seconds by default). If the phone gets a TCP ack for the keepalive, but no SCCP keepaliveAck from the CME then you can get into the situation where the phone unregisters due to keepalive timeout (after 2 or 3 such missed keepaliveAcks).

So a phone can unregister because of either TCP timeout or SCCP timeout. You can not control TCP timers but can change SCCP timeout.

Under telephony-service increase SCCP timeout from a default of 30 seconds to something more.

!

telephony-service

keepalive 60

!

Check

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_k1ht.html#wp1013971

If the phone is getting unregistered due to TCP timeout, then you need to fix the issue with firewall first. Above will only increase SCCP keepalive timer.

HTH

New Member

Re: IP Phones resetting if CME is behind a Firewall

Awesome,  thank  you very mucho for your help.

Best regards,

Jose

Hall of Fame Super Gold

Re: IP Phones resetting if CME is behind a Firewall

I think you will find that changing SCCP timouts will not have any effect, however let us know if it does.

,

New Member

Re: IP Phones resetting if CME is behind a Firewall

Hi All,

Im also facing the same kind of issue and having the same topology. I have increased the keepalive upto 60 but the phones are still resetting in the middle of the conversation between 2 - 3 mins.

The phone is not resetting if there is no call. IF i try to call HQ ext around 2nd or 3rd min the phone is displaying CM down and the phone is start to reset. Can any one help me on this.

2025
Views
0
Helpful
6
Replies