Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Delayed Call set up using Jabber over Checkpoint via VPN.

I have been tasked with setting up Jabber for our clients so they are able to make and recieve calls when connected to our network via VPN using a Checkpoint firewall. I have turned SIP inspection off on the firewall as it was dropping packets due to "illegal sip redirection" and the call will now connect however not how I would expect it too.

This is what happens..

1 ) Call is made from Jabber client connected via VPN to Cisco phone.

2 ) Cisco phone rings but Jabber user doesnt hear calling tone for a couple of seconds.

3 ) Cisco phone answers but hears nothing on over end.

4 ) Jabber user continues to hear calling tone for 2-3 seconds then call connects

5 ) Two way audio, call connected.

This is an example of the messaging, which also does not look correct to me...

Timestamp                 Node / Interface   Device IP       Direction   Protocol   Message Name               Call Ref / ID                                      

11/01/2013 14:11:57.691   10.100.1.73       10.190.50.110   In          SIP        INVITE            9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:11:57.692   10.100.1.73       10.190.50.110   Out         SIP        100 Trying     9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:11:57.698   10.100.1.73       10.190.50.110   Out         SIP        180 Ringing    9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:02.500   10.100.1.73       10.190.50.110   In          SIP        REFER          9cb70d8b-36800028-00003d87-00003127@10.190.50.110  

11/01/2013 14:12:02.500   10.100.1.73       10.190.50.110   Out         SIP       202 Accep   9cb70d8b-36800028-00003d87-00003127@10.190.50.110  

11/01/2013 14:12:03.014   10.100.1.73       10.190.50.110   In          SIP        REFER          9cb70d8b-36800028-00003d87-00003127@10.190.50.110  

11/01/2013 14:12:03.015   10.100.1.73       10.190.50.110   Out         SIP        202 Accep   9cb70d8b-36800028-00003d87-00003127@10.190.50.110  

11/01/2013 14:12:03.522   10.100.1.73       10.190.50.110   In          SIP        REFER          9cb70d8b-36800028-00003d87-00003127@10.190.50.110  

11/01/2013 14:12:03.523   10.100.1.73       10.190.50.110   Out         SIP        202 Accep   9cb70d8b-36800028-00003d87-00003127@10.190.50.110  

11/01/2013 14:12:10.497   10.100.1.73       10.190.50.110   Out         SIP        200 OK         9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:10.998   10.100.1.73       10.190.50.110   Out         SIP        200 OK         9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:12.006   10.100.1.73       10.190.50.110   Out         SIP        200 OK         9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:14.022   10.100.1.73       10.190.50.110   Out         SIP        200 OK         9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:16.946   10.100.1.73       10.190.50.110   In          SIP        ACK            9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:21.370   10.100.1.73       10.190.50.110   In          SIP        NOTIFY         00005d44-0000055f@10.190.50.110                    

11/01/2013 14:12:21.371   10.100.1.73       10.190.50.110   Out         SIP        200 OK         00005d44-0000055f@10.190.50.110                    

11/01/2013 14:12:21.551   10.100.1.73       10.190.50.110   In          SIP        BYE            9cb70d8b-36800065-0000602c-000065be@10.190.50.110  

11/01/2013 14:12:21.555   10.100.1.73       10.190.50.110   Out         SIP        200 OK         9cb70d8b-36800065-0000602c-000065be@10.190.50.110

Please let me know if there is any other traces which may be useful.

7 REPLIES
New Member

Delayed Call set up using Jabber over Checkpoint via VPN.

We are still having this issue. Any input would be appreciated.

Delayed Call set up using Jabber over Checkpoint via VPN.

Sounds like your firewall is still actively part of the signalling path.

the debug that you have added in your initial post, is that between fw and VPN client?  and where do these 10.100.1.73       10.190.50.110 live?

can you attach a trace of a call attempt on CUCM, using RTMT (Call manager>Call Process>SIP activity, make sure you have detailed tracing enabled).

=============================
Please remember to rate useful posts, by clicking on the stars below.

=============================

Please remember to rate useful posts, by clicking on the stars below.

New Member

Delayed Call set up using Jabber over Checkpoint via VPN.

Thanks for response, 10.100.1.73 is a CM Subscriber and 10.190.50.110 is the VPN client which jabber is being used from. 10.100.1.79 is the CUPS. It is a cut down trace from CM.

I will attatch traces now... (IP addressing is obviously changed)

Delayed Call set up using Jabber over Checkpoint via VPN.

Thanks for that.  looking at the SIP traces, I dont see the FW in the path.

there is an INVITE coming from your CSF device-, followed by TRYING, and then RINGING (sent by CUCM to Jabber), which is then followed by a REFER sent from Jabber to CUCM (6 sconds after the initial invite).  normally there should be an ACK to signal the call is being established.

what is interesting is the error message that preceeds the REFER:

14:12:02.397 |MmmanService - ERROR  Too many calls to decrementTotalNumberOfRegisteredCallingEntities, Already at zero.|*^*^*

14:12:02.409 |MmmanService - ERROR  Too many calls to decrementTotalNumberOfRegisteredCallingEntities, Already at zero.|*^*^*<--------------

this would could explain the REFER. but even so that would be the technical symptomisation of what you already pointed out.

Just to be 100% sure, does this work when Jabber is within the network and NOT on the VPN? 



=============================
Please remember to rate useful posts, by clicking on the stars below. 

=============================

Please remember to rate useful posts, by clicking on the stars below.

New Member

Re: Delayed Call set up using Jabber over Checkpoint via VPN.

Im not sure the MmmanService errors are relevent to the actual call.

The main thing that bugs me is the four 200OK w/ SDP messages sent from CM to the jabber client after the call is answered by the cisco phone. In my opinion this is what's delaying the two way audio establishement.

I am sure its something obvious but Im unable to see what the 200OK messages are in responce to...

Delayed Call set up using Jabber over Checkpoint via VPN.

Josh,

does this particular client work in a non-VPN scenario?

=============================
Please remember to rate useful posts, by clicking on the stars below.

=============================

Please remember to rate useful posts, by clicking on the stars below.

New Member

Delayed Call set up using Jabber over Checkpoint via VPN.

Yes it works fine when on the LAN. But that also then discounts the firewall which isnt used in that circumstance. I'll have another look and try to see what those 200 messages are in responce too.

1375
Views
2
Helpful
7
Replies
CreatePlease login to create content