I have a huge problem. In remote office we have 20 phones (7940). The VPN is between remote office and us.
I can see that some of the phones makes a lot of traffic, but no one is calling and no one is there with PC connected to the phone.
When I look at the previuse months the traffic did not existed.
What can be a problem?
hello I think, that your problem is QoS
this Link can help you
I don not think so. Because the traffic is made by IP Phone. RTP stream goes only in one direction - from phone to the through the VPN to our main Voice gateway. I did not mentioned that no one is using the phones and no device is attached to the phone.
QoE is built on the remote site, at main we have PIX and PIX do not support QoS.
Have you made sure that you have no viruses in your network? The recent viruses apparently can cause high volumes of traffic and only appeared last month?
The problem is, that traffic is RTP stream from phone to the main office gateway and goes from phone to the gateway, but from the gateway there is no RTP stream. I have say that at the time no one is sitting behind the phone (phone is idle), no conversation is made by phone, but stil there is a lot off traffic.
When I reset the phone the traffic will fall, but in some tme it will rise again.
Sounds very strange.
I would like to see the output from a sniffer trace attatched to the phone and see exactly what is happening.
Is it a large quantity or a large frequency of traffic?
Have you considered that this is keepalive traffic from the phones? they will communicate keepalives every 30 seconds with their primary call manager and 60 seconds with their secondary/other call managers -by default.
You can verify the amount of traffic via trace on the call manager.
Show us some sniffer trace output from the phones that are supposed to be be sending phantom udp traffic.
do some debugs on the GW start with debug ccapi in out and evaluate the output.
Also have detailed trace turned on in CM and search for the ext 3... to see whats happening.
If they are voice calls you will see them in the cdr on CM.
Even though the user isnt on a call if the user hits the information button on phone what does he see during the phantom traffic period ?
Phones arent going to send udp traffic without a call being setup through CCM. keepalives are sent using SCCP on TCP port 2000 TFTP uses UDP.
Get a dump of the output this way you know exactly whats happening and can open a TAC case if you cant resolve it.
All the best.
I have a network monitor capture. The traffic is captured on Cisco Router 1760. I can e-mail you trace, but it is 4 MB large file.
In the trace I can see only RTP stream from certain phones to main office router.
The funny think is that when I reset the phones the traffic stops for 2 to 3 hours, but after that traffic begins to rise.
What can I do?
I have sent you Network monitor capture files from Callmanager, because this traffic started to show between CM and 2621 router (RTP stream).