Cisco Support Community

EX90 connected over VPN tunnel to CUCM ?


Looking for input on using an EX90 at a home office. They want to use a hardware VPN and connect the EX90 to a Cisco 881 router. The EX90 will be registered with CUCM 8.6.

Presently this is set up, and the EX90 is registered with the CUCM. I have two current issues:

1) When the home office EX90 calls an EX90 in the campus, they never get ringback and the call fails to connect. We've looked at all the firewalls and ACLs and I've been assured they are configured to allow traffic from and to the subnets for the CUCM, and the endpoints.

2) The EX90 then unregisters and will not attempt to re-register with CUCM.

CUCM traces show the following for the unregister event.

Device unregisters

17:30:37.673 |EndPointUnregistered - An endpoint has unregistered Device name:SEP00506006F5B9 Device IP address: Protocol:SIP Device type:584 Device description:Robert-EX90 Reason Code:13 IPAddressAttributes:0 LastSignalReceived:SIPStationDPrimaryLineTimeout CallState:17075772195-call_received7 App ID:Cisco CallManager Cluster ID:Agilent-TP-CUCM Node ID:scstpcucm02|AlarmSEP00506006F5B9^*^SEP00506006F5B9

Any thoughts on why the device would not continue to resend registration requests once it has unregistered?




EX90 connected over VPN tunnel to CUCM ?

A packet capture for the EX90 call attempt and subsequent unregistering from CUCM would be enlightening here. I suggest running it from CUCM using the utils network capture command. This will show you what is happening to the SIP packets after they have crossed the network. You may also need to run one from the EX90 side to see what happens to the replies from CUCM after they have crossed the network.

My first guess would be protocol inspection on an ASA/ZBFW which is looking at the SIP dialog and messing with the headers. For example, if the ASA is doing NAT on the egress interface of the VPN traffic it's possible that it's modifying the IP address in the headers to an external IP instead of leaving the pre-NAT (tunneled) IP in place.

Without PCAP files it's hard to do more than guess here.

Please remember to rate helpful responses and identify helpful or correct answers.
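
One way to test the header-rewriting guess once captures from both sides are in hand, as an added example that is not part of the original reply: this Python sketch compares the address-bearing lines (Via, Contact, SDP o=/c=) of the same SIP request as sent by the endpoint and as seen at CUCM, and reports any that changed in transit. The sample messages, extensions and all IP addresses in them are constructed.

```python
import re

# Lines that carry the sender's own address in a SIP request and its SDP body.
# Compact header forms (v:, m:) are not handled in this sketch.
ADDR_LINE = re.compile(r"^(Via|Contact|o=|c=)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def address_fields(sip_text):
    """Map each address-bearing line (field name + occurrence) to its IPv4s."""
    fields, seen = {}, {}
    for line in sip_text.replace("\r\n", "\n").split("\n"):
        m = ADDR_LINE.match(line)
        if m:
            name = m.group(1).lower()
            seen[name] = seen.get(name, 0) + 1
            fields[f"{name}#{seen[name]}"] = IPV4.findall(line)
    return fields

def rewritten_fields(sent, received):
    """Return {field: (sent_ips, received_ips)} for fields changed in transit."""
    a, b = address_fields(sent), address_fields(received)
    return {k: (a[k], b.get(k)) for k in a if a[k] != b.get(k)}

# Constructed INVITE as it leaves the endpoint (tunneled address 10.10.50.20).
SENT = "\r\n".join([
    "INVITE sip:2001@10.20.1.5 SIP/2.0",
    "Via: SIP/2.0/TCP 10.10.50.20:5060;branch=z9hG4bK-constructed",
    "Call-ID: constructed-1@10.10.50.20",
    "CSeq: 1 INVITE",
    "Contact: <sip:1001@10.10.50.20:5060;transport=tcp>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 10.10.50.20",
    "c=IN IP4 10.10.50.20",
    "m=audio 2326 RTP/AVP 0",
])
# Constructed copy as seen at the call manager after an inspecting device
# rewrote Contact and the SDP connection line to an external address.
RECEIVED = (SENT
    .replace("Contact: <sip:1001@10.10.50.20", "Contact: <sip:1001@203.0.113.10")
    .replace("c=IN IP4 10.10.50.20", "c=IN IP4 203.0.113.10"))

if __name__ == "__main__":
    for field, (before, after) in rewritten_fields(SENT, RECEIVED).items():
        print(f"{field}: {before} -> {after}")
```

An empty result means the address fields crossed the path untouched; any entry names the field to check against the inspection and NAT configuration on that path.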
