Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

ASA IPSEC VPN Drops/Resets Cisco Phones

We have a pair of ASA5520's and are running IPSEC L2L VPN tunnels to 851 routers that have Cisco 7940/7960 phones connected to them. Frequently the phones will lose registration with the CM's or reboot. Currently the fixup skinny protocol inspection is enabled for port 2000 on the ASA's.

7 REPLIES
New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Still no feedback on this...anyone?

New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Hi

I am not sure about how the phones talks to the Server, but as of my knowledge, IPSEC tunnel may have problem with mutlicast protocols, why dont you try enabling GRE tunnel over IPSEC?

it may helps

Regards

Reddy

New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Any luck fixing this? I'm having a similar issue.

New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Yes, I opened a TAC case about this last year, and the Engr and I found via packet captures that there was a bug that caused the skinny packet inspection to send packets out of order. Cisco implemented a bug fix in newer code. We have since upgraded to 7.2.3 and that solved our problem.

What version of code on you running?

Help this helps for you.

New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Interesting...so even with routing the traffic via the VPN the skinny packet inspection was an issue? I'm running 7.2.2 on the remote ASA and 12.4.11XJ on my CME router, so you might have hit the nail on the head.

I also realized last night that my IPSEC lifetime values were mismatched (defaults differ between ASA and router) and that one end was forcing a rekey every 60 min, so I adjusted them to match.

We'll see how it runs and use your fix as the next runner up. Big thanks for the reply.

New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Yes we had specific problems with VPN skinny traffic that terminated on the ASA hub firewall. I believe the fix for the skinny inspection bug was fixed after 7.2.2(8), but that was months ago. Also, your timer mismatches can be an issue as your tunnels may drop during rekeying, causing the phone to drop rtp streams and re-register.

I found with our problem that I was able to repeat the problem by having the remote phone setup a conference call. The moment the second call arrived to the phone, it reset and was a repeatable problem.

I hope this helps...

-Scott

New Member

Re: ASA IPSEC VPN Drops/Resets Cisco Phones

Good test!

Thanks again!!

222
Views
8
Helpful
7
Replies
CreatePlease to create content