Remote site IP phones are not registering even though the L2L VPN tunnel is up
I have an IP telephony setup with CME 9.1 (2921 router) and 4 remote sites connected with site-to-site VPN.
All the remote site phones are connected to the main office Call Manager Express. Each site has only 3 Cisco IP phones. We have a dedicated 1 Mbps link from each remote site to the main office.
Each remote site is set up like this: it has a dedicated ASA (5505, version 9.0), we configured the DHCP server on the ASA, and the phones get their IP from the ASA. We have only one VLAN for data and voice at the remote location because the ASA has a base license.
The main office is set up like this: we have 2 internet lines terminated on a Cyberoam firewall, and from the Cyberoam we are connected to an ASA 5505.
The ASA is connected to Call Manager Express. The Cyberoam engineer opened the ports for VPN (500 and 4500) to our ASA outside IP.
The problem is that, once the tunnel is up, I can ping from the main office to the branch office. If we connect a phone to the ASA's PoE port, the IP phone gets an IP from the ASA and registers to the main office CME (we have given the TFTP server IP in the ASA DHCP server configuration). After the phone registers I can make calls to the main office and outside.
After some time (30 minutes, 1 hour or more) the phones get unregistered and try to connect to the TFTP server. At that time, when I checked the VPN on the ASA, I could see the tunnel is up. But when I checked the IPsec packet details from the main office, the IPsec packets are encaps and decaps and encrypt and decrypt. When I checked in the main office, the tunnel is up and the IPsec packets show only encap and decap; there is no encrypt and decrypt. At the same time I can browse, which means there is no issue with the internet.
Once we restart the ASA, the phones connect to the main branch CME again, and as I mentioned earlier the issue comes back after some time.
I removed all the phones in one remote branch and connected only one PC, and it works fine without any issue. I ran a continuous ping from the remote site PC to the main office PC for 3 days and it worked fine.
Attached is the configuration for the main office and branch office ASAs.
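As an added illustration (not part of the original post or any Cisco tool), a small Python checker that compares two snapshots of one IPsec SA's counters from `show crypto ipsec sa` and reports whether traffic through the tunnel is bidirectional or one-way. The snapshots are constructed to resemble ASA output, and the parser assumes the `#pkts encaps/decaps/encrypt/decrypt` counter lines and the `remote ident` line that command prints.

```python
import re

# Constructed snapshots modelled on the counter lines that `show crypto ipsec sa`
# prints on an ASA; they are not output from the poster's devices.
SNAPSHOT_T0 = """\
   local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
   #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
   #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150
"""
SNAPSHOT_T1 = """\
   local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
   #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
   #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
REMOTE_RE = re.compile(r"remote ident .*?: \(([^)]+)\)")
NEEDED = {"encaps", "decaps", "encrypt", "decrypt"}

def parse_sa(text):
    """Return (remote identity, counters) from one SA block of the command output."""
    remote = REMOTE_RE.search(text)
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    if remote is None or not NEEDED.issubset(counters):
        raise ValueError("incomplete SA block")
    return remote.group(1), counters

def diagnose(before, after):
    """Compare two snapshots of the same SA taken a few minutes apart.

    Verdicts: 'counters-reset' (a counter went backwards, so a new SA was built
    in the interval and the deltas mean nothing); 'bidirectional'; 'one-way-send'
    (we encapsulate but decapsulate nothing, the pattern of a stale SA after the
    peer rekeyed or rebooted); 'one-way-receive' (the peer's traffic arrives but
    ours never enters the tunnel, e.g. a NAT or routing problem here); 'idle'.
    """
    remote_b, b = parse_sa(before)
    remote_a, a = parse_sa(after)
    if remote_a != remote_b:
        raise ValueError("snapshots describe different SAs")
    sent = a["encaps"] - b["encaps"]
    received = a["decaps"] - b["decaps"]
    verdict = ("counters-reset" if sent < 0 or received < 0 else
               "bidirectional" if sent > 0 and received > 0 else
               "one-way-send" if sent > 0 else
               "one-way-receive" if received > 0 else "idle")
    return {"peer": remote_a, "sent": sent, "received": received, "verdict": verdict}
```

The symptom described above (tunnel up, counters advancing on one side only) shows up as `one-way-send` on the side that keeps encapsulating without decapsulating; take the two snapshots a few minutes apart so an idle SA is not mistaken for a broken one.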