
Two remote AnyConnect clients cannot get two way voice via softphones?

We have a situation where two remote SSL VPN users cannot establish a voice call via softphones or cookie Lync. They can both talk but cannot hear the other. Each user can call externally or to the office LAN without issues.

I'm running ASA version 9.1(5) and AnyConnect v.3.1.05170. Pretty basic config (sanitized) - any help would be appreciated!

# sh run
: Saved
:
ASA Version 9.1(5)
!
hostname device
domain-name something.com
enable password  encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
ip local pool general-pool 10.x.x.x-10.x.x.y
ip local pool it-ops-pool 10.y.y.y - 10.y.y.z 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet0/1
 description Inside interface
 nameif inside
 security-level 100
 ip address y.y.y.y y.y.y.y
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
banner login ***********************************************************************
banner login !! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGIN UNDER PENALTY OF LAW !!
banner login This is a private computer network and maybe used only by direct
banner login permission of its owner(s). The owner(s) reserves the right to
banner login monitor use of this network to ensure network security and to respond
banner login to specific allegations of misuse. Use of this network shall
banner login constitute consent to monitoring for these or any other purposes.
banner login In addition, the owner(s) reserves the right to consent to a valid
banner login law enforcement request to search the network for evidence of a crime
banner login stored within the network.
banner login ***********************************************************************
banner asdm ***********************************************************************
banner asdm !! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGIN UNDER PENALTY OF LAW !!
banner asdm This is a private computer network and maybe used only by direct
banner asdm permission of its owner(s). The owner(s) reserves the right to
banner asdm monitor use of this network to ensure network security and to respond
banner asdm to specific allegations of misuse. Use of this network shall
banner asdm constitute consent to monitoring for these or any other purposes.
banner asdm In addition, the owner(s) reserves the right to consent to a valid
banner asdm law enforcement request to search the network for evidence of a crime
banner asdm stored within the network.
banner asdm ***********************************************************************
boot system disk0:/asa915-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.0
 name-server 192.168.0.0
 domain-name something.com
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging buffered notifications
logging trap notifications
logging history errors
logging asdm notifications
logging device-id hostname
logging host inside 10.0.0.0
logging host inside 10.0.0.0
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit any inside
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 y.y.y.y 1
route inside 192.168.0.0 255.255.0.0 y.y.y.y 1
route inside 0.0.0.0 0.0.0.0 y.y.y.y tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map test_VPN
  map-name  memberOf Group-Policy
  map-value memberOf "CN=test VPN,OU=VPN Groups,OU=Groups,OU=company,DC=,DC=,DC=com" "test VPN"
dynamic-access-policy-record DfltAccessPolicy
aaa-server test-deviceauth protocol ldap
 max-failed-attempts 5
aaa-server baird-deviceauth (inside) host 192.x.x.x
 server-port 636
 ldap-base-dn DC=x,DC=y,DC=z
 ldap-scope subtree
 ldap-login-password 
 ldap-login-dn cn=b,OU=Service Accounts,DC=x,DC=y,DC=z
 ldap-over-ssl enable
 server-type microsoft
aaa-server test-rsa protocol sdi
aaa-server test-rsa (inside) host 
 retry-interval 3
aaa-server tes-ldap-auth protocol ldap
aaa-server test-ldap-auth (inside) host 
 server-port 636
 ldap-base-dn DC=country,DC=something,DC=com
 ldap-scope subtree
 ldap-login-password
 ldap-login-dn CN=b,OU=Service Accounts,DC=x,DC=y,DC=z
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map test_VPN
user-identity default-domain LOCAL
aaa authentication ssh console baird-deviceauth LOCAL
aaa authentication http console baird-deviceauth LOCAL
aaa authentication serial console baird-deviceauth LOCAL
http server enable
http x.x.x.x y.y.y.y inside
http 1.1.1.1 255.255.255.0 inside
http redirect outside 80
snmp-server host inside x.x.x.x trap community  version 2c
snmp-server location 
snmp-server contact 
snmp-server community 
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps entity power-supply cpu-temperature
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint vpncso-selfsigned-trustpoint
 enrollment self
 fqdn 
 subject-name CN=,O=,C=,St=,L=
 keypair 
 crl configure
crypto ca trustpoint 
 enrollment terminal
 crl configure
crypto ca trustpoint 
 enrollment terminal
 fqdn 
 subject-name CN=,OU=,O=,C=,St=,L=
 keypair 
 crl configure
crypto ca trustpoint 
 enrollment terminal
 crl configure
crypto ca trustpoint 
 enrollment terminal
 crl configure
crypto ca trustpoint 
 enrollment terminal
 crl configure
crypto ca trustpool policy


telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh x.x.x.x inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.1.1.1 source inside
ntp server 2.2.2.2 source inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 2
 anyconnect profiles baird-client-profile disk0:/baird-client-profile.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 banner value !! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGIN UNDER PENALTY OF LAW !!
 banner value This is a private computer network and maybe used only by direct
 banner value permission of its owner(s). The owner(s) reserves the right to
 banner value monitor use of this network to ensure network security and to respond
 banner value to specific allegations of misuse. Use of this network shall
 banner value constitute consent to monitoring for these or any other purposes.
 dns-server value 1.1.1.1 2.2.2.2
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value something.com
 split-dns value something.com, us.something.com
 split-tunnel-all-dns enable
 address-pools value general-pool
 webvpn
  homepage use-smart-tunnel
  anyconnect modules value dart,nam
  anyconnect profiles value baird-client-profile type user
  anyconnect ask none default anyconnect
group-policy "test" internal
group-policy "test" attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 split-tunnel-all-dns enable
 address-pools value it-ops-pool
group-policy testMacs internal
group-policy testMacs attributes
 wins-server none
 dns-server value 1.1.1.1 2.2.2.2
 vpn-tunnel-protocol ssl-client
 default-domain value xyz.com
username admin password  encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 password-management password-expire-in-days 10
tunnel-group DefaultRAGroup webvpn-attributes
 authentication aaa certificate
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 password-management password-expire-in-days 10
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
tunnel-group test-Connect type remote-access
tunnel-group test-Connect general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 password-management password-expire-in-days 10
tunnel-group test-Connect webvpn-attributes
 authentication aaa certificate
 group-url http://abc.xyz.com enable
 group-url https://abc.xyz.rwbaird.com enable
tunnel-group testMacs type remote-access
tunnel-group testMacs general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 default-group-policy testMacs
 password-management password-expire-in-days 10
 secondary-username-from-certificate use-entire-name
tunnel-group testMacs webvpn-attributes
 group-url http://abc.xyz.com/macs enable
 group-url https://abc.xyz.com/macs enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 26
  subscribe-to-alert-group configuration periodic monthly 26
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aa675139dc84529791f9aaba46eb17f9
: end

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

I'll admit I haven't read

I'll admit I haven't read your config in detail, but a few tips:

- if you are doing split tunnel, be sure to push a route to VPN clients for the entire VPN pool subnet or subnets

- be sure to have same-security-traffic permit intra-interface

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263

- if you are using NAT, you must exclude the inter-VPN-device traffic from such NAT

- if you have ACLs (not shown), be sure to allow your VPN pool subnet to talk to itself. Generally this would be on the incoming ACL of the outside interface.

In the end, packet-tracer is your friend.

NPM
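As an added illustration (not part of the thread and not a Cisco tool), here is a small Python audit that applies the checklist above to a saved running config: it flags a missing intra-interface permit, a pool absent from a tunnelspecified split-tunnel list, and NAT without a pool-to-pool identity rule. The config excerpts are constructed, VPN_POOL is a hypothetical object name, and the identity NAT line assumes the ASA 8.3+ twice-NAT syntax.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's sanitized config; not the poster's real file.
# It uses tunnelspecified split tunnelling so the "push a route for the pool" check applies.
BEFORE = """\
ip local pool general-pool 10.10.20.1-10.10.20.254
access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 address-pools value general-pool
nat (inside,outside) source dynamic any interface
"""

# Same excerpt with the fixes from the accepted answer applied (VPN_POOL is a hypothetical object name).
AFTER = BEFORE + """\
same-security-traffic permit intra-interface
access-list Split_Tunnel standard permit 10.10.20.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.20.0 255.255.255.0
nat (outside,outside) source static VPN_POOL VPN_POOL destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
"""

def audit_hairpin(config):
    """Return findings for the client-to-client (hairpin) failure modes the accepted answer lists."""
    findings = []
    if not re.search(r"^same-security-traffic permit intra-interface$", config, re.M):
        findings.append("missing 'same-security-traffic permit intra-interface': hairpin traffic is dropped")
    # Standard ACLs referenced by the split-tunnel network list, as ip_network objects.
    acls = {}
    for name, net, mask in re.findall(r"^access-list (\S+) standard permit (\S+) (\S+)$", config, re.M):
        acls.setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}"))
    policy = re.search(r"^ split-tunnel-policy (\S+)", config, re.M)
    acl_ref = re.search(r"^ split-tunnel-network-list value (\S+)", config, re.M)
    # With tunnelspecified, peers are only reachable if the pool itself is in the pushed route list.
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+)\s*-\s*(\S+)", config, re.M):
        ends = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        if policy and policy.group(1) == "tunnelspecified" and acl_ref:
            covered = all(any(ip in n for n in acls.get(acl_ref.group(1), [])) for ip in ends)
            if not covered:
                findings.append(f"pool {name} is not in split-tunnel list {acl_ref.group(1)}")
    # If any NAT exists, pool-to-pool traffic needs an identity (twice) NAT on outside,outside.
    identity = r"^nat \(outside,outside\) source static (\S+) \1 destination static \1 \1"
    if re.search(r"^nat \(", config, re.M) and not re.search(identity, config, re.M):
        findings.append("NAT present but no identity NAT for pool-to-pool traffic on (outside,outside)")
    return findings
```

Run `audit_hairpin(BEFORE)` to see the three findings and `audit_hairpin(AFTER)` to confirm an empty list once the fixes are in place.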


Thanks Nick,

same-security-traffic permit intra-interface was the trick. Working like a champ now.

EsV
