Solved: VoIP Phone behind a Cisco 881 IPSec VPN - call terminate after 5 minutes

Wolfgang Maier · ‎12-28-2009

Hello,

I do need help.

If have a Cisco Router 881 with configured ipsec VPN to a central router. When I connect a phone (without any QoS) I can Log on (on the phone) and I can set up a call. The call establish and I can talk about 5 minutes. After this time range (4-6 minutes) I get a termination of my voip connection. My data connection is tested by a ping through the vpn tunnel and it works without any failure.

Some help will be appreciated.

Thanks

Wolfgang

Giuseppe Larosa · ‎01-08-2010

Hello Wolfgang,

now I see this is a newer router and so the new licensing aspects apply sorry for my basic note.

About QoS for VoIP:

I would change the configuration to have not a simple IPSec tunnel but a point to point GRE tunnel that is protected by IPSec.

This gives a tunnel interface object where:

you can run a routing protocol of choice to connect central site, this is helpful for troubleshooting

and/OR you can apply QoS.

you can control how your traffic is sent to the internet and you have limited control on what you receive on branch.

But the same is true for central site.

you need to know what are the available bit rates in direction branch to central office and central office to branch.

if it is supported and it should be, a hierarchical two levels Qos is good:

a parent policy that shapes all traffic to a rate <= effective rate in outbound direction

a child policy invoked by parent policy that implements a scheduler with a priority queue (low latency queue) for VOIP RTP bearer channel and some other normal queues for data traffic. VOIP signalling traffic can have its own class or it can be classified and put into priority queue.

You need also to calculate based on codec in use (G.729 probably that takes 24 kbps per conversation considering only IP overheads) how many conversations can be allowed at the same time. This is call admission control and it is very important to achieve good quality.

This needs to be configured on IP PABX controlling phones.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎12-28-2009

Hello Wolfgang,

without seeing your configuration it is difficult to say something meaningful.

Remove all username/pwds, mask public ip addresses and post your configuration using the attach option.

Hope to help

Giuseppe

Wolfgang Maier · ‎01-08-2010

Hello Guiseppe,

it took a short time to get the information, because of vacation (!)

Here an overview of my network

Network Company Network

172.19.89.232 172.20.0.0/24 and 172.18.0.0/24 and 192.168.101.0

______===================VPN-Tunnel================__________

----------|C880 |------PPPoE-DSL------------------Internet-Cloud------------------------------|Cisco1840|-------------IP-Mediagateway

DHCP for

Clients is working fine

CiscoRouter-172.19.89.233

The VPN Tunnel is working fine (nearly - I can't ping from C880 to any address of the Company, but I can ping from the company to direct Router 172.19.89.233 - but I can administrate via ssh to the C880 Router [there is anything strange])

ADSL with PPPoE is working fine.

Here is my config

Building configuration...

Current configuration : 5642 bytes
!
! Last configuration change at 08:54:46 CET Fri Jan 8 2010 by maierw
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hap-maierw
!
boot-start-marker

boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$DIZM$m.TYdiDycjHXJErEMQdFr0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1
clock summer-time europe recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3628147544
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-362878903
revocation-check none
rsakeypair TP-self-signed-362878903
!
!
crypto pki certificate chain TP-self-signed-362878903
certificate self-signed 02
3082024B 308201B4 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363238 31343735 3434301E 170D3039 31323233 30383135
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36323831
34373534 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
41C70203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13686170 2D6D6169 6572772E 616B6462 2E6E6574 301F0603
551D2304 18301680 14874900 37B43EDA 5745A530 9E08F427 A1552542 38301D06
03551D0E 04160414 87490037 B43EDA57 45A5309E 08F427A1 55254238 300D0609
2A864886 F70D0101 04050003 81810032 8F64C001 1D6A70BA B402ABB3 422BBA84
AF08615E 17695357 33402A8F C00FF92B 936990F5 26FE33A6 B5A6E7E1 0B6DCA18
6412A7BD AF6A9DD4 0FB050F1 A0B8F34F 904223BA 9FF27361 209A510B 3DF34AD9
253C2956 C423EF2C 570BDB99 364A9944 A6CDD197 85FE2836 4CCCDEA1 F9675386
D8DDB459 CE8412AD FC05AFEF 5EC2B2
        quit
no ip source-route
ip dhcp excluded-address 172.19.89.233
!
ip dhcp pool ccp-pool
   import all
   network 172.19.89.232 255.255.255.248
   default-router 172.19.89.233
   dns-server 172.18.3.27 172.18.35.3
   domain-name akdb.net
   option 43 hex 1145.7269.6373.736f.6e20.4950.2d50.686f.6e65.010b.3137.322e.3230.2e35.2e31.35
   lease 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name akdb.net
no ipv6 cef
!
!
license udi pid CISCO881-SEC-K9 sn FCZ1350922X
!
!
username **** privilege 15 secret 5 ********
!
!
ip tcp synwait-time 10
ip ssh version 2
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 1800
crypto isakmp key ***** address 1.2.3.4
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set abcd esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.2.3.4
set security-association lifetime seconds 1800
set transform-set abcd
set pfs group2
match address 130
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.19.89.233 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
interface Dialer1
description ADSL Interface
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname **********
ppp chap password *************
ppp pap sent-username ************
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map vpn
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
logging trap debugging
access-list 130 permit ip 172.19.89.232 0.0.0.7 192.168.101.0 0.0.0.128
access-list 130 permit ip 172.19.89.232 0.0.0.7 172.20.0.0 0.0.255.255
access-list 130 permit ip 172.19.89.232 0.0.0.7 172.18.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
snmp-server community *********** RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 60 0
password ******************
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp peer 192.153.103.104
ntp peer 192.53.103.108
end
And I recognized that I boot with file c880data-universalk9-mz.150-1.M.bin

I downloaded this file c880voice-universalk9-mz.150-1.M.bin but this won't work on boot.

Some help would be appreciated.

Thanks in advance

Wolfgang

Giuseppe Larosa · ‎01-08-2010

Hello Wolfgang,

no problem at all

>> I can't ping from C880 to any address of the Company

Have you tried to use an extended ping? with extended ping you can specify a source address = lan address. With your current configuration a standard ping uses as source the dialer interface ip address that is received in IPCP negotiation.

>>

I downloaded this file c880voice-universalk9-mz.150-1.M.bin but this won't work on boot.

by default an IOS router boots using first image it finds on flash

use dir flash: to see filesytem

you need a command like

boot system flash c880voice-universalk9-mz.150-1.M.bin

you need to save the configuration and at next reload it should use the newer image.

About the original problem, central site IP phones have IP addresses that are included in ACL 130, otherwise the call could not start.

This issue is more difficult to troubleshoot. The configuration looks like correct.

What kind of IP phones are you using?

I guess they are not Cisco IP phones I don't see option 150 under DHCP pool configuration.

Is the line

option 43 hex 1145.7269.6373.736f.6e20.4950.2d50.686f.6e65.010b.3137.322e.3230.2e35.2e31.35

related to the IP phones in use?

We use it for Cisco lightweight access points

If the phone has a PC port and replicates traffic to it, it may be wise to perform a packet capture to see what happens

Hope to help

Giuseppe

Wolfgang Maier · ‎01-08-2010

Hello Guiseppe,

thank you for your quick responde.

Extended Ping is working so that it is indeed exactly my problem, when I do a normal ping -> Thanks. (it works)

To boot the router from the Voice IOS is not working. A failure in boot says, that the IOS is not working on this plattform. I found a documentation that shows, that the voice IOS is not working on Cisco 880 Plattform only on 890 (?!)

http://www.cisco.com/en/US/prod/collateral/routers/ps380/white_paper_c11_499859.html (follow Table 1)

We have Ericsson Dialog 4425 phones and we use ip option 43 (but this also a mistake not working). I have tried to set (by dhcp option) the software server for my phone ip option 43 hex ... (like it is describe in the phone docu, but I'm not sure on it - we tried also on a windows dhcp server [yesterday] and got the same error -> something wrong in the documentation (perhabs)?])

What is normaly configured to get Qos oder RTP priorisied thrue the vpn tunnel ?

Thanks

Wolfgang

Giuseppe Larosa · ‎01-08-2010

Hello Wolfgang,

now I see this is a newer router and so the new licensing aspects apply sorry for my basic note.

About QoS for VoIP:

I would change the configuration to have not a simple IPSec tunnel but a point to point GRE tunnel that is protected by IPSec.

This gives a tunnel interface object where:

you can run a routing protocol of choice to connect central site, this is helpful for troubleshooting

and/OR you can apply QoS.

you can control how your traffic is sent to the internet and you have limited control on what you receive on branch.

But the same is true for central site.

you need to know what are the available bit rates in direction branch to central office and central office to branch.

if it is supported and it should be, a hierarchical two levels Qos is good:

a parent policy that shapes all traffic to a rate <= effective rate in outbound direction

a child policy invoked by parent policy that implements a scheduler with a priority queue (low latency queue) for VOIP RTP bearer channel and some other normal queues for data traffic. VOIP signalling traffic can have its own class or it can be classified and put into priority queue.

You need also to calculate based on codec in use (G.729 probably that takes 24 kbps per conversation considering only IP overheads) how many conversations can be allowed at the same time. This is call admission control and it is very important to achieve good quality.

This needs to be configured on IP PABX controlling phones.

Hope to help

Giuseppe