My config is like this:
SIP Cisco Phone---> firewall--> Internet--> firewall---> ASA-->local LAN--> CUCM
I have 2 users that are using VPN to access from outside to inside; they pass via the above config (2 SIP IP phones).
I can see the two phones are registered with call manager and they have their IP address from CUCM.
I looked into the firewall; everything is allowed to these IP phones (rule: from their VPN--> to any). The phone rings, but after picking up the call there is silence (no voice from both sides).
I looked on the ASA and found that the SIP is dropped, so I created a rule for all SIP traffic on outside & inside. I also allowed HTTP & HTTPS to access the web interface of these IP phones, but the web interface doesn't display even though I allowed this in Call Manager.
IP Phone PMD IP 172.31.1.6
CUCM IP 192.168.1.124
CUCM IP 192.168.1.123
My laptop: 192.168.1.136
Pre-allocate SIP NOTIFY TCP secondary channel for outside IP_PHONE_PMD_8845/49680 to inside CUCM_123 from 200 message
302014 IP_PHONE_PMD_8845 192.168.1.136 Teardown TCP connection 17108989 for outside:IP_PHONE_PMD_8845/80 to inside:192.168.1.136/53802 duration 0:00:00 bytes 0 TCP Reset-O
IP_PHONE_PMD_8845 Pre-allocate SIP Via TCP secondary channel for inside:192.168.1.124/5060 to outside:IP_PHONE_PMD_8845 from ACK message
Would you please help me with that?
From the info you have provided, it seems like the problem is either with the FW/VPN device or with SIP ALG on the ASA.
What I suspect happens here is that one of the devices is replacing the IP address inside the SDP header of the SIP message.
This header includes the information that tells the phone where to send RTP to.
SIP ALG (App Level Gateway) is a generic name for that functionality.
The first thing that you have to do is to find which device replaces the IP address in the SIP header.
To do that, we have to look at the SIP session of the call setup in the CUCM.
Please post the output here so we can figure it out.
I don't want to sound pushy, but these are exactly the things we go through step by step in the SIP course.
What we can see is that phone B (172.31.1.6) sends a ringing response (attached image: SIP ladder diagram 1) at 15:46:36.
The next message is a Cancel message from CUCM (attached image: SIP ladder diagram 2) at 15:46:49.
The Cancel message makes sense: CUCM waits for 13 seconds for another message (200 OK) that would indicate that someone has picked up the phone, but it never comes, thus the request is canceled.
If someone does pick up the phone, CUCM never gets the message, and this is what you have to investigate in your network.
Can you packet trace on the ASA or the VPN concentrator to see where this 200 OK message drops?
It's an hour-long log.
Please try to be specific on the exact times of when you try what.
I do see drops of 202 Accepted messages.
Also, as far as I know, you can get real packet capture from the incoming leg and from the outgoing leg.
So you can actually compare packet to packet- what comes in and what goes out.
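
The leg-to-leg comparison suggested in the thread, as an added example that is not code from any of the posters: it takes the same SIP message as captured on the incoming and the outgoing leg and reports which address-bearing headers or SDP lines a device in the path rewrote. The two messages are constructed samples; the phone and CUCM addresses and port 49680 come from the thread, while the extension, branch value, RTP port and the rewritten address 192.0.2.10 are assumptions.

```python
import re

def address_fields(sip_text):
    """Collect the headers and SDP lines that carry addresses, keyed by field name."""
    fields = {}
    head, _, body = sip_text.replace("\r\n", "\n").partition("\n\n")
    for line in head.split("\n")[1:]:            # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "contact"):
            fields.setdefault(name.strip().title(), []).append(value.strip())
    for line in body.split("\n"):                # SDP: origin, connection, media
        if line[:2] in ("o=", "c=", "m="):
            fields.setdefault("SDP " + line[:2], []).append(line[2:].strip())
    return fields

def rewritten_fields(ingress, egress):
    """Return {field: (values_in, values_out)} for every field that differs."""
    a, b = address_fields(ingress), address_fields(egress)
    return {k: (a.get(k, []), b.get(k, []))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def media_target(sip_text):
    """Return (ip, port) the SDP asks the far end to send audio RTP to, or None."""
    f = address_fields(sip_text)
    if "SDP c=" not in f or "SDP m=" not in f:
        return None                              # message carries no usable SDP
    ip = re.search(r"IN IP4 (\S+)", f["SDP c="][0])
    port = re.search(r"audio (\d+)", f["SDP m="][0])
    return (ip.group(1), int(port.group(1))) if ip and port else None

# Constructed sample: 200 OK from the phone as seen on the outside leg.
OUTSIDE_LEG = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 192.168.1.124:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:1001@172.31.1.6:49680;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=Cisco-SIPUA 1 0 IN IP4 172.31.1.6\r\ns=SIP Call\r\n"
    "c=IN IP4 172.31.1.6\r\nm=audio 20000 RTP/AVP 0\r\n"
)
# Constructed sample: the same message on the inside leg after an ALG rewrite.
INSIDE_LEG = OUTSIDE_LEG.replace("c=IN IP4 172.31.1.6", "c=IN IP4 192.0.2.10")

if __name__ == "__main__":
    for field, (before, after) in rewritten_fields(OUTSIDE_LEG, INSIDE_LEG).items():
        print(f"{field}: {before} -> {after}")
    print("RTP will be sent to", media_target(INSIDE_LEG))
```

Feed it the text of one message exported from each capture point; an empty result from `rewritten_fields` means that device passed the message unchanged.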