SIP IP Phone issue via VPN  


khaled
(@khaled)
New Member
Joined: 1 month ago
Posts: 4
11/11/2019 7:39 am  

Hello All,

 

My config is like that:

 

SIP Cisco Phone---> firewall--> Internet--> firewall---> ASA-->local LAN--> CUCM

                                    |----------VPN IPSec---------------|

I have 2 users that are using VPN to access from outside to inside; they pass via the above config (2 SIP IP phones).

I can see the two phones are registered with call manager and they have their IP address from CUCM.

I looked into the firewall; everything is allowed to these IP phones (rule: from their VPN --> to any). The phone rings, but after picking up the call there is silence (no voice from both sides).

I looked on the ASA and found that the SIP is dropped. I created a rule for all SIP traffic on outside & inside. I also allowed HTTP & HTTPS to access the web interface of these IP phones, but the web interface doesn't display even though I allowed this in call manager.

 

Info:

IP Phone PMD IP 172.31.1.6

CUCM IP 192.168.1.124

CUCM IP 192.168.1.123

My laptop: 192.168.1.136

ASA Logs:

Pre-allocate SIP NOTIFY TCP secondary channel for outside IP_PHONE_PMD_8845/49680 to inside CUCM_123 from 200 message

302014 IP_PHONE_PMD_8845 192.168.1.136  Teardown TCP connection 17108989 for outside:IP_PHONE_PMD_8845/80 to inside:192.168.1.136/53802 duration 0:00:00 bytes 0 TCP Reset-O

IP_PHONE_PMD_8845   Pre-allocate SIP Via TCP secondary channel for inside:192.168.1.124/5060 to outside:IP_PHONE_PMD_8845 from ACK message

Would you please help me with that?

 

Thank you.


Pasha Teplitsky
(@pasha)
Member Admin
Joined: 4 years ago
Posts: 20
11/11/2019 3:13 pm  

Hi Khaled,

From the info you have provided, it seems like the problem is either with the FW/VPN device or with SIP ALG on the ASA.

What I suspect happens here is that one of the devices is replacing the IP address inside the SDP header of the SIP message.
This header includes the information that tells the phone where to send RTP to. 

SIP ALG (App Level Gateway) is a generic name for that functionality.

The first thing that you have to do is to find which device replaces the IP address in the SIP header.
To do that, we have to look at the SIP session of the call setup in the CUCM.

Please post the output here so we can figure it out.

I don't want to sound pushy, but these are exactly the things we go through step by step in the SIP course.


khaled
(@khaled)
New Member
Joined: 1 month ago
Posts: 4
12/11/2019 7:51 am  

@pasha

Hello Pasha,

Thank you for your reply.

Attached is the requested RTMT trace of SIP calls.

 

Thank you.


Pasha Teplitsky
(@pasha)
Member Admin
Joined: 4 years ago
Posts: 20
13/11/2019 2:46 pm  

Hi Khaled,

What we can see is that phone B (172.31.1.6) sends a ringing response (attached image: SIP ladder diagram 1) at 15:46:36.

The next message is a Cancel message from CUCM (attached image: SIP ladder diagram 2) at 15:46:49.

The Cancel message makes sense, CUCM waits for 13 seconds for another message (200 OK) that would indicate that someone has picked up the phone, but it never comes, thus the request is canceled.

If someone does pick up the phone, CUCM never gets the message, and this is what you have to investigate in your network.

Can you packet trace on the ASA or the VPN concentrator to see where this 200 OK message drops?

 
This post was modified 4 weeks ago 2 times by Pasha Teplitsky

khaled
(@khaled)
New Member
Joined: 1 month ago
Posts: 4
15/11/2019 7:13 pm  

@pasha

Hi Pasha,

 

I tried with SIP inspection enabled on the ASA and with SIP inspection disabled, but didn't find any drop of 200 OK messages there. The log is attached, and I'm checking in the VPN concentrator whether the drops are there.

I'll keep you updated.


Pasha Teplitsky
(@pasha)
Member Admin
Joined: 4 years ago
Posts: 20
17/11/2019 9:35 am  

Hi Khaled,

It's an hour-long log.
Please try to be specific on the exact times of when you try what.

I do see drops of 202 Accepted messages.

Also, as far as I know, you can get a real packet capture from the incoming leg and from the outgoing leg.
So you can actually compare packet to packet: what comes in and what goes out.


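Added example (not part of the thread and not Cisco code): one way to do the packet-to-packet comparison suggested above, and to find the device that rewrites addresses in the SIP/SDP as discussed earlier in the thread, is to diff the address-bearing fields of the same SIP message as captured on each leg. Both messages are constructed for illustration; 172.31.1.6 and 192.168.1.124 come from the thread, while 192.0.2.10, the Call-ID, the ports and the function names are assumptions.

```python
import re

# Constructed sample: one 200 OK as it might appear on each capture leg.
# 192.0.2.10 is a placeholder for an address a rewriting device (SIP ALG,
# NAT) could insert; it is not taken from the thread's captures.
OUTSIDE_LEG = """\
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.1.124:5060;branch=z9hG4bK1a2b
Contact: <sip:1001@172.31.1.6:49680;transport=tcp>
Call-ID: constructed-call-1@192.168.1.124
CSeq: 101 INVITE
Content-Type: application/sdp

v=0
o=Cisco-SIPUA 100 0 IN IP4 172.31.1.6
s=SIP Call
c=IN IP4 172.31.1.6
t=0 0
m=audio 20000 RTP/AVP 0 8
"""
INSIDE_LEG = OUTSIDE_LEG.replace("c=IN IP4 172.31.1.6", "c=IN IP4 192.0.2.10")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FIELDS = {  # fields that tell the peer where to send signalling or RTP
    "Via sent-by": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+" + IPV4, re.I | re.M),
    "Contact host": re.compile(r"^Contact:.*?@" + IPV4, re.I | re.M),
    "SDP o= addr": re.compile(r"^o=.*IN IP4 " + IPV4, re.M),
    "SDP c= addr": re.compile(r"^c=IN IP4 " + IPV4, re.M),
    "SDP m= port": re.compile(r"^m=audio (\d+)", re.M),
}

def transaction_key(msg):
    """(Call-ID, CSeq) identifies the same message on both legs."""
    cid = re.search(r"^Call-ID:\s*(\S+)", msg, re.I | re.M)
    cseq = re.search(r"^CSeq:\s*(\d+\s+\w+)", msg, re.I | re.M)
    return (cid and cid.group(1), cseq and cseq.group(1))

def address_fields(msg):
    msg = msg.replace("\r\n", "\n")  # captures usually carry CRLF
    found = {name: rx.search(msg) for name, rx in FIELDS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def rewritten_fields(leg_in, leg_out):
    """Return {field: (value_in, value_out)} for every field that changed."""
    if transaction_key(leg_in) != transaction_key(leg_out):
        raise ValueError("messages are not the same SIP transaction")
    a, b = address_fields(leg_in), address_fields(leg_out)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    print(rewritten_fields(OUTSIDE_LEG, INSIDE_LEG))
```

Running the same comparison at each hop (firewall, VPN concentrator, ASA) narrows down which device changes the media address; a message present on one leg and absent on the other is a drop rather than a rewrite.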
khaled
(@khaled)
New Member
Joined: 1 month ago
Posts: 4
19/11/2019 7:53 am  

@pasha

Hello Pasha,

Attached are the short captures requested. Also note that I can't open the web interface of the SIP even though it has an IP address from CUCM and the web interface is enabled in CUCM. I'm still tracing the phone in the VPN tunnel.

Regards 

