RE: SoftPhone - one way voice over VPN (good src addr)

From: Marko Berend (marko.berend@storm.hr)
Date: Thu Dec 11 2003 - 13:22:43 GMT-3


The thing that is most interesting is that PIX is in this case
terminating a VPN tunnel which is supposed to let all traffic through,
no filters applied.
But it seems that it is not pushing voice packets into the tunnel but
drops them without explanation.

-----Original Message-----
From: Kurt Bergsbaken [mailto:kbergsbaken@yahoo.com]
Sent: 11 December 2003 17:13
To: Kurt Bergsbaken; Marko Berend; ccielab@groupstudy.com
Subject: RE: SoftPhone - one way voice over VPN (good src addr)

The fact that the call is getting set up at all (tcp 1720-21) shows your
routing is working.

--- Kurt Bergsbaken <kbergsbaken@yahoo.com> wrote:
> If it makes you feel any better, this is a very common condition, we have
> been fighting the same problem with a Checkpoint solution for years. There
> are a number of things to look at, first would be whether the PIX is
> equipped to, and configured to handle, and have open, the dynamic UDP port
> allocation from 16384-32xxx that the RTP streams will run over. I'm not
> sure I can remember exactly what it takes to do that on Checkpoint, let
> alone PIX, as it is inherently tied to stateful inspection. Will likely
> have to chase the RTP stream from the IP Phone (or gateway, depending on
> the nature of the call) through each piece of the network with a sniffer.
> Chances are good that the PIX is blocking the appropriate udp port.
>
>
> --- Marko Berend <marko.berend@storm.hr> wrote:
> > Thanks John, but this is not helping.
> > My source address is ok, it is from the VPN range, and the SP is using
> > it as the source address.
> >
> > VPN client 4.x creates a virtual interface in win XP so you can see it
> > with "ipconfig", and the SP is properly configured to use this address.
> > For example I get 10.11.0.240 (my LAN is 10.11.0.0/24) and this is the
> > address in SP net configuration.
> > IP phones are on 10.11.3.0/24, but routing is OK, because I can ping
> > them and everything. No access-lists in between. I am sure it is not a
> > routing problem.
> >
> > But anyway, no voice towards me.
> >
> > This is why I am posting here, it is not trivial.
> >
> > -----Original Message-----
> > From: John Messina [mailto:john@area100.com]
> > Sent: 11 December 2003 11:48
> > To: Marko Berend; ccielab@groupstudy.com
> > Subject: RE: SoftPhone - one way voice over VPN (good src addr)
> >
> >
> >
> > http://www.cisco.com/en/US/products/sw/voicesw/ps1860/products_tech_note09186a0080094ed1.shtml
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Marko Berend
> > Sent: Thursday, December 11, 2003 5:18 AM
> > To: ccielab@groupstudy.com
> > Subject: SoftPhone - one way voice over VPN (good src addr)
> >
> > Hi to all,
> >
> > I am having trouble with Cisco SoftPhone over VPN. The voice is one way
> > only. I am not getting any traffic from the IP phone on the other end.
> > The scenario is this:
> >
> > SPhone-------VPN----------->PIX-------->CM-------->IP Phone 7940
> >
> > The IP address on the SoftPhone is correct in the SP network settings
> > (cisco.com says this is the solution but it isn't working still).
> > Everything works fine on the LAN. From VPN I can ping everything, CM,
> > VG, even the IP phone I am calling, but I'm not getting voice traffic
> > from it. When I sniff the traffic I see that nothing is coming. From
> > CallManager I can verify that the SoftPhone is registered with the
> > correct IP address. I have also tried modifying the MTU on the VPN
> > client but to no avail.
> >
> > CM is 3.1
> > SF is 1.3(3)
> > PIX 6.3(3)
> > VPN client 4.x (I've tried with 3.x also)
> >
> > I suspect that the PIX is making my life miserable, but it is not
> > logical. It must be a bug. Any comments or good ways to troubleshoot it?
> >
> > Thanks
> >
> > Marko
> >
> >
>


