RE: SoftPhone - one way voice over VPN (good src addr)

From: Marko Berend (marko.berend@storm.hr)
Date: Thu Feb 19 2004 - 10:00:45 GMT-3


Reminder: SoftPhone via VPN terminated on PIX - one-way voice problem
(again: the problem is not in the src address)

The same configuration with VPN concentrator 3005 works ok.
IOS router terminating VPN is working ok.
PIX terminating VPN with everything wide open works with one way voice.

Traffic monitoring shows that PIX is blackholing the traffic for no
apparent reason.

Cisco's turn... I think.

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: 11 December 2003 21:29
To: 'Kurt Bergsbaken'; Marko Berend; ccielab@groupstudy.com
Subject: RE: SoftPhone - one way voice over VPN (good src addr)

Very true, but this doesn't necessarily answer whether the udp/rtp ports
are being permitted to come back in. Depends on code version on the PIX
and the configuration thereof as well!

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kurt Bergsbaken
Sent: Thursday, December 11, 2003 11:13 AM
To: Kurt Bergsbaken; Marko Berend; ccielab@groupstudy.com
Subject: RE: SoftPhone - one way voice over VPN (good src addr)

The fact that the call is getting set up at all (tcp 1720-21) shows your
routing is working.

--- Kurt Bergsbaken <kbergsbaken@yahoo.com> wrote:
> If it makes you feel any better, this is a very common condition, we have
> been fighting the same problem with a Checkpoint solution for years. There
> are a number of things to look at, first would be whether the PIX is
> equipped to, and configured to handle, and have open, the dynamic UDP port
> allocation from 16384-32xxx that the RTP streams will run over. I'm not sure
> I can remember exactly what it takes to do that on Checkpoint, let alone
> PIX, as it is inherently tied to stateful inspection. Will likely have to
> chase the RTP stream from the IP Phone (or gateway, depending on the nature
> of the call) through each piece of the network with a sniffer. Chances are
> good that the PIX is blocking the appropriate udp port.
>
>
> --- Marko Berend <marko.berend@storm.hr> wrote:
> > Thanks John, but this is not helping.
> > My source address is ok, it is from the VPN range, and the SP is using
> > it as the source address.
> >
> > VPN client 4.x creates a virtual interface in win XP so you can see it
> > with "ipconfig", and the SP is properly configured to use this address.
> > For example I get 10.11.0.240 (my LAN is 10.11.0.0/24) and this is the
> > address in SP net configuration.
> > IP phones are on 10.11.3.0/24, but routing is OK, because I can ping
> > them and everything. No access-lists in between. I am sure it is not a
> > routing problem.
> >
> > But anyway, no voice towards me.
> >
> > This is why I am posting here, it is not trivial.
> >
> > -----Original Message-----
> > From: John Messina [mailto:john@area100.com]
> > Sent: 11 December 2003 11:48
> > To: Marko Berend; ccielab@groupstudy.com
> > Subject: RE: SoftPhone - one way voice over VPN (good src addr)
> >
> > http://www.cisco.com/en/US/products/sw/voicesw/ps1860/products_tech_note09186a0080094ed1.shtml
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Marko Berend
> > Sent: Thursday, December 11, 2003 5:18 AM
> > To: ccielab@groupstudy.com
> > Subject: SoftPhone - one way voice over VPN (good src addr)
> >
> > Hi to all,
> >
> > I am having trouble with Cisco SoftPhone over VPN. The voice is one way
> > only. I am not getting any traffic from the IP phone on the other end.
> > The scenario is this:
> >
> > SPhone-------VPN----------->PIX-------->CM-------->IP Phone 7940
> >
> > The IP address on the SoftPhone is correct in the SP network settings
> > (cisco.com says this is the solution but it isn't working still).
> > Everything works fine on the LAN. From VPN I can ping everything, CM,
> > VG, even the IP phone I am calling, but I'm not getting voice traffic
> > from it. When I sniff the traffic I see that nothing is coming. From
> > CallManager I can verify that the SoftPhone is registered with the
> > correct IP address. I have also tried modifying the MTU on the VPN
> > client but to no avail.
> >
> > CM is 3.1
> > SF is 1.3(3)
> > PIX 6.3(3)
> > VPN client 4.x (I've tried with 3.x also)
> >
> > I suspect that the PIX is making my life miserable, but it is not
> > logical. It must be a bug. Any comments or good ways to troubleshoot it?
> >
> > Thanks
> >
> > Marko
> >
> >
>
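
The approach suggested in the thread, chasing the RTP stream through each piece of the network with a sniffer, can be scripted once per-point flow summaries exist. The Python below is an added example, not part of the original thread: the capture-point names, the phone address 10.11.3.50, the UDP ports and the packet counts are constructed, and only 10.11.0.240 and the 10.11.3.0/24 phone subnet come from the messages.

```python
from collections import defaultdict

# Capture points ordered from the SoftPhone side to the IP phone side
# (hypothetical names for sniffers placed along SPhone--VPN-->PIX-->...-->phone).
PATH = ["vpn_client", "pix_inside", "phone_lan"]

# Constructed sample: (point, proto, src_ip, src_port, dst_ip, dst_port, packets)
SAMPLE = [
    # SoftPhone -> phone RTP is seen at every point.
    ("vpn_client", "udp", "10.11.0.240", 16384, "10.11.3.50", 16386, 480),
    ("pix_inside", "udp", "10.11.0.240", 16384, "10.11.3.50", 16386, 480),
    ("phone_lan",  "udp", "10.11.0.240", 16384, "10.11.3.50", 16386, 480),
    # phone -> SoftPhone RTP reaches the PIX inside segment, then vanishes.
    ("phone_lan",  "udp", "10.11.3.50", 16386, "10.11.0.240", 16384, 475),
    ("pix_inside", "udp", "10.11.3.50", 16386, "10.11.0.240", 16384, 475),
    # Call signalling is TCP and is ignored by the stream check.
    ("pix_inside", "tcp", "10.11.0.240", 1050, "10.11.3.10", 1720, 12),
]


def locate_loss(records, path, near_ip):
    """Find where each UDP stream disappears along the path.

    path lists capture points from near_ip's side to the far side.
    Returns {(src, sport, dst, dport): (last_seen_point, first_missing_point)}
    for every stream seen at one point but absent at the next one
    in its direction of travel.
    """
    seen = defaultdict(set)  # stream 4-tuple -> points where packets were seen
    for point, proto, src, sport, dst, dport, pkts in records:
        if proto == "udp" and pkts > 0:
            seen[(src, sport, dst, dport)].add(point)

    losses = {}
    for stream, points in seen.items():
        # Streams sourced at near_ip travel in path order, others in reverse.
        order = path if stream[0] == near_ip else path[::-1]
        for prev, nxt in zip(order, order[1:]):
            if prev in points and nxt not in points:
                losses[stream] = (prev, nxt)
                break
    return losses


if __name__ == "__main__":
    for stream, (last, missing) in locate_loss(SAMPLE, PATH, "10.11.0.240").items():
        print(f"{stream}: last seen at {last}, missing at {missing}")
```

A stream reported as last seen on the firewall's inside segment and missing at the VPN client points at the firewall or the tunnel rather than at routing on the voice LAN.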


