Jabber with ASA AnyConnect spoke to spoke communication

warquezho0612
Level 1

Is this possible? For example, I am at home on VPN to our main office and try to call my officemate, who happens to be at home as well and connected via VPN to the main office.

Or is it only possible for me at home to call our main office IP phones through the VPN, and for my officemate to call our main office IP phones using the VPN, and not for us to call each other over the VPN to our main office?


Aaron Harrison
VIP Alumni

Hi

Yes, you can call other VPN users.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

taufique.shaikh
Level 1

Good Day,

You can call any VPN user connected to the ASA via VPN tunnel with a phone registered with CUCM..!

You can also share data along with voice..!

Thank you

Thanks for the confirmation. Are there any requirements (settings on endpoints and appliance) for all VPN users to call each other when they are connected via AnyConnect to the main office? Like bandwidth speed, latency, QoS from main office to VPN users and vice versa? Because I tried calling a VPN user when I was on VPN as well; it rings, but when he or I answer the call, we can't hear each other. This is not the case when either one of us calls the main office.

Hi

There's nothing required on the clients - it's most likely your ASA config that is incorrect.

Last time I did this wrong, I missed the VPN client pool addresses from the split tunnel configuration. Adding them to the tunnelled subnets fixed it.

Perhaps post up your config if you are not sure?

Aaron


I suspect you might be missing the following command on your ASA: same-security-traffic permit intra-interface

Below is a blurb from the ASA CLI guide about the setting.


This command saved my day: same-security-traffic permit intra-interface. Also Aaron's info about allowing the VPN pool addresses in split tunneling. I didn't use split tunneling at first, so I should have had no problem, but I missed the command dprzywara mentioned, so the call still failed. Overall, both pieces of info helped me.

Also, is QoS required on the ASA? And what is the recommended bandwidth from hub (ASA) to spokes (VPN users) and for spoke-to-spoke communication so users can have a smooth conversation?

Hi

You would not normally configure QoS on an ASA, no. Once the traffic hits the internet it's really out of your control, so all you can do is ensure that both ends are well provisioned.

Aaron

Please rate useful posts and mark 'answered' if appropriate...


So all we can do is hope that our internet connection is fast and reliable, right?

More or less - the issue is that once your traffic is VPN'd it's difficult to apply QoS to it, as it's all tunnelled and not visible to intermediate endpoints (e.g. the internet router at either end). You can prioritise some traffic outbound, but it's difficult to identify it, and you can only prioritise it for that first outbound hop at either end. After that it's at the mercy of the internet.

Eventually I'm sure things will move away from G711/G729 loss-sensitive codecs to some of the newer ones. I have a number of customers using this type of setup and they have good results most of the time, with sometimes issues around peak usage times in the evenings etc.

Aaron


Thank You very much Aaron for that information, and to dprzywara
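One way to check a saved running-config for the two fixes named in the replies above (the intra-interface command and the VPN pool addresses in the split-tunnel list). This is an added example, not part of the original thread; the sample config, its names and its addresses are constructed, and the script assumes a standard split-tunnel ACL and checks every pool against every group-policy.

```python
import ipaddress
import re

# Constructed sample config; every name and address here is made up for illustration.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
access-list SPLIT_ACL standard permit 192.168.1.0 255.255.255.0
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
"""

def audit_spoke_to_spoke(config: str) -> list[str]:
    """Return findings that would block VPN-client-to-VPN-client traffic."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    pools = {}     # pool name -> (first address, last address)
    acls = {}      # ACL name -> list of permitted networks
    policies = {}  # group-policy name -> {"mode": ..., "acl": ...}
    current = None
    for ln in lines:
        if m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", ln):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) standard permit ([\d.]+) ([\d.]+)$", ln):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acls.setdefault(m[1], []).append(net)
        elif m := re.match(r"group-policy (\S+) attributes", ln):
            current = policies.setdefault(m[1], {})
        elif current is not None and (m := re.match(r"split-tunnel-policy (\S+)", ln)):
            current["mode"] = m[1]
        elif current is not None and (m := re.match(r"split-tunnel-network-list value (\S+)", ln)):
            current["acl"] = m[1]

    for gp, p in policies.items():
        if p.get("mode") != "tunnelspecified":
            continue  # without split tunneling all traffic, pool included, is tunnelled
        nets = acls.get(p.get("acl"), [])
        for name, (first, last) in pools.items():
            if not any(first in n and last in n for n in nets):
                findings.append(f"{gp}: pool {name} not in split-tunnel list {p.get('acl')}")
    return findings

if __name__ == "__main__":
    for finding in audit_spoke_to_spoke(SAMPLE_CONFIG):
        print(finding)
```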

I have an ASA 5510 configured for Phone Proxy, wherein I am able to register my CIPC from a laptop on CUCM at head office and able to make calls to every extension, but unable to hear voice...

Any help or idea what could be the cause?

Below is my debug from laptop

PP: opened 0x116804ea

PP: Data Block 1 forwarded from 14.36.107.90/8554 to 172.18.254.73/52361 ingress ifc outside

PP: Received ACK Block 1 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 2 forwarded to 172.18.254.73/52361

PP: Received ACK Block 2 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 3 forwarded to 172.18.254.73/52361

PP: Received ACK Block 3 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 4 forwarded to 172.18.254.73/52361

PP: Received ACK Block 4 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 5 forwarded to 172.18.254.73/52361

PP: Received ACK Block 5 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 6 forwarded to 172.18.254.73/52361

PP: Received ACK Block 6 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 7 forwarded to 172.18.254.73/52361

PP: Received ACK Block 7 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 8 forwarded to 172.18.254.73/52361

PP: Received ACK Block 8 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: Data Block 9 forwarded to 172.18.254.73/52361

PP: Received ACK Block 9 from outside:172.18.254.73/52361 to inside:172.18.124.230

PP: TFTP session complete, all data sent

PP: 172.18.254.73/52362 requesting SEP0007EBF0EE54.cnf.xml.sgn

PP: opened 0x116974f6

PP: 172.18.254.73/52363 requesting SEP0007EBF0EE54.cnf.xml.sgn

PP: opened 0x116a21e2

PP: 172.18.254.73/52364 requesting SEP0007EBF0EE54.cnf.xml.sgn

PP: opened 0x116b06ae

So I configured remote IPsec VPN with split tunnel and connected my laptop with the VPN client to head office. When I start my IPCP soft phone on the laptop, it registers and is able to make calls to any extension, but there is no voice from either end..!

Your comments and suggestions are highly appreciated..!

Thank you.

Hi Taufique

Your problem is unrelated to this one. You should open a new thread.

That said, the ASA/SSL VPN functionality built into the phones is superior to the Phone Proxy system, so if you feel like upgrading you'll have a simplified deployment with better features at the end of it.

Aaron


Thank you for your reply Aaron.

I would like to try Jabber on my iPhone and call my boss's iPhone, where we installed Jabber. Can you please help me with how to proceed..!

Your help is highly appreciated..!