01-29-2013 10:25 AM - edited 03-17-2019 02:58 PM
Is this possible? Like, I at home VPN to our main office and try to call my officemate, who happens to be at home as well, connected via VPN to the main office.
Or only I at home calling my main office IP phones through VPN and my officemate calling our main office IP phones using VPN, and not us calling each other using VPN to our main office?
01-30-2013 12:12 AM
Hi
Yes, you can call other VPN users.
Aaron
01-30-2013 12:17 AM
Good Day,
You can call any VPN user connected to the ASA via VPN tunnel and a phone registered with CUCM..!
You can also share data along with voice..!
Thank you
01-30-2013 01:52 AM
Thanks for the confirmation. Are there any requirements (settings on endpoints and appliance) for all VPN users to call each other when they are connected via AnyConnect to the main office? Like bandwidth speed, latency, QoS from Main Office to VPN users and vice versa? Because I tried calling a VPN user when I was on VPN as well; it rings, but when he or I answer the call, we can't hear each other. This is not the case when either one of us calls the main office.
01-30-2013 02:28 AM
Hi
There's nothing required on the clients - it's most likely your ASA config that is incorrect.
Last time I did this wrong, I missed the VPN client pool addresses from the split tunnel configuration. Adding them to the tunnelled subnets fixed it.
Perhaps post up your config if you are not sure?
Aaron
01-30-2013 02:02 PM
I suspect you might be missing the following command on your ASA: same-security-traffic permit intra-interface
Below is a blurb from the ASA CLI guide about the setting.
01-30-2013 09:36 PM
This command saves my day: same-security-traffic permit intra-interface. Also Aaron's info about allowing the VPN pool address in split tunneling. I didn't use split tunneling at first so I should have no problem, but I missed the command dprzywara mentioned, so still a failed call. Overall both pieces of info helped me.
Also is qos required on the ASA? And what is the recommended bandwidth required from hub (asa) to spokes (vpn users) and for spoke to spoke communication so users can have a smooth conversation?
01-31-2013 12:06 AM
Hi
You would not normally configure QoS on an ASA, no. Once the traffic hits the internet it's really out of your control, so all you can do is ensure that both ends are well provisioned.
Aaron
Please rate useful posts and mark 'answered' if appropriate...
01-31-2013 12:27 AM
So all we can do is hope that our internet connection is fast and reliable right?
01-31-2013 01:25 AM
More or less - the issue is that once your traffic is VPNd it's difficult to apply QoS to it, as it's all tunnelled and not visible to intermediate endpoints (e.g. the internet router at either end). You can prioritise some traffic outbound, but it's difficult to identify it, and you can only prioritise it for that first outbound hop at either end. After that it's at the mercy of the internet.
Eventually I'm sure things will move away from G711/G729 loss sensitive codecs to some of the newer ones. I have a number of customers using this type of setup and they have good results most of the time, sometimes issues around peak using times in the evenings etc.
Aaron
01-31-2013 01:38 AM
Thank You very much Aaron for that information, and to dprzywara
01-31-2013 02:39 AM
I have an ASA 5510 configured for Phone Proxy, wherein I am able to register my CIPC from a laptop on CUCM at head office and able to make calls to every extension but unable to hear voice...
Any help or idea what could be the cause?
Below is my debug from laptop
PP: opened 0x116804ea
PP: Data Block 1 forwarded from 14.36.107.90/8554 to 172.18.254.73/52361 ingress ifc outside
PP: Received ACK Block 1 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 2 forwarded to 172.18.254.73/52361
PP: Received ACK Block 2 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 3 forwarded to 172.18.254.73/52361
PP: Received ACK Block 3 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 4 forwarded to 172.18.254.73/52361
PP: Received ACK Block 4 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 5 forwarded to 172.18.254.73/52361
PP: Received ACK Block 5 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 6 forwarded to 172.18.254.73/52361
PP: Received ACK Block 6 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 7 forwarded to 172.18.254.73/52361
PP: Received ACK Block 7 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 8 forwarded to 172.18.254.73/52361
PP: Received ACK Block 8 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: Data Block 9 forwarded to 172.18.254.73/52361
PP: Received ACK Block 9 from outside:172.18.254.73/52361 to inside:172.18.124.230
PP: TFTP session complete, all data sent
PP: 172.18.254.73/52362 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116974f6
PP: 172.18.254.73/52363 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116a21e2
PP: 172.18.254.73/52364 requesting SEP0007EBF0EE54.cnf.xml.sgn
PP: opened 0x116b06ae
So I configured Remote IPSEC VPN with Split Tunnel and connected my laptop with VPN Client to head office. When I start my IPCP Soft Phone on the laptop, it gets registered and is able to make calls to any extension, but no voice from either end..!
Your comments and suggestions are highly appreciated..!
Thank you.
01-31-2013 06:25 AM
Hi Taufique
Your problem is unrelated to this one. You should open a new thread.
That said, the ASA/SSL VPN functionality built into the phones is superior to the Phone Proxy system, so if you feel like upgrading you'll have a simplified deployment with better features at the end of it.
Aaron
01-31-2013 10:44 PM
Thank you for your reply Aaron.
I would like to try Jabber on my iPhone and call my boss's iPhone, where we installed Jabber. Can you please help me with how to proceed..!
Your help is highly appreciated..!