The Cisco CallManager Express remote phone solution extends IP voice services out to teleworkers that use CallManager Express over an Internet Protocol Security (IPSec) Virtual Private Network (VPN). This solution provides a cost-effective starter kit for a voice- and data-enabled teleworker solution. However, some restrictions apply to the remote Skinny Client Control Protocol (SCCP) across WAN links (for example, IPSec VPN). One such restriction is that generic routing encapsulation (GRE) over IPSec is required for remote teleworker sites. If GRE is not used, calls from remote phones to the Public Switched Telephone Network (PSTN) or Cisco Unity Express receive one-way audio.
If you have the IP phone (ephone) attached to Cisco CallManager Express over IPSec, and the remote router or VPN client is attached through a GRE/IPsec tunnel, the ephone routes through the tunnel. In this scenario, the GRE interface passes through encryption properly.
Without the GRE tunnel, the ephone is able to transmit Real-Time Protocol (RTP) packets over the dial-peer. Traffic that comes from the dial-peer towards the ephone is not encrypted. As a result, the downstream router discards the clear RTP packets, and the remote IP phone gets one-way audio.
This problem is most commonly seen when encrypted ephones and a Cisco Unity Express module are used together.
There are different ways to display the RTP packets sent and received by the ephone. You can determine whether the ephone can receive RTP packets from Cisco CallManager Express in these ways:
Issue the show ephone command on Cisco CallManager Express.
Browse the ephone ip address in order to check the call stream statistics.
Press the help (i or ?) button twice in quick succession during an active call in order to show the call statistics on the screen.
Normally, GRE over IPSec is the recommended solution for this one-way voice issue. If the remote VPN client cannot support the GRE tunnel, as is the case with VPN 3002 client software, you can still use policy routing to achieve two-way audio.
You can use Policy-based Routing (PBR) in order to force the ephone traffic through the encryptor. In order to do this, apply a static route to the remote ephone pointing at a loopback interface. Then use PBR on the loopback in order to set the next hop downstream of the crypto map.
This is a sample configuration:
crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group RemoteUsers key emmanuel ! crypto isakmp client configuration group cisco
! crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA reverse-route ! ! crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! ! ! !--- Create the loopback interface and apply the policy route-map. interface Loopback10 ip address 192.168.5.1 255.255.255.0 ip policy route-map 10 ! interface GigabitEthernet0/0 ip address 10.66.75.195 255.255.255.128 duplex auto speed 100 crypto map SDM_CMAP_1 ! interface Service-Engine0/1 ip unnumbered GigabitEthernet0/0 service-module ip address 10.66.75.196 255.255.255.128 service-module ip default-gateway 10.66.75.195 ! interface GigabitEthernet0/1 ip address 192.168.10.1 255.255.255.0 duplex auto speed auto no keepalive ! ip classless ip route 0.0.0.0 0.0.0.0 10.66.75.129 !--- Route the ephone traffic to the loopback interface. ip route 192.168.20.2 255.255.255.255 loopback10 ip route 10.66.75.196 255.255.255.255 Service-Engine0/1 ! ! ip http server no ip http secure-server ip http path flash: ! !--- Define the access-list to match the traffic to ephone. access-list 101 permit ip any host 192.168.20.2 ! !--- Configure the route-map for the policy routing and issue the set ip next-hop or set interface command in the route-map in order to force the ephone traffic to go through the encryptor. route-map 10 permit 10 match ip address 101 set ip next-hop 10.66.75.167
You can use these commands for verification and troubleshooting:
Hello allI hope you are doing well.I have a ptoblem with a line when i make a call with this line it showing Anonymous calls .In the trace SIP on the RTMT : sip: Anonymous@anonymous The call work fine but it show anonymous call on calling number...
I am looking for a way to get text messages sent to Cisco wireless phones (7926, 8821) from an internal device via SIP or CTI. CUCM version is 12.5. The sending application would be Rauland-Borg Responder V5. Their proposed solution involves a serial conn...
I am trying to register a CP-8945 VoiP phone. I have filled in all the information needed and added a line group. The display is showing the information but it's still showing unregistered on the CUCM. I'm not sure what I missed. P...
By default the layout when sharing content is "Stack", I would like to change the default layout to "Overlay" or "float" if you ask the webex Pro boards. All of the layout settings I see on the codec are in relation to using "Multi-Site". ...