02-05-2015 11:09 AM - edited 03-17-2019 01:52 AM
We have some offices connected via an ASA Site to Site IPSEC VPN to our HQ which houses a CUCM.
The Internet line experiences just under 1% packet loss per 24-hour period. However, this sometimes causes the site-to-site VPN to drop and reconnect about 3 seconds later. The computers and users never notice the drop, but the phones site-wide reregister when this happens.
I have set each phone to "Delayed" for communication to CUCM which I thought would alleviate the problem but it has not. I can even simulate the drop by disconnecting the VPN for a second and all the phones reregister.
Is there some way to stop this from happening?
02-05-2015 01:58 PM
Phones should change CUCM (re-register) after 3 missed Hellos (called: station keepalive in the Call Manager service parameters, default 30 seconds for active, 60 seconds for standby CUCM) interval to their active CUCM, then fail over to the standby one. If you run a remote cluster that your phones connect to using the VPN, then it could potentially suffer dropped Hellos from your phones to any CUCM. After 3 missed Hellos the phones fail over to the standby CUCM, or to SRST if that is not available either.
I don't know of a way that you can change the fail # of Hellos. You can play with the frequency, but remember it is a service parameter and will affect all phones.
02-06-2015 01:59 PM
What you describe is detailed in Cisco's support document here:
https://supportforums.cisco.com/document/74666/cucm-ip-phone-sccp-keepalive-and-failover-architecture
The document also recommends "Delayed" from "Detect Unified CM Connection Failure" parameter on the device configuration page for my situation.
However, I've timed the VPN drop to 3 seconds. If I have 30 seconds I do not understand why the phones would re-register as the site users tell me. Perhaps there is some other setting I'm missing causing this behavior.
03-02-2015 02:13 PM
From what I learned from Cisco, the Cisco ASA sends a reset message to all the Cisco VoIP phones when the VPN drops.
I do not know if having SCCP / Skinny inspection on or off would change this behavior.
I am testing the ASA command (disabled by default) sysopt connection preserve-vpn-flows
which is designed for VPNs that drop daily. So far all it seems to do is make the phones take longer to re-register.
Another TAC engineer mentioned the reset commands the ASA is capable of sending; however, they are turned off on my ASA, so I am at a loss why the TAC VoIP team claims the ASA is resetting the phones and that this is normal. Does anyone actually have a site where an ASA to ASA IPSEC tunnel drops and all the phones reregister (takes about 8 seconds)?
I have already tried doubling the system wide CUCM phone keep alive in CUCM Services but it doesn't change the behavior.
---------Service Reset Details for ASA---------
ciscoasa(config)# service ?
-You should see the following commands:
configure mode commands/options:
call-home Enable or disable Smart Call-Home
internal Advanced settings (use only under Cisco supervision)
password-recovery Password recovery configuration
resetinbound Send reset to a denied inbound TCP packet
resetoutbound Send reset to a denied outbound TCP packet
resetoutside Send reset to a denied TCP packet to outside interface
-If you want to disable the reset information you can use one of the following commands:
no service resetinbound
no service resetoutbound
no service resetoutside
-In order to determine the reset that the ASA is sending to the device you can use the following syslog information:
-Syslog code : 302014
Error Message %ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [reason] [(user)]
-Regarding the VPN tunnel, you can use the following command : sysopt connection preserve-vpn-flows
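The 302014 check described in the post above, as an added example that is not part of the original thread or any Cisco tooling: it parses teardown messages, keeps those on the phones' SCCP connections, and groups the affected phone addresses by the logged reason. The log lines, addresses and host name are constructed, and TCP port 2000 as the SCCP port is an assumption.

```python
import re
from collections import defaultdict

SCCP_PORT = 2000  # assumption: phones register to CUCM over SCCP on TCP 2000

# Constructed sample lines in the %ASA-6-302014 format (not real logs).
SAMPLE_LOG = """\
Mar 02 2015 14:01:07 hq-asa : %ASA-6-302014: Teardown TCP connection 88101 for outside:10.20.1.51/49712 to inside:10.1.1.10/2000 duration 6:12:40 bytes 91822 TCP Reset-O
Mar 02 2015 14:01:07 hq-asa : %ASA-6-302014: Teardown TCP connection 88102 for outside:10.20.1.52/50331 to inside:10.1.1.10/2000 duration 6:12:38 bytes 90417 TCP Reset-O
Mar 02 2015 14:01:07 hq-asa : %ASA-6-302014: Teardown TCP connection 88103 for outside:10.20.1.53/51200 to inside:10.1.1.10/2000 duration 6:12:41 bytes 91005 Tunnel has been torn down
Mar 02 2015 14:01:09 hq-asa : %ASA-6-302014: Teardown TCP connection 88110 for outside:10.20.1.77/52344 to inside:10.1.1.20/445 duration 0:00:31 bytes 5120 TCP FINs
Mar 02 2015 14:01:10 hq-asa : %ASA-6-302013: Built inbound TCP connection 88120 for outside:10.20.1.51/49801 (10.20.1.51/49801) to inside:10.1.1.10/2000 (10.1.1.10/2000)
"""

# Follows the message layout quoted in the post; the (idfw_user), reason and
# trailing (user) fields are optional.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: ?\([^)]*\))? to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?: ?\([^)]*\))? "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>[^(]+?))?(?: \(.*\))?\s*$"
)

def sccp_teardowns(log_text, port=SCCP_PORT):
    """Return one dict per 302014 teardown whose source or destination port is `port`."""
    hits = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m and str(port) in (m["src_port"], m["dst_port"]):
            rec = m.groupdict()
            rec["reason"] = rec["reason"] or "(none logged)"
            hits.append(rec)
    return hits

def phones_by_reason(log_text, port=SCCP_PORT):
    """Map each teardown reason to the sorted phone-side addresses it affected."""
    grouped = defaultdict(set)
    for rec in sccp_teardowns(log_text, port):
        # The phone is the endpoint that is not listening on the SCCP port.
        phone = rec["src_ip"] if rec["dst_port"] == str(port) else rec["dst_ip"]
        grouped[rec["reason"]].add(phone)
    return {reason: sorted(ips) for reason, ips in grouped.items()}

if __name__ == "__main__":
    for reason, phones in phones_by_reason(SAMPLE_LOG).items():
        print(f"{reason}: {len(phones)} phone(s) {phones}")
```

Many phones sharing one reason within the same second points at the firewall or tunnel rather than at individual phones missing keepalives.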
03-09-2015 11:53 AM
After 2 months of TAC troubleshooting WE HAVE FOUND THE SOLUTION!
All along it was the Cisco ASA SCCP Inspection, which is turned on by default in the service policies of the firewall configuration.
Early on I had disabled SCCP (Skinny) and SIP inspection at the remote site, HOWEVER, I never disabled it at the main site. IT MUST BE DISABLED ON BOTH SIDES OF THE IPSEC VPN tunnel, on BOTH ASAs.
After turning that off, now when the VPN drops once a day there is zero impact to the phones; they do not reregister.
I also have IKEv1 Aggressive Mode enabled and the preserve VPN flows, so when the VPN drops it's about a second to reconnect and any file transfers going continue where they left off.
Mark as solution.
03-08-2016 11:00 AM
SequenomIT Thank you for posting the solution. We've been experiencing the same issue and are trying your reported solution.