
Anyway to stop phones from reregistering when site to site IPSEC VPN tunnel drops once a day?

IT Department
Level 1

We have some offices connected via an ASA Site to Site IPSEC VPN to our HQ which houses a CUCM.

 

The Internet line experiences just under 1% packet loss per 24-hour period. However, this sometimes causes the site-to-site VPN to drop and reconnect about 3 seconds later. The computers and users never notice the drop, but the phones site-wide re-register when this happens.

 

I have set each phone to "Delayed" for communication to CUCM which I thought would alleviate the problem but it has not.  I can even simulate the drop by disconnecting the VPN for a second and all the phones reregister.

 

Is there some way to stop this from happening?

5 Replies

Dennis Mink
VIP Alumni

Phones should change CUCM (re-register) after 3 missed Hello intervals (called station keepalive in the Call Manager service parameters; default 30 seconds for the active and 60 seconds for the standby CUCM) to their active CUCM, then fail over to the standby one. If you run a remote cluster that your phones connect to using the VPN, then it could potentially suffer dropped Hellos from your phones to any CUCM. After 3 missed Hellos the phones fail over to the standby CUCM, or to SRST if that is not available either.

I don't know of a way that you can change the fail # of Hellos; you can play with the frequency, but remember it is a service parameter and will affect all phones.

 

Please remember to rate useful posts, by clicking on the stars below.

What you describe is detailed in Cisco's support document here:

 

https://supportforums.cisco.com/document/74666/cucm-ip-phone-sccp-keepalive-and-failover-architecture

 

The document also recommends "Delayed" for the "Detect Unified CM Connection Failure" parameter on the device configuration page for my situation.

 

However, I've timed the VPN drop to 3 seconds. If I have 30 seconds, I do not understand why the phones would re-register as the site users tell me. Perhaps there is some other setting I'm missing causing this behavior.

From what I learned from Cisco, the Cisco ASA sends a reset message to all the Cisco VoIP phones when the VPN drops.

I do not know if having SCCP / Skinny inspection on or off would change this behavior.


I am testing the ASA command (disabled by default) sysopt connection preserve-vpn-flows, which is designed for VPNs that drop daily. So far all it seems to do is make the phones take longer to re-register.

 

Another TAC engineer mentioned the reset commands the ASA is capable of sending; however, they are turned off on my ASA, so I am at a loss why the TAC VoIP team claims the ASA is resetting the phones and that this is normal. Does anyone actually have a site where an ASA to ASA IPSEC tunnel drops and all the phones re-register (takes about 8 seconds)?

I have already tried doubling the system-wide CUCM phone keepalive in CUCM Services, but it doesn't change the behavior.

 

---------Service Reset Details for ASA---------

ciscoasa(config)# service ?

 

-You should see the following commands:

 

configure mode commands/options:
  call-home          Enable or disable Smart Call-Home
  internal           Advanced settings (use only under Cisco supervision)
  password-recovery  Password recovery configuration
  resetinbound       Send reset to a denied inbound TCP packet
  resetoutbound      Send reset to a denied outbound TCP packet
  resetoutside       Send reset to a denied TCP packet to outside interface

 

-If you want to disable the reset information you can use one of the following commands:

 

no service resetinbound
no service resetoutbound
no service resetoutside

-In order to determine the reset that the ASA is sending to the device you can use the following syslog information:

-Syslog code : 302014

Error Message %ASA-6-302014: Teardown TCP connection id for interface : real-address / real-port [( idfw_user )] to interface : real-address / real-port [( idfw_user )] duration hh:mm:ss bytes bytes [ reason ] [( user )]

 

-Regarding the VPN tunnel, you can use the following command : sysopt connection preserve-vpn-flows


after 2 months of TAC troubleshooting WE HAVE FOUND THE SOLUTION!

 

All along it was the Cisco ASA SCCP inspection, which is turned on by default in the service policies of the firewall configuration.

Early on I had disabled SCCP (Skinny) and SIP inspection at the remote site; HOWEVER, I never disabled it at the main site. IT MUST BE DISABLED ON BOTH SIDES OF THE IPSEC VPN tunnel, on BOTH ASAs.

 

After turning that off, now when the VPN drops once a day there is zero impact to the phones; they do not re-register.

 

I also have IKEv1 Aggressive Mode enabled and preserve VPN flows, so when the VPN drops it's about a second to reconnect and any file transfers in progress continue where they left off.

 

Mark as solution. 
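For readers landing here with the same symptom, the following is an added configuration example (not posted by anyone in this thread) showing the ASA factory-default inspection policy that caused the re-registrations next to the change the poster describes. It assumes the standard `global_policy` / `inspection_default` names the ASA ships with; the other default inspections on your box may differ by version.

```text
! --- Before: ASA factory default, SCCP and SIP inspection active ---
! (this is the state on both ASAs that made every tunnel flap reset the phones)
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect skinny
  inspect sip
  inspect dns preset_dns_map
  ! ... other default inspections unchanged ...
service-policy global_policy global
!
! --- After: remove voice inspection from the default class ---
! Must be applied on BOTH ASAs terminating the site-to-site tunnel;
! leaving it enabled on the HQ side alone reproduces the problem.
policy-map global_policy
 class inspection_default
  no inspect skinny
  no inspect sip
!
! Keep established flows (including the phones' SCCP connections to CUCM)
! across a tunnel re-establishment instead of tearing them down.
! Disabled by default.
sysopt connection preserve-vpn-flows
!
! --- Verify on each ASA ---
! Should report no skinny inspection in the global policy:
show service-policy inspect skinny
! Should list the preserve-vpn-flows line:
show running-config sysopt
```

If phones still re-register after a flap, compare syslog 302014 teardown messages for the phones' CUCM connections around the flap time on both firewalls to confirm which side is still closing the flows.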

SequenomIT, thank you for posting the solution. We've been experiencing the same issue and are trying your reported solution.

B