Avaya VoIP phones over VPN

We are in the process of migrating from Juniper NetScreen firewalls at all of our sites to Cisco ASAs.

I have an IPsec VPN configured between a 5515-x at the main office and a 5505 at a remote branch.

All is working fine for data as file shares, RDP etc. work OK in both directions.

However, I am trying to get some Avaya 1608 phones working on the LAN at the remote branch connecting to an Avaya S8300 media server at the main office.

The handsets can connect to the S8300 and download their configuration and can call and receive calls from other handsets at the main and other remote sites, however, they do not get dial tone and when the call is answered, there is no audio in either direction.

We have had this setup working successfully for some time with the Junipers, but I cannot find a way of getting the handsets working properly with the ASAs.

Has anyone got any experience of doing this, and is there anything else I need to do on the VPN to get them working?

6 Replies

Aaron Harrison
VIP Alumni

Hi

Sounds like the ASA may be NATting the traffic.... have you verified you have properly configured no-nat for the VPN traffic?

Aaron


Hi Aaron,

Yes I believe that I have no nat configured correctly for the VPN as below for the remote branch:

nat (inside,outside) source static NETWORK_OBJ_10.237.35.192_27 NETWORK_OBJ_10.237.35.192_27 destination static NETWORK_OBJ_10.252.0.0_16 NETWORK_OBJ_10.252.0.0_16

with the equivalent (reversed) at the main office.

I have also tried both including and removing the inspection for h323 (h225 and ras), skinny and sip, but the result is the same in all cases.

Any other ideas would be appreciated

Hi,

In general you have to allow traffic between:

Avaya phone and Avaya server; and

Between the two endpoints, calling and called.

In many cases security engineers allow traffic between voice VLANs and servers, but they do not allow it between voice VLANs.

Agreed with the above - since you seem to have no-NAT set up, and you have disabled inspection, next I would check your ACLs.

Lack of dial-tone suggests not permitting RTP between server/gateway and the phone - from what I recall being told some years back, with Avaya dial-tone is streamed from the server rather than generated on the handset Cisco-style.

Aaron


Hi Aaron,

Thanks for the tip - I have now got it working :-)

I ran a Wireshark trace on the LAN and saw that the RTP was going to the Avaya G450 rather than the S8300 which was used to register the handsets (I am not an Avaya guy so I am not sure how it all fits together).

Adding a static route to the G450 to route the traffic correctly solved the problem.

I really appreciate your help - I am not sure I would have got there on my own.

Mohammed - thanks also for your input - it was also appreciated

Glad you have it resolved :-)

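The check that resolved this thread, finding where the handsets' RTP actually goes as opposed to where they register, can be scripted over a flow export from a capture. This is an added example and not part of the original posts: the host addresses and the CSV layout are constructed, and only the two networks come from the no-NAT rule quoted in the thread. It assumes the media gateway sits outside the network the tunnel is defined for, which the thread does not state.

```python
import csv
import io
import ipaddress

# Networks taken from the no-NAT rule quoted in the thread.
BRANCH_NET = ipaddress.ip_network("10.237.35.192/27")
TUNNEL_REMOTE_NETS = [ipaddress.ip_network("10.252.0.0/16")]

# Constructed sample: src,dst,proto,dst_port,first_payload_byte (hex).
# Host addresses are invented for illustration; the thread does not give them.
SAMPLE_FLOWS = """\
10.237.35.200,10.252.1.10,tcp,1720,03
10.237.35.200,10.252.1.10,udp,1719,06
10.237.35.200,10.250.9.20,udp,2050,80
10.237.35.201,10.250.9.20,udp,2052,80
10.237.35.201,10.252.1.10,udp,1719,06
"""

def looks_like_rtp(proto, first_byte):
    """RTP runs over UDP and its first two header bits carry version 2."""
    return proto == "udp" and (first_byte >> 6) == 2

def media_peers(flow_text, phone_net=BRANCH_NET):
    """Map each RTP destination to the set of phones streaming to it."""
    peers = {}
    for src, dst, proto, _port, byte_hex in csv.reader(io.StringIO(flow_text)):
        if ipaddress.ip_address(src) not in phone_net:
            continue  # only flows that originate from the branch handsets
        if looks_like_rtp(proto, int(byte_hex, 16)):
            peers.setdefault(ipaddress.ip_address(dst), set()).add(src)
    return peers

def outside_tunnel(peers, remote_nets=TUNNEL_REMOTE_NETS):
    """Return media destinations that no tunnel remote network covers."""
    return sorted(ip for ip in peers
                  if not any(ip in net for net in remote_nets))

if __name__ == "__main__":
    peers = media_peers(SAMPLE_FLOWS)
    for ip in outside_tunnel(peers):
        print(f"RTP to {ip} from {sorted(peers[ip])}: not covered by the VPN")
```

Any address this reports is a media endpoint that needs its own route and permit entries, separate from those for the registration server.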