Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1618
Views
0
Helpful
7
Replies

Branch Site Phone keeps unregistering MGCP SIP and SCCP , FXO, PSTN

Go to solution
Danik Therrien
Level 1
Level 1

‎08-11-2016 10:56 AM - edited ‎03-17-2019 07:48 AM

Hi Everyone, 

I need your help to help me find a solution to this problem. How can I tackle the problem? Is there a way to see what makes the phone unreg.?

NETWORK SCHEME

CUCM---HQ---Firewall (not asa)----Internet-----ipsec VPN on Router 881--- Switch---MGCP VG 2921

---2 POTS 

SITE DESC

In words, there is a VPN tunnel between the headquarter and the branch.

There is a 70 mbps internet connection at the branch and 200mbps at HQ.

PROBLEM DESC

Now, at random times, the phones will unregister,  stay like this between 3 and 5 min. then will comeback. It's really annoying because calls coming in can be lost during that time. 

Now we have check the VPN tunnel on the router and on the third-party firewall and it's all good, no errors. 

Internet seems to stay up. 

I have opened a TAC case to check the IPsec config and the VG but nothing. It doesn't explain why the phones go in a registering mode all the time. 

I"ll be as responsive as possible!

Thank you So much everyone!

D

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JEFF CALVIRD
Level 1
Level 1

‎08-12-2016 08:29 AM

I hear about this a lot and have worked a similar issue with a client. What it comes down to is lack of QoS and hitting loss of TCP syncs to CUCM. The gateway drops or CUCM is not receiving them and thus the result is loss of registration. Remember you have a round trip delay to address and when that's exceeded you will drop. Firewalls don't actually do QoS no matter what the manufacture states it's always best effort because the bottom line is that the internet has no QoS. The size of the pipe doesn't mean you won't have delay it just means you reduce the possibility you'll have delay caused by congestion. However rules of Ethernet is busty traffic which means the firewall may have to adjust for traffic hitting it and being scanned for policies and add a time you won't see in a peer-to-peer trace.

In some cases you can adjust this by changing the timer values in CUCM to extend but that will only mask the greater issue.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎08-11-2016 12:56 PM

You probably want to start by reviewing CUCM traces at the time this happens, and phone logs to look for any pointers, most likely there's a problem with the connection, QoS does not protect the voice signaling and RTP, etc.

HTH

java

if this helps, please rate
0 Helpful

Go to solution
Danik Therrien
Level 1
Level 1
In response to Jaime Valencia

‎08-12-2016 05:55 AM

That is good to know!

I will see what I can do! Although, It hasn't occurred in the last two days. No clue why. But I asked the client to call me as soon as possible when ever it does happen. 

I will keep you posted!

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎08-11-2016 07:18 PM

Hi,

Check in CUCM RTMT for reason of last rest. This will help you to confirm if the problem is related to connectivity or something at CUCM.

Now, you need to look at the monitoring for both sites to see if there are packet drops or link flapping. Also, you need to check the average latency between sites to make sure that its within supported limits.

Also, since this is a site to site vpn, you need to check your rekey timers and make sure that they aren't very low. This will keep the vpn tunnel to flap. You can verify the logs on cisco 881 router to see the vpn keeps going up/down.

On the firewall make sure that MGCP isn't inspected that the security box isn't dropping connections.

Now with centralized deployment similar to yours, SRST is very good option to overcome such problem. Also, it needs tuning for switchback  timers to avoid phones flapping between cucm and srst gateway.

Hope that helps you to look further.

0 Helpful

Go to solution
Danik Therrien
Level 1
Level 1
In response to Mohammed al Baqari

‎08-12-2016 05:53 AM

Those are very good pointers. 

  • Log from the vpn router attached to this post. I did replace the IPs.
  • Ping time from the VG to the CUCM :Is it too much?
VG01#ping 10.1.1.55 rep 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 10.1.1.55 (CUCM), timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 136/139/144 ms
VG01#
  • The firewall isn't inspecting anything since it's just a tunnel. But I will have my security engineer double check that.
  • Timers : Which one should I be looking for?
  • CUCM : When the problem reoccurs, I will check the logs right away!

Thank you so much again!

Preview file
8 KB
0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to Danik Therrien

‎08-12-2016 06:53 AM

Hi,

The latency is ok. Not very good but not too bad. However, I can see jitter which is expected over internet.

You security engineer needs to look for IKE SA Timers for phase 1 and phase 2. Best to post this in security forum.

0 Helpful

Go to solution
JEFF CALVIRD
Level 1
Level 1
In response to Danik Therrien

‎08-12-2016 08:31 AM

Danik, even though there's a VPN the firewall still has to make the decision when it's ingress so even though it's a quick match/forward process the firewall has to process based FIFO. :)

0 Helpful

Go to solution
JEFF CALVIRD
Level 1
Level 1

‎08-12-2016 08:29 AM

I hear about this a lot and have worked a similar issue with a client. What it comes down to is lack of QoS and hitting loss of TCP syncs to CUCM. The gateway drops or CUCM is not receiving them and thus the result is loss of registration. Remember you have a round trip delay to address and when that's exceeded you will drop. Firewalls don't actually do QoS no matter what the manufacture states it's always best effort because the bottom line is that the internet has no QoS. The size of the pipe doesn't mean you won't have delay it just means you reduce the possibility you'll have delay caused by congestion. However rules of Ethernet is busty traffic which means the firewall may have to adjust for traffic hitting it and being scanned for policies and add a time you won't see in a peer-to-peer trace.

In some cases you can adjust this by changing the timer values in CUCM to extend but that will only mask the greater issue.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents