Cisco 2911 QOS for VOIP - Unexpected Profile - NAT Issues - RTSP

Ross Mccullough
Level 1

Group,

Have some issues to run by you to get the experts' opinion. Let's start with the setup:

HQ

2911 Router

SF300P Switches with QOS in basic mode, Voice VLAN 1

SPA504 IP Phone(s)

DC <-- Asterisk PBX located here with other SPA504 phones

What's happening:

Some HQ users have been complaining, since I swapped the firewall from a SA540 to a 2911, about phone-to-phone transfers in the HQ not being able to hear; outside calls to HQ are hard to hear or are one-way streams; calls from HQ to DC are sometimes one-way audio streams; if you call back a couple of times you can finally establish a two-way call, and it's intermittent.

What I have been able to diagnose:

I have set QOS on the switch in basic mode and can verify that by running the queue 4 stats: they are climbing for queue 4 correctly on the uplink port from the switch to the firewall. However, on the firewall, when I monitor the QOS on the inside-to-outside interface I don't see any movement on the Signaling or Voice streams; I do see CCP_Routing, CCP_Management, and CCP_Transactional climbing as we get phone calls.

I can verify that on the firewall the QOS policy for VOIP is set to EF and AF31 respectively and seems to be correct; on the phones I can verify the policy is set to COS 3 & 5 respectively (5/DSCP46/0xB8, 3/DSCP26/0x68). Wireshark shows data flowing into the firewall has the correct DSCP set to 0xB8.

I have turned off SIP ALG on the 2911. Didn't seem to help. NAT is being handled by the phones, not Asterisk.

I have verified the RTP range and it doesn't seem the calls are out of range.

I have done a Wireshark trace at the DC end and can verify that, when users at the DC are saying they can't hear the other party, both RTSP streams exist at the PBX.

Any feedback would be greatly appreciated. I have attached some profiles from the QOS and the QOS settings and the config is below. If you need further information please let me know and I will post it back.

Thanks experts!! Your insight and input are always valuable to a rookie on these 2911's!

Building configuration...

Current configuration : 11240 bytes
!
! Last configuration change at 12:22:54 NewYork Thu Dec 26 2013 by cisco
! NVRAM config last updated at 11:10:28 NewYork Thu Dec 26 2013 by cisco
! NVRAM config last updated at 11:10:28 NewYork Thu Dec 26 2013 by cisco
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pl-gw1-paf-router1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000
enable secret 5 <EDITED>
enable password 7 <EDITED>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name <EDITED>
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.4.4
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1476751880
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1476751880
 revocation-check none
 rsakeypair TP-self-signed-1476751880
!
!
crypto pki certificate chain TP-self-signed-1476751880
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343736 37353138 3830301E 170D3133 31313235 31373234
  31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34373637
  35313838 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B70E D68704F7 1DC5B4C1 6DFF6421 41224111 E3BA9B0F 91C01E8E E9B61469
  8722444D C2347B5E EB063258 C4F61C0F E17E5B51 6A63D7FC B93FA1BD A58CC717
  D64DA408 56325935 C0F5D80C 5A1048AA 6DA0FF36 91A140A4 F9CDE135 955BF3E5
  67065FD6 947CA3BB 954FA23B 547F7C6D DE6DC530 259F2503 6E72581A 68F53F80
  74D70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 143012D1 A2989973 8A811A4E 124912E3 7CE0F9AC 41301D06
  03551D0E 04160414 3012D1A2 9899738A 811A4E12 4912E37C E0F9AC41 300D0609
  2A864886 F70D0101 05050003 8181005A ED92B7D5 9F05C89A FCC402E0 A71B2646
  DF3558B1 ABC98AD0 10E5895F 4C31590E 413F8598 371C20FF 80015DA1 950E37B6
  A33D3F94 C1680EF3 209B7F1D 4ABB3368 2028466F CB1BEE42 34F1C902 9F956F3E
  1238886E D4A9C4C3 7C9EFE6F D30B06C9 FC06DFAA 089622FE 1C171FEA 5D495E9A
  06053BF3 9CF06146 360285E7 1E8DAF
        quit
license udi pid CISCO2911/K9 sn FGL172810VH
license boot module c2900 technology-package securityk9
!
!
object-group service Asterisk
 description Asterisk VOIP
 udp source eq 5060
 udp source range 16384 16842
!
username cisco privilege 15 secret 4 <EDITED>
username blakmoon91 secret 4 <EDITED>
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map match-any CCP-Transactional-1
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any CCP-Voice-1
 match dscp ef
class-map match-any CCP-Routing-1
 match dscp cs6
class-map match-any CCP-Signaling-1
 match dscp cs3
 match dscp af31
class-map match-any CCP-Management-1
 match dscp cs2
!
policy-map sdm-qos-test-123
 class class-default
policy-map CCP-QoS-Policy-1
 class CCP-Voice-1
  priority percent 33
 class CCP-Signaling-1
  bandwidth percent 5
 class CCP-Routing-1
  bandwidth percent 5
 class CCP-Management-1
  bandwidth percent 5
 class CCP-Transactional-1
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <EDITED> address 97.XXX.78.222 no-xauth
crypto isakmp key <EDITED> address 67.XXX.146.158
!
crypto isakmp client configuration group PlatinumVPNPool
 key <EDITED>
 dns 10.41.14.10 192.168.10.3
 wins 10.41.14.10 192.168.10.3
 domain <EDITED>
 pool SDM_POOL_1
 acl 108
 include-local-lan
 split-dns <EDITED>
 pfs
 max-users 25
 max-logins 10
 banner ^CYou are now connecting to a secure network. All connections are monitiored. If you have reached this in error please disconnect now. Call the Helpdesk X1000 for more information.^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group PlatinumVPNPool
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set PlatinumTransform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set security-association lifetime seconds 10800
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 97.xxx.78.222
 set peer 97.XXX.78.222
 set transform-set ESP-3DES-SHA
 match address 104
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 67.xxx.146.158
 set peer 67.XXX.146.158
 set transform-set PlatinumTransform
 match address 110
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description $ETH_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 71.XXX.160.123 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description $ETH-LAN$$ETH-LAN$$FW_INSIDE$
 ip address 10.41.14.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
 service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.26.1 192.168.26.50
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 3600
!
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.41.14.103 80 71.XXX.160.123 80 extendable
ip nat inside source static tcp 10.41.14.103 443 71.XXX.160.123 443 extendable
ip route 0.0.0.0 0.0.0.0 71.XXX.160.121
ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent
ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent
ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent
ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent
ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent
ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent
ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent
ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent
!
ip sla auto discovery
logging trap errors
logging host 192.168.10.29
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 remark Platinum LAN
access-list 2 permit 10.41.14.0 0.0.0.255
access-list 2 deny   any
access-list 101 remark Master Rules
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Asterisk VOIP
access-list 101 permit object-group Asterisk any any
access-list 101 remark FaxFinder WWW Traffic
access-list 101 permit tcp any host 71.XXX.160.123 eq www
access-list 101 remark FaxFinder HTTPS Traffic
access-list 101 permit tcp any host 71.XXX.160.123 eq 443
access-list 101 remark NTP Time Protocol
access-list 101 permit udp any host 71.XXX.160.123 eq ntp
access-list 101 remark IPSEC Protocols
access-list 101 permit udp any host 71.XXX.160.123 eq non500-isakmp
access-list 101 remark IPSEC Protocols
access-list 101 permit udp any host 71.XXX.160.123 eq isakmp
access-list 101 remark ESP Traffic
access-list 101 permit esp any host 71.XXX.160.123
access-list 101 remark General Permit
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
access-list 102 remark Platinum LAN NAT Rule
access-list 102 permit ip 10.41.14.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
access-list 108 remark CCP_ACL Category=4
access-list 108 permit ip 10.41.14.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
snmp-server community <EDITED> RW
snmp-server community public RO
snmp-server location Clearwater North
snmp-server contact MIS IT Services x1000
snmp-server enable traps entity-sensor threshold
snmp-server host 192.168.10.29 Mccullour9320
!
!
!
control-plane
!
!
banner login ^CYou have reached a security checkpoint. All connections are monitored. Follow company usage guidelines. Please contact the MIS IT Department for more information at x1000.^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 <EDITED>
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 24.56.178.140 prefer source GigabitEthernet0/0
ntp server 64.239.96.53 source GigabitEthernet0/0
ntp server 96.226.123.157 source GigabitEthernet0/0
ntp server 64.113.32.5 source GigabitEthernet0/0
ntp server 129.6.15.30 prefer source GigabitEthernet0/0
ntp server 12.10.191.151 source GigabitEthernet0/0
!
end
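The post's open question is why the 2911's Voice and Signaling class counters stay at zero even though Wireshark shows packets arriving with TOS 0xB8. A quick way to reason about that from the config alone is to parse the class-map, policy-map and interface sections and answer two things: which class a packet with a given DSCP/TOS byte would land in, and on which interface and direction each service-policy is actually attached. The script below is an added example written for this page; it is not code from the original post or from Cisco. It works on a constructed excerpt that mirrors the posted config (the full dump can be fed in instead), uses the standard DSCP code-point values (EF=46, CS3=24, AF31=26, and so on), and performs first-match classification the same way a policy-map walks its classes in order.

```python
"""Added example: classify DSCP values against an IOS policy-map and report
where service-policies are attached. Not part of the original post."""

# Standard DSCP code points (RFC 2474/2597/3246) as IOS names them.
DSCP_NAMES = {
    "default": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40,
    "cs6": 48, "cs7": 56, "ef": 46,
    "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38,
}

# Constructed excerpt mirroring the class-map / policy-map / interface
# parts of the posted config (not the full running-config).
SAMPLE_CONFIG = """\
class-map match-any CCP-Transactional-1
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any CCP-Voice-1
 match dscp ef
class-map match-any CCP-Routing-1
 match dscp cs6
class-map match-any CCP-Signaling-1
 match dscp cs3
 match dscp af31
class-map match-any CCP-Management-1
 match dscp cs2
!
policy-map CCP-QoS-Policy-1
 class CCP-Voice-1
  priority percent 33
 class CCP-Signaling-1
  bandwidth percent 5
 class CCP-Routing-1
  bandwidth percent 5
 class CCP-Management-1
  bandwidth percent 5
 class CCP-Transactional-1
  bandwidth percent 5
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description WAN
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN
 ip nat inside
 service-policy output CCP-QoS-Policy-1
!
"""


def dscp_value(token):
    """Turn an IOS DSCP token ('ef', 'af31' or a bare number) into its code point."""
    return DSCP_NAMES[token] if token in DSCP_NAMES else int(token)


def tos_to_dscp(tos_byte):
    """DSCP is the upper six bits of the IP TOS byte, e.g. 0xB8 -> 46 (EF)."""
    return (tos_byte & 0xFF) >> 2


def parse_config(cfg):
    """Return (class_maps, policy_maps, attachments) from IOS config text.

    class_maps:  name -> set of DSCP values matched
    policy_maps: name -> list of class names in configured order
    attachments: interface -> list of (direction, policy-map) tuples
    Indentation is ignored, so a dump that lost its leading spaces still parses.
    """
    class_maps, policy_maps, attachments = {}, {}, {}
    section = None  # (kind, name) of the block currently being read
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None  # '!' terminates a configuration block in IOS
            continue
        words = line.split()
        if words[0] == "class-map":
            section = ("class", words[-1])
            class_maps[words[-1]] = set()
        elif words[0] == "policy-map":
            section = ("policy", words[1])
            policy_maps[words[1]] = []
        elif words[0] == "interface":
            section = ("intf", words[1])
            attachments[words[1]] = []
        elif section and section[0] == "class" and words[:2] == ["match", "dscp"]:
            class_maps[section[1]].update(dscp_value(t) for t in words[2:])
        elif section and section[0] == "policy" and words[0] == "class":
            policy_maps[section[1]].append(words[1])
        elif section and section[0] == "intf" and words[0] == "service-policy":
            attachments[section[1]].append((words[1], words[2]))
    return class_maps, policy_maps, attachments


def classify(dscp, policy_name, class_maps, policy_maps):
    """First matching class wins, in the order the policy-map lists them."""
    for cls in policy_maps[policy_name]:
        if cls == "class-default" or dscp in class_maps.get(cls, set()):
            return cls
    return "class-default"


def class_for_tos(tos_byte, policy_name, cfg=SAMPLE_CONFIG):
    """Map a TOS byte as seen in Wireshark (e.g. 0xB8) to the policy-map class."""
    class_maps, policy_maps, _ = parse_config(cfg)
    return classify(tos_to_dscp(tos_byte), policy_name, class_maps, policy_maps)


def unpoliced_interfaces(cfg=SAMPLE_CONFIG):
    """Interfaces with no service-policy in either direction."""
    _, _, attachments = parse_config(cfg)
    return sorted(i for i, pols in attachments.items() if not pols)


if __name__ == "__main__":
    _, _, att = parse_config(SAMPLE_CONFIG)
    for intf, pols in att.items():
        print(intf, pols or "no service-policy")
    for tos in (0xB8, 0x68, 0x00):
        print(f"TOS 0x{tos:02X} -> {class_for_tos(tos, 'CCP-QoS-Policy-1')}")
```

Run against the posted config, the classifier confirms that 0xB8 lands in CCP-Voice-1 and 0x68 in CCP-Signaling-1, so the class definitions themselves are not the reason the counters stay at zero. The attachment report is the more useful output: the only service-policy in the dump is `service-policy output CCP-QoS-Policy-1` on GigabitEthernet0/1, the LAN side, so it only queues traffic leaving the router toward the phones; GigabitEthernet0/0 carries no policy, so nothing is shaping voice on its way out to the WAN. Checking the interface and direction of every policy attachment is worth doing before digging into markings.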
