12-07-2023 04:08 PM
I have an exp-e with dual NIC setup. NIC1 is internal and NIC2 is external. NIC2 is on a DMZ and it uses an RFC1918 IP so I have defined the static NAT public IP for NIC2. The exp-e uses an FTD firewall on NIC2 as its default gateway and I have a static route to an internal subnet using NIC1. The exp-e is used for MRA phones and Webex clients and as long as the phones and clients are coming from the public Internet all is good. Managing the box and connection to exp-c works fine using NIC1.
The problem I have is with an internal/private guest subnet that is connected to the same physical firewall as NIC2 but on a different FTD interface. To route to this subnet the exp-e uses the same gateway but then the FTD routes it out its guest subnet interface rather than its outside interface. TCP and ICMP traffic look good. I can ping to/from the exp-e and the guest subnet. Webex clients can register and make calls. Checking the FTD logs I see that all the traffic types tcp, udp and ICMP are hitting the correct fastpath (prefilter) rules and being allowed through the FTD. I also see them using the correct FTD interfaces and IPs.
However, the Webex clients on the guest subnet are getting one-way audio. They can hear callers but callers can't hear them. In the FTD logs I can see many instances of either the webex client or the exp-e sending UDP packets but zero returning, which I guess explains the audio issues. From the logs it would seem all audio should be having issues but somehow it's only inbound to the Webex clients.
I suspect a routing or NAT issue but why would it be affecting only UDP traffic? Maybe the exp-e is trying to use its defined public IP for the guest subnet? If so, how can I address this?
Thanks,
Diego
12-07-2023 10:08 PM
Can you share a packet trace for this traffic?
MHM
12-08-2023 12:37 AM
Hi,
On the CUCM look at the ip address that webex clients on guest LAN are registering with.
Then analyze the traffic from the internal IP phones subnet to that IP address.
Please let us know.
Regards
Carlo
12-09-2023 10:17 AM
I am having some trouble with the packet captures. I think it might be due to the traffic being prefiltered on the FTD. I used "capture-traffic" from the FTD shell and I think that only works on traffic that is being processed by the SNORT engine. I'll need to find a way to capture traffic from the LINA engine. In the meantime, I found something rather interesting. The FTD logs from public IP clients show similar (but not quite the same) UDP traffic behavior as the guest network clients, but yet the public IP clients do not have the one-way audio issue. You can see from the screenshot of public IP traffic that there are several instances where public IP clients get zero packets back from the expressway. The main difference is that the guest network clients never get packets back from the expressway while the public IPs seem to get packets back for some flows but not others.
The difference is that the public IP clients do get some UDP packets
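The thread's evidence so far is the FTD connection log showing UDP flows with packets sent but "zero returning". The following is an added example (not part of the thread and not Cisco's tooling) of how to triage such logs: it groups UDP connection events by direction-independent 5-tuple and separates flows where both endpoints are sending but neither sees replies in its own connection (the asymmetric-path pattern Carlo suspects) from flows that are simply blackholed or healthy. The key=value event format and the sample events are constructed assumptions, not FTD's exact syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample connection events in a simplified key=value form.
# Field names are an assumption for this example, not FTD's real syslog format.
SAMPLE_EVENTS = [
    "proto=udp src=10.50.1.21 sport=24576 dst=192.0.2.10 dport=36002 in_if=guest out_if=dmz pkts_fwd=412 pkts_rev=0",
    "proto=udp src=192.0.2.10 sport=36002 dst=10.50.1.21 dport=24576 in_if=dmz out_if=guest pkts_fwd=405 pkts_rev=0",
    "proto=udp src=203.0.113.5 sport=50000 dst=192.0.2.10 dport=36004 in_if=outside out_if=dmz pkts_fwd=398 pkts_rev=401",
    "proto=udp src=203.0.113.9 sport=50002 dst=192.0.2.10 dport=36006 in_if=outside out_if=dmz pkts_fwd=12 pkts_rev=0",
    "proto=tcp src=10.50.1.21 sport=51234 dst=192.0.2.10 dport=5061 in_if=guest out_if=dmz pkts_fwd=60 pkts_rev=58",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value event line into a dict with integer counts/ports."""
    ev = dict(FIELD_RE.findall(line))
    for k in ("pkts_fwd", "pkts_rev", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev

def flow_key(ev):
    """Direction-independent 5-tuple so A->B and B->A map to one media flow."""
    a = (ev["src"], ev["sport"])
    b = (ev["dst"], ev["dport"])
    return (ev["proto"],) + tuple(sorted([a, b]))

def classify_udp_flows(lines):
    """Return {"asymmetric": [...], "blackholed": [...], "healthy": [...]}.

    asymmetric: both endpoints seen sending, each connection has zero return
                packets (replies take another path or hit a NAT/route mismatch).
    blackholed: only one endpoint sends and nothing comes back.
    healthy:    packets seen in both directions within one connection.
    """
    by_flow = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["proto"] == "udp":  # media (RTP) is the one-way-audio suspect
            by_flow[flow_key(ev)].append(ev)
    result = {"asymmetric": [], "blackholed": [], "healthy": []}
    for key, evs in by_flow.items():
        if any(e["pkts_rev"] > 0 for e in evs):
            result["healthy"].append(key)
        elif len(evs) >= 2:
            result["asymmetric"].append(key)
        else:
            result["blackholed"].append(key)
    return result
```

An "asymmetric" hit between a guest-subnet client and the exp-e DMZ address is what you would expect if the return path leaves through a different FTD interface or NAT than the forward path, which is worth checking against the LINA-level capture.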
12-09-2023 12:53 PM - edited 12-09-2023 12:54 PM
I guess you are falling in asymmetric routing from internal LAN to guest LAN.
As asked before, can you please check which IP Address you can see on CSF phones registering to CUCM.
Is it the Exp-C IP address or the client's one?
Please let me know.
Cheers
Carlo
12-11-2023 09:14 AM
Very possible. I'll be on site tomorrow to do more tests and collect better packet captures. I'll post back with results.
Thanks