no one way audio

Adrián Moran
Level 1

Hi all, good day;

 

I have a network with 4 VLANs

Vlan10 for DATA

Vlan11 isolate with ACL for small group

Vlan12 Voice Vlan

Vlan13 Wireless Vlan

All the office telephones connect to CUCM 192.168.12.14 and 192.168.12.15 (secondary).

vlan11 has an access-list that just allows traffic to certain internal resources and out to the internet.

The issue in this VLAN is that when they call somebody in vlan10, the guy in vlan10 cannot hear anything, but the guy in vlan11 can hear the other side.

 

Here is the access-list for vlan11:

Extended IP access list deny_qa_acl
10 permit ip any host 192.168.0.2
20 permit ip any host 192.168.0.6
30 permit ip any host 192.168.15.15 (32 matches)
40 permit tcp any host 192.168.15.15 eq ftp
50 permit tcp any host 192.168.15.15 eq ftp-data
60 deny ip any 192.168.0.0 0.0.0.255 (282280 matches)
70 deny ip any 192.168.14.0 0.0.0.255
80 deny ip any 192.168.15.0 0.0.0.255 (277 matches)
90 deny ip any 192.168.16.0 0.0.0.255
100 deny ip any 192.168.17.0 0.0.0.255
110 permit ip any any (68652 matches)
120 permit udp any any range 1024 65535 (I added this line recently to open UDP ports for voice, no luck)

 

The ACL is applied on the VLAN interface:

interface Vlan11
description MQA /CASH
ip address 192.168.11.1 255.255.255.0
ip access-group deny_qa_acl in

 

Phones are registered and working correctly inbound and outbound externally; they have a Cisco IP softphone.

Any advice please? I'm not sure what other ports I should open.

 

Note: Vlan10 does not have any restrictive access-list.

 

Regards

MSE Adrian M.

8 Replies

Anthony W.
Level 1

Personally I would try adding this at the end of the ACL:

 

999 deny ip any any log

 

This way you will see in the log what is actually hitting the implicit deny on the ACL, to ensure that you are really having an ACL issue. If not, you may want to look at CUBE or routing if you're having one-way audio issues.

Hi Anthony, good day;

 

I added the line as you suggested, but there are no matches so far. How can I see the logs for that line? If I do sh log, nothing appears.

MSE Adrian M.

Adding "deny ip any any" at the end will do nothing if it follows your existing line 110 "permit ip any any".  While that is in place nothing after line 110 will have any effect at all.

Jaime Valencia
Cisco Employee

There's already documentation that explains the port usage:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_0_1/systemConfig/cucm_b_system-configuration-guide-1201/cucm_b_system-configuration-guide-1201_chapter_01010110.html

 

RTP flows directly between endpoints unless otherwise configured, you need to make sure RTP is allowed both ways between any two endpoints that can be on a call.

HTH

java

if this helps, please rate

TONY SMITH
Spotlight

The last line in your ACL does nothing:

110 permit ip any any (68652 matches)
120 permit udp any any range 1024 65535 ( I added this line recently to open UPD ports for voice, no luck)

Line 110 permits everything that hasn't already been denied, so nothing will hit line 120.

To make sense of your ACL can you tell us which subnet(s) belong to which VLAN?

Or you could try moving your line 120 up a bit, say make it line 35 after the permit for the Subscriber.  You might want to allow the phones to talk to the Publisher as well, but that depends on how you've configured your CMGs.

If this VLAN 11 is something special, for example subject to PCI compliance, you might want to read the document Jaime linked you to, and craft ACLs which permit only what is strictly needed.
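To show why line 120 never fires and what Tony's reordering changes, here is an added Python model of IOS first-match ACL evaluation run over the ACL from the original post; it is not code from the thread or from Cisco. The phone addresses 192.168.11.50 and 192.168.0.50 are assumed sample hosts, and since the ACL is applied inbound on Vlan11 it only filters traffic sent by VLAN 11 hosts (return RTP from VLAN 10 is never checked by it, which matches the one-way symptom).

```python
import ipaddress
# Constructed from the ACL posted in the thread (match counters and the inline remark dropped).
ACL_ORIGINAL = """
10 permit ip any host 192.168.0.2
20 permit ip any host 192.168.0.6
30 permit ip any host 192.168.15.15
40 permit tcp any host 192.168.15.15 eq ftp
50 permit tcp any host 192.168.15.15 eq ftp-data
60 deny ip any 192.168.0.0 0.0.0.255
70 deny ip any 192.168.14.0 0.0.0.255
80 deny ip any 192.168.15.0 0.0.0.255
90 deny ip any 192.168.16.0 0.0.0.255
100 deny ip any 192.168.17.0 0.0.0.255
110 permit ip any any
120 permit udp any any range 1024 65535
"""

def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD' (contiguous wildcard assumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_entry(line):
    seq, action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    ports = None  # destination port range (lo, hi), if the entry has one
    if rest and rest[0] in ("eq", "range"):
        lo = int(rest[1]) if rest[1].isdigit() else {"ftp": 21, "ftp-data": 20}[rest[1]]
        ports = (lo, int(rest[2]) if rest[0] == "range" else lo)
    return int(seq), action, proto, src, dst, ports

def evaluate(acl_text, proto, src, dst, dport):
    """First matching entry wins, as on IOS; implicit deny if none match. Returns (seq, action)."""
    for line in acl_text.strip().splitlines():
        seq, action, e_proto, e_src, e_dst, ports = parse_entry(line)
        if (e_proto in ("ip", proto) and ipaddress.ip_address(src) in e_src
                and ipaddress.ip_address(dst) in e_dst
                and (ports is None or ports[0] <= dport <= ports[1])):
            return seq, action
    return None, "deny"

# Tony's suggestion: move the UDP permit to seq 35, ahead of the denies (IOS keeps entries sorted by seq).
ACL_REORDERED = "\n".join(sorted(ACL_ORIGINAL.replace("120 permit udp", "35 permit udp").strip().splitlines(),
                                 key=lambda l: int(l.split()[0])))
```

With the original order, RTP from a VLAN 11 phone to a VLAN 10 phone is dropped at seq 60 and line 120 is never reached for any packet; with the permit at seq 35 that RTP passes while non-RTP traffic to the protected subnets is still denied. Note that `permit udp any any range 1024 65535` at seq 35 also lets VLAN 11 reach every subnet the later denies protect on high UDP ports, so limiting its destination to the voice and phone subnets keeps the isolation Tony mentions.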

Hello Tony, good day;

 

Inverting the last 2 lines:

110 permit udp any any range 1024 65535 (247 matches)
120 permit ip any any (290 matches)

Now I can see hits on the lines, but the issue still persists. UCM can see phones from both VLANs and there is no firewall between them, but the switch is L3 and has a default route:
default-router 192.168.13.1
default-router 192.168.11.1
default-router 192.168.0.254
I don't see a default route for VLAN12 192.168.12.0/24 (Voice VLAN); can this possibly cause the issue?

subnets:

VLAN10 192.168.0.0/24

VLAN11 192.168.11.0/24

VLAN12 192.168.12.0/24

VLAN13 192.168.13.0/24

MSE Adrian M.

If you have any doubts about routing between these subnets, then get that resolved first.  We'd need to see more of the switch configuration to comment.  I think the "default router" lines are a red herring in this context, although I'm not sure it makes sense to have more than one.  They shouldn't be needed to route between connected subnets.  What does "show ip route" show?

Depending on your security requirements, could you temporarily remove the ACL from VLAN 11 while you test routing?  In that configuration you should be able to ping one of your VLAN 11 phones from any of the other subnets.

Once routing is confirmed, it's just a matter of fine-tuning your ACL to permit everything that's actually needed.

Tony Smith;

 

Thanks, Tony. After ruling out routing and reorganizing the ACL, the problem has been solved.

 

Regards

MSE Adrian M.