06-07-2013 04:48 AM - edited 03-16-2019 05:45 PM
Hello all:
We have a problem with calls when they come from a user connected through VPN. The topology is as follows:
VPN User->ASA->ROUTER->User in office.
Both users are on the inside interface and the command "same-security-traffic permit intra-interface" is configured, so the traffic is allowed. We checked the routes on the VPN client, ASA and router; all OK. When the call is made, the VPN user could hear the user in the office, but not vice versa; that is, the user in the office couldn't hear the VPN user.
I made a capture during a call, the relevant IPs are:
- 192.168.4.130: VPN User
- 192.168.6.103: User in the office
- 192.168.2.3: Call Manager (v9.1)
- 192.168.2.247 (v9.1)
You can see UDP (voice) packets appear from the user in the office, never from the VPN user. It happens with different PCs; it's not an isolated case. I attach the capture.
Thanks a lot!!
Cheers
06-07-2013 05:09 AM
You may have found that "all is OK", but it is not. You have some device, most likely the ASA, blocking packets from outside. Until you fix that, you will have one-way voice. You can try posting in the Security forum for tips about configuring the ASA.
06-07-2013 05:23 AM
Thanks for replying Paolo.
If the ASA was blocking those packets I'd see them in the capture I launched on the outside interface, and that capture has no packets.
Regards
03-26-2020 11:18 AM
Not if you are hitting a hide rule.
06-08-2013 09:08 PM
Morning,
Sounds to me like you are missing a NAT exclusion rule for one of your networks. Most likely the network that the phone inside the office is on. These won't show up as blocked packets, but you will just get one way audio.
If you are running NAT on the ASA this is most likely your issue. So check your NAT exclusion rules and ensure that traffic from inside the office to the VPN IP range is not being NATTED.
Sent from Cisco Technical Support iPhone App
06-09-2013 01:06 AM
Hi bendatcrox and thanks for replying.
The voice from the inside network reaches the VPN user, not the contrary. Right now, there is NAT exclusion from the inside network (192.168.6.0/24; 2.0/24) to the VPN user range (192.168.4.0/24). What we don't have is NAT exclusion from the VPN user to the inside network; is it necessary to configure it?
Regards
06-09-2013 04:11 PM
Hello again.
This will need to be a bidirectional NAT Exemption.
Sent from Cisco Technical Support iPhone App
06-09-2013 04:24 PM
Hi
Is the remote user using a firewall device which connects to the company's ASA, or is he using an SSL VPN client?
Thanks
06-09-2013 11:54 PM
@bendatcrox, ok then, I'll configure it and update the thread with the results.
@kaja_2kj3, he is using Cisco VPN Client and we already checked for a firewall or anti-virus issue. Moreover, he is not the only one in the company with the same problem, so it's not an isolated case.
Regards!
06-10-2013 01:33 AM
My suggestion would be to check your routes on the ASA.
- 192.168.4.130: VPN User
- 192.168.6.103: User in the office
- 192.168.2.3: Call Manager (v9.1)
- 192.168.2.247 (v9.1)
If your inside network is the 192.168.6.0, you need to have a static route to the Network with the Call Manager in it. I would suggest pointing it to the Core Router.
Example:
192.168.6.0/24 to 192.168.2.?/32
? = Core Router
Regards
06-10-2013 01:36 AM
Steven Holzem wrote:
My suggestion would be to check your routes on the ASA.
- 192.168.4.130: VPN User
- 192.168.6.103: User in the office
- 192.168.2.3: Call Manager (v9.1)
- 192.168.2.247 (v9.1)
If your inside network is the 192.168.6.0, you need to have a static route to the Network with the Call Manager in it. I would suggest pointing it to the Core Router.
Example:
192.168.6.0/24 to 192.168.2.?/32
? = Core Router
Regards
That is unlikely to be the problem. A major routing problem causes phones to fail to register, not one-way voice.
06-10-2013 01:47 AM
@Steven. I double-checked that point because I thought that was the problem. Routing is OK; between the ASA and the router (Core) there is a transit network, and the ASA is configured to reach those networks through that network. That Core is the default gateway for the 192.168.2.0 and 6.0 networks, so routing isn't the problem.
Thanks for posting
06-11-2013 03:32 AM
Hi all:
I configured the NAT Exemption rule from VPN users network but the problem persists.
I saw something odd: when I connect to the VPN, the ASA is configured to insert routes to 192.168.2.0 and 192.168.6.0, among others. I configured a capture that collects all packets from and to my VPN IP (192.168.4.130) and launched a ping to 192.168.2.3 and 192.168.6.103 (user).
In the capture I was able to see the ICMP packets (request and reply) to .2.3, but packets to 6.103 don't appear in the capture. I don't know why, but it seems those packets don't reach the ASA. It happens not only to me but to anyone who connects through VPN.
I confirmed 192.168.6.0 is known through the VPN tunnel. Any idea?
Regards
06-13-2013 05:32 AM
Hey,
It still sounds like NAT to me.
Can you send me your config?
Thanks.
Sent from Cisco Technical Support iPhone App
06-13-2013 06:23 AM
We fixed the problem yesterday. As you said, bendatcrox, there was a NAT problem. It was necessary to configure NAT Exemption between 192.168.60.0 and 192.168.4.0, although in that direction the sound during the call worked properly.
Thanks for posting here and trying to help me.
Regards
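
Added example, not part of the thread: a small Python check for the symptom discussed above, run over packet records exported from a capture. It flags UDP that flows in only one direction between the known subnets and lists any unknown source address sending UDP to the talking side, a hint that the missing direction is being translated. The record format, the function names and the address 203.0.113.10 are assumptions, and the sample capture is constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Ranges taken from the thread: VPN pool and the two inside networks.
KNOWN = [ip_network(n) for n in
         ("192.168.4.0/24", "192.168.6.0/24", "192.168.2.0/24")]

def is_known(ip):
    """True if the address belongs to one of the expected internal ranges."""
    return any(ip_address(ip) in net for net in KNOWN)

def one_way_pairs(packets, min_packets=3):
    """Return (talker, silent) pairs: UDP goes talker->silent, none comes back."""
    counts = Counter((p["src"], p["dst"]) for p in packets
                     if p["proto"] == "udp")
    return sorted((s, d) for (s, d), n in counts.items()
                  if n >= min_packets and is_known(s) and is_known(d)
                  and counts[(d, s)] == 0)

def translated_sources(packets, talker, silent):
    """Unknown UDP sources reaching the talker instead of the silent peer.

    Media arriving from an address outside every expected range suggests
    the silent side's packets were NATed rather than dropped.
    """
    return sorted({p["src"] for p in packets
                   if p["proto"] == "udp" and p["dst"] == talker
                   and p["src"] != silent and not is_known(p["src"])})

def pkt(src, dst, proto):
    return {"src": src, "dst": dst, "proto": proto}

# Constructed capture: signalling works both ways, voice only one way, and
# UDP reaches the office phone from a translated (hypothetical) address.
SAMPLE = (
    [pkt("192.168.4.130", "192.168.2.3", "tcp"),
     pkt("192.168.2.3", "192.168.4.130", "tcp")]
    + [pkt("192.168.6.103", "192.168.4.130", "udp")] * 4
    + [pkt("203.0.113.10", "192.168.6.103", "udp")] * 3
)

if __name__ == "__main__":
    for talker, silent in one_way_pairs(SAMPLE):
        print(f"one-way UDP: {talker} -> {silent}, nothing back")
        print("  unexpected UDP sources at talker:",
              translated_sources(SAMPLE, talker, silent))
```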