09-11-2014 12:02 PM - edited 03-17-2019 12:07 AM
I am the ASA Firewall Administrator where I work, and recently our Telephony group has changed their outbound calling to use SIP. We also use AnyConnect VPN Phones, and none of these (as long as they use a Secure Profile, which encrypts the signaling and payload) can make outbound calls.
Well, let me re-phrase that, they can make an outbound call but they hear no audio. AnyConnect VPN Phones that are not using a secure profile work fine.
Obviously this is an issue with the Firewall per se, something I am not doing or something I am doing! Not sure. Since I am not a Telephony guy, I'm not sure what to look at! When we first put in SIP the engineer said I needed to add some routes for the SIP Cubes and a NAT rule, both of which were added. However, at the time our testing efforts were performed with a phone that was not using a secure profile.
I know there is a TLS Proxy feature in the ASA – would this solve my issue? I’m thinking yes, because it would allow the ASA to decrypt the traffic, but I want to make sure this is the solution.
If not, what do I need to do, allow, or configure in the ASA Firewall to allow encrypted calls outbound?
Thank you for any assistance any one can provide!
09-11-2014 04:09 PM
Do you have SRTP/SIP inspection, can you try turning that off?
09-12-2014 05:23 AM
Yes, SIP inspection is on. Did you mean "RTSP"? Here are the inspects that are configured:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect h323 h225
  inspect h323 ras
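An added example (not from the thread) of the isolation test suggested in the reply above, followed by the ASA show commands that reveal whether the inspection engine is handling the secure call. It assumes the policy-map and class names shown in this post; the tls-proxy name is a placeholder.

```text
! Step 1 (diagnostic only): remove SIP inspection from the default class.
! SIP inspection reads the SDP in the signaling to open media pinholes; when
! the signaling is TLS-encrypted it cannot, so the returning media is dropped.
! If secure-profile VPN phones get two-way audio after this change, that is
! the component at fault.
policy-map global_policy
 class inspection_default
  no inspect sip
!
! Step 2: observe the call while it is up.
show service-policy inspect sip     ! per-interface SIP inspection counters
show conn protocol udp              ! RTP/SRTP flows the ASA has opened
show asp drop                       ! drop counters with their reasons
show vpn-sessiondb anyconnect       ! confirm the phone's VPN session and pool address
!
! Step 3: put inspection back, or point it at a TLS proxy so the ASA can
! decrypt the signaling and pinhole the media for secure-profile phones.
policy-map global_policy
 class inspection_default
  inspect sip
  ! alternative: inspect sip tls-proxy <YOUR_TLS_PROXY_NAME>
```

Run the test during a single secure-profile call from the VPN phone so the counters in step 2 are attributable to that call.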
09-12-2014 07:42 AM
09-12-2014 08:33 AM
Here are scenarios I have tested:
Internal Cisco 7965 IP Phone w/Secure or Non-Secure Profile:
AnyConnect VPN Phone - Cisco 7965 IP Phone w/Secure Profile:
AnyConnect VPN Phone - Cisco 7965 IP Phone w/Non-Secure Profile:
AnyConnect Laptop – With Cisco Softphone – IP Communicator w/Secure Profile:
The only scenario that fails is when the call is initiated on an AnyConnect phone that has a secure profile. The call signaling seems to go through because the phone rings, but when the caller answers there is no audio in either direction.
09-12-2014 10:36 AM
OK, let me know if my thinking is correct, but I think what is happening is that the SIP call is automatically negotiating down to unencrypted between the AnyConnect call and SIP.
Now based on that I am assuming that the firewall could be dropping the traffic because the AnyConnect phone is going out encrypted, but the return payload is coming back unencrypted.
What I have noticed is that signaling and payload work on the way out encrypted; it's the return traffic that is unencrypted, and based on that, and knowing the firewall is stateful, it must be dropping the traffic.
Our Network admin was able to verify that voice traffic was indeed coming back, but it was unencrypted because he could play back the G.711 audio and hear the voice call. Had it come back encrypted he would not have been able to hear the voice call.
01-19-2018 05:07 AM
Hi,
I have the below problem.
IPPhone to IPPhone in LAN environment.
IP Phone to IPPhone/External Num - the call gets connected, but there is blank audio over AnyConnect VPN to the ASA and then to Call Manager.
Please suggest.
01-19-2018 10:42 AM
01-22-2018 03:59 AM
Thanks for the response.
There is no NAT configuration on the AnyConnect ASA. The ACL also doesn't deny the traffic to the Call Manager.
Could you please help with how to verify the crypto tunnel to check the communication.
02-01-2018 10:24 PM
Hi, Yes I identified the missing routes for certain Voice subnets and split tunnel entries, which corrected it.