08-02-2010 05:22 AM - edited 03-11-2019 11:19 AM
I am running into the following issue. I have a currently working ASA5505; clients can get VPN and do what they need to do. We recently added an Allworx VoIP system that uses SIP.
The ports that are required are:
SIP TCP 5050
SIP UDP 5060
BLF UDP 2088
RTP UDP 15000-15511
Mgmt TCP 8080
We are having our clients get VPN into the network before they can use the softphone application (Xlite) on the network. When our clients get VPN, they can place a call, but are unable to hear audio in either direction.
I am attaching our configuration from the ASA.
Thanks
08-02-2010 05:34 AM
Is the voice call between two softphones installed on clients connecting via vpn or between softphone and any external number?
08-02-2010 05:40 AM
The calls are from the softphone to internal extensions and to external phone numbers. The internal extensions will ring, but neither party can hear each other.
08-02-2010 05:54 AM
Hmmm, so if I am not wrong about the voice concept, it's basically the RTP stream that's failing. Since the call is setting up right, you are able to reach the call manager and register fine. For audio, it is direct traffic (RTP stream) between the phones. So you would have to check if that connectivity is there for that to flow without disruption. The VPN clients are doing a full tunnel, so all traffic is tunneled back to the ASA. Now the ASA has to know how to send that RTP traffic directly to the other phone. I am not sure exactly how the voice protocols work, but I guess this is a start.
08-02-2010 07:29 AM
Hello,
Are you able to make and receive calls from your internal LAN hosts? If that is working, then the firewall is doing the inspections properly. We need to see if the traffic is actually traversing through the VPN tunnel. Can you configure a capture on the firewall to see if we are getting any traffic to/from the VPN clients?
access-list capture permit ip 192.168.30.0 255.255.255.0 host 192.168.1.200
access-list capture permit ip host 192.168.1.200 192.168.30.0 255.255.255.0
capture capin access-list capture interface inside
capture capvpn type webvpn user
This will help us understand if the traffic is actually traversing through the VPN tunnel and help us narrow down the root cause.
Hope this helps.
Regards,
NT
08-02-2010 07:45 AM
08-02-2010 07:57 AM
Another suggestion would be to run capture on the client itself when you try to make a call to see where its failing.
08-02-2010 08:11 AM
I am attaching a capture of the client side. I made a test call and all I am seeing are the SIP signalling messages. No RTP.
08-02-2010 08:33 AM
Hello,
Seems like you have configured your VoIP server to be NAT aware, i.e. the server knows the public IP address it will be using when going to the internet. So, it modifies the message headers accordingly when trying to reach subnets out of its own IP. You can see it from the capture:
Can you turn off the NAT aware feature (typically it will be a field where you need to specify the public IP on the server) and see if that helps.
Regards,
NT
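An added example, not part of the original thread or any participant's code: a Python check that reads the SDP in a captured SIP message and flags media addresses outside the inside and VPN subnets, the symptom the NAT-aware setting is described as producing above. The 192.168.1.0/24 inside network, the function names and the sample 200 OK (with 203.0.113.10 standing in for the server's public IP) are constructed assumptions.

```python
import ipaddress

# Assumptions: inside LAN is a /24 around 192.168.1.200 (the host in the
# capture ACL); 192.168.30.0/24 is the VPN pool from the same ACL.
TUNNELED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.30.0/24")]
RTP_PORTS = range(15000, 15512)  # "RTP UDP 15000-15511" from the port list

# Constructed 200 OK; 203.0.113.10 stands in for the server's public IP.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.168.30.5:5060;branch=z9hG4bKconstructed",
    "Call-ID: constructed-1",
    "CSeq: 1 INVITE",
    "Contact: <sip:102@203.0.113.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 203.0.113.10",
    "s=-",
    "c=IN IP4 203.0.113.10",
    "t=0 0",
    "m=audio 15004 RTP/AVP 0",
])

def sdp_media_targets(sip_message):
    """Return [(address, port)] the sender asks to receive audio on."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, targets = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if targets:                 # media-level c= overrides session-level
                targets[-1][0] = addr
            else:
                session_addr = addr
        elif line.startswith("m=audio "):
            targets.append([session_addr, int(line.split()[1])])
    return [tuple(t) for t in targets]

def check_media(sip_message):
    """Flag advertised media addresses and ports that do not match this setup."""
    findings = []
    for addr, port in sdp_media_targets(sip_message):
        if addr is None or not any(
                ipaddress.ip_address(addr) in net for net in TUNNELED_NETS):
            findings.append(f"{addr}:{port} media address outside tunneled subnets")
        if port not in RTP_PORTS:
            findings.append(f"{addr}:{port} port outside RTP range")
    return findings

if __name__ == "__main__":
    print(check_media(SAMPLE_200_OK))
```

Run against the SIP responses exported from a client-side capture, an empty result means the advertised audio endpoint sits on a subnet the tunnel carries and within the configured RTP range.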
08-02-2010 09:48 AM
Naqaraja,
Thanks for the direction. I was thinking that the ASA was making that change to the SIP. I have contacted our vendor and he removed the public IP address from the Allworx server. It is working now.