Hi, needing help here,
I have set up a pair of 1841s site2site with static IP at HQ and dynamic IP remote. PC and a Cisco 8861 (with a PoE adapter) behind the 1841 all work fine.
Then I took an ASA5505 (want to use its PoE port), set it up as remote dynamic IP. PC connecting to ASA works, phone stays at "Registering". I can ping the phone's IP from HQ, though.
Checked the ASA, option 150 is set, tftp inspection is set, NAT exempt is set (PC's totally working, all subnets, including pinging the CUCM at HQ). What else do I need to check?
Any help is greatly appreciated.
I did. Many times. Still stops at "Phone is registering".
So, today I reversed it. Set up a 5505 at HQ as Dynamic VPN server, an 1841 at remote site as VPN client. Again, PC works fine, all subnets reachable. Phone still registering.
Then, changed the remote to 5505, PC works, Phone registering.
So far the only combo that works for the phone is a pair of IOS routers. There must be some firewall functions in ASA that block specific VoIP traffic. Can anyone that ever got an IP phone to work behind an ASA share your experience and configuration?
Can you temporarily disable SIP, Skinny and H323 inspection?
no inspect h323 h225
no inspect h323 ras
no inspect skinny
no inspect sip
Thanks for the response. I tried but still not working. I have also tried turning tftp inspection on and off. Makes no difference.
1. Unplug the phone.
2. Configure and start a regular packet capture and an asp-drop packet capture on the interface facing the phone. Use this guide.
3. Issue on the ASA "clear asp-drop".
4. Plug the phone, let the captures run for a while.
5. Post the output of "show asp-drop" and both packet-captures.
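The capture procedure in the steps above, written out as ASA commands. This is an added example, not part of any post in the thread: the interface name `inside` and the capture names `CAP_PHONE` and `CAP_ASP` are assumptions, and the two addresses are the phone and CUCM IPs given in the thread.

```cisco
! Added example. "inside" (the phone-facing interface) and both capture
! names are assumptions; adjust them to the actual configuration.

! Regular capture: traffic between the phone and CUCM, both directions
capture CAP_PHONE interface inside match ip host 10.0.202.108 host 10.0.102.11

! ASP-drop capture: every packet the accelerated security path discards
capture CAP_ASP type asp-drop all

! Reset the drop counters so only the new registration attempt is counted
clear asp drop

! ... plug in the phone and let it sit at "Registering" for a while ...

! Collect the results
show asp drop
show capture CAP_PHONE
show capture CAP_ASP

! Remove the captures when finished
no capture CAP_PHONE
no capture CAP_ASP
```

Packets from the phone's address that appear in `CAP_ASP` show which drop reason applies to the registration traffic, which the counters in `show asp drop` alone do not tell you.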
show asp drop
Flow is denied by configured rule (acl-drop) 13
First TCP packet not SYN (tcp-not-syn) 83
TCP failed 3 way handshake (tcp-3whs-failed) 7
TCP RST/FIN out of order (tcp-rstfin-ooo) 5
Slowpath security checks failed (sp-security-failed) 24
Dropped pending packets in a closed socket (np-socket-closed) 10
Phone at remote site : 10.0.202.108
CUCM at HQ: 10.0.102.11
I see there is communication between the IP Phone and CUCM. What do the logs on CUCM say? Can you upgrade your ASA to the latest supported version of 9.1(7)?
Checked RTMT, nothing for the Phone when it was connecting via ASA.
The 5505 is on "Cisco Adaptive Security Appliance Software Version 9.1(7)32". I believe it is the latest.
It just got me thinking. I remembered that I have done a pair of 5505s site to site a while ago with both sites on static IPs and it worked. Unfortunately this is not the time to test two static IPs. (Covid-19) There must be something about the one-site dynamic IP setting that prevents the HQ from talking back.