Beginner

phone behind 5505 site2site registering

Hi, needing help here,

 

I have set up a pair of 1841s site2site with static IP at HQ and dynamic IP remote.  PC and a Cisco 8861 (with a PoE adapter) behind the 1841 all work fine.

 

Then I took an ASA5505 (want to use its PoE port), set up as remote dynamic IP.  PC connecting to ASA works, phone stays at "Registering".  I can ping the phone's IP from HQ, though.

 

Checked the ASA, option 150 is set, tftp inspection is set, NAT exempt is set (PC's totally working, all subnets, including pinging the CUCM at HQ).  What else do I need to check?

 

Any help is greatly appreciated.

 

Thanks,

Beginner

Re: phone behind 5505 site2site registering

Hi,

Reset phone.

Beginner

Re: phone behind 5505 site2site registering

I did.  Many times.  Still stops at "Phone is registering".

 

So, today I reversed it.  Set up a 5505 at HQ as Dynamic VPN server, an 1841 at remote site as VPN client.  Again, PC works fine, all subnets reachable.  Phone still registering.

 

Then, changed the remote to 5505, PC works, Phone registering.

 

So far the only combo that works for the phone is a pair of IOS routers.  There must be some firewall functions in ASA that block specific VoIP traffic.  Can anyone that ever got an IP phone to work behind an ASA share your experience and configuration?

 

Thanks.

Beginner

Re: phone behind 5505 site2site registering

Can you browse config of ASA?

Collaborator

Re: phone behind 5505 site2site registering

Hi,

  

    Can you temporarily disable SIP, Skinny and H323 inspection?

 

policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
  no inspect skinny
  no inspect sip

 

Regards,

Cristian Matei.

Beginner

Re: phone behind 5505 site2site registering

Thanks for the response.  I tried but still not working.  I have also tried turning tftp inspection on and off.  Makes no difference.

Collaborator

Re: phone behind 5505 site2site registering

Hi,

 

    1. Unplug the phone.

    2. Configure and start a regular packet capture and an asp-drop packet capture on the interface facing the phone. Use this guide.

    3. Issue on the ASA "clear asp-drop".

    4. Plug the phone, let the captures run for a while.

    5. Post the output of "show asp-drop" and both packet-captures.

 

Regards,

Cristian Matei.

 

Beginner

Re: phone behind 5505 site2site registering

show asp drop

 

Flow is denied by configured rule (acl-drop) 13
First TCP packet not SYN (tcp-not-syn) 83
TCP failed 3 way handshake (tcp-3whs-failed) 7
TCP RST/FIN out of order (tcp-rstfin-ooo) 5
Slowpath security checks failed (sp-security-failed) 24
Dropped pending packets in a closed socket (np-socket-closed) 10

 

Phone at remote site : 10.0.202.108

CUCM at HQ: 10.0.102.11

 

Thanks,
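
The counters posted above, parsed and ranked so the dominant drop reason stands out. This is an added example, not part of the original thread; the GROUPS mapping is the example's own triage heuristic (an assumption), and SAMPLE is the output exactly as posted.

```python
import re
from collections import defaultdict

# Counter lines copied from the "show asp drop" output posted in this thread.
SAMPLE = """\
Flow is denied by configured rule (acl-drop) 13
First TCP packet not SYN (tcp-not-syn) 83
TCP failed 3 way handshake (tcp-3whs-failed) 7
TCP RST/FIN out of order (tcp-rstfin-ooo) 5
Slowpath security checks failed (sp-security-failed) 24
Dropped pending packets in a closed socket (np-socket-closed) 10
"""

# Assumption: this grouping is the example's own heuristic, not a Cisco taxonomy.
GROUPS = {
    "acl-drop": "policy",
    "tcp-not-syn": "tcp-state",
    "tcp-3whs-failed": "tcp-state",
    "tcp-rstfin-ooo": "tcp-state",
}

# "<description> (<reason-id>) <count>"; headers and blank lines do not match.
LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {reason: count} for every counter line in the output."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counters[m["reason"]] = int(m["count"])
    return counters

def delta(before, after):
    """Drops added between two snapshots (counters accumulate until cleared)."""
    return {r: c - before.get(r, 0) for r, c in after.items() if c > before.get(r, 0)}

def summarize(counters):
    """Return (total per group, reasons sorted by count, highest first)."""
    groups = defaultdict(int)
    for reason, count in counters.items():
        groups[GROUPS.get(reason, "other")] += count
    ranked = sorted(counters.items(), key=lambda kv: kv[1], reverse=True)
    return dict(groups), ranked

if __name__ == "__main__":
    groups, ranked = summarize(parse_asp_drop(SAMPLE))
    for reason, count in ranked:
        print(f"{count:6d}  {reason:20s} {GROUPS.get(reason, 'other')}")
    print(groups)
```

These counters are device-wide, so the ranking only shows where to look; the asp-drop capture requested earlier in the thread is what ties a drop reason to the phone (10.0.202.108) or the CUCM (10.0.102.11).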

 

 

Beginner

Re: phone behind 5505 site2site registering

 
Collaborator

Re: phone behind 5505 site2site registering

Hi,

 

   I see there is communication between the IP Phone and CUCM. What do the logs on CUCM say? Can you upgrade your ASA to the latest supported version of 9.1(7)?

 

Regards,

Cristian Matei.

 

Beginner

Re: phone behind 5505 site2site registering

Checked RTMT, nothing for the Phone when it was connecting via ASA.  

The 5505 is on "Cisco Adaptive Security Appliance Software Version 9.1(7)32".  I believe it is the latest.

 

It just got me thinking.  I remembered that I have done a pair of 5505s site to site a while ago with both sites on static IPs and it worked.  Unfortunately this is not the time to test two static IPs. (Covid-19)  There must be something about the one-site dynamic IP setting that prevents the HQ from talking back.