03-31-2020 04:12 PM
Hi, needing help here,
I have set up a pair of 1841s site2site with static IP at HQ and dynamic IP remote. PC and a Cisco 8861 (with a PoE adapter) behind the 1841 all work fine.
Then I took an ASA5505 (want to use its PoE port), set up as remote dynamic IP. PC connecting to ASA works, phone stays at "Registering". I can ping the phone's IP from HQ, though.
Checked the ASA, option 150 is set, tftp inspection is set, NAT exempt is set (PC's totally working, all subnets, including pinging the CUCM at HQ). What else do I need to check?
Any help is greatly appreciated.
Thanks,
04-01-2020 01:16 PM
Hi,
Reset phone.
04-02-2020 01:17 PM
I did. Many times. Still stops at "Phone is registering".
So, today I reversed it. Set up a 5505 at HQ as Dynamic VPN server, an 1841 at remote site as VPN client. Again, PC works fine, all subnets reachable. Phone still registering.
Then, changed the remote to 5505, PC works, Phone registering.
So far the only combo that works for the phone is a pair of IOS routers. There must be some firewall functions in ASA that block specific VoIP traffic. Can anyone that ever got an IP phone to work behind an ASA share your experience and configuration?
Thanks.
04-02-2020 10:51 PM
Can you browse config of ASA?
04-03-2020 12:18 AM
Hi,
Can you temporarily disable SIP, Skinny and H323 inspection?
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
  no inspect skinny
  no inspect sip
Regards,
Cristian Matei.
04-03-2020 07:21 AM
Thanks for the response. I tried but still not working. I have also tried turning tftp inspection on and off. Makes no difference.
04-04-2020 06:09 AM
Hi,
1. Unplug the phone.
2. Configure and start a regular packet capture and an asp-drop packet capture on the interface facing the phone. Use this guide.
3. Issue on the ASA "clear asp-drop".
4. Plug the phone, let the captures run for a while.
5. Post the output of "show asp-drop" and both packet-captures.
Regards,
Cristian Matei.
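The capture procedure from the steps above, written out as ASA CLI commands. This is an added example, not part of the original post; the interface name "inside" and the capture names CAPIN and ASPDROP are assumptions, and the two addresses are the phone and CUCM addresses given elsewhere in this thread.

```cisco
! Run with the phone unplugged (step 1).

! Step 2: regular capture on the interface facing the phone,
! limited to traffic between the phone and CUCM (matches both directions).
capture CAPIN interface inside match ip host 10.0.202.108 host 10.0.102.11

! Step 2: second capture that records every packet the ASA drops,
! together with the drop reason.
capture ASPDROP type asp-drop all

! Step 3: zero the drop counters so only new drops are counted.
clear asp drop

! Step 4: plug the phone in and let it try to register for a few minutes.

! Step 5: collect the results.
show asp drop
show capture CAPIN
show capture ASPDROP | include 10.0.202.108

! Remove both captures when finished so they stop using buffer memory.
no capture CAPIN
no capture ASPDROP
```

Comparing CAPIN with ASPDROP shows whether packets from the phone reach the ASA and are then dropped, or never get a reply from the CUCM side at all.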
04-07-2020 02:07 PM - edited 04-07-2020 02:13 PM
show asp drop
Flow is denied by configured rule (acl-drop) 13
First TCP packet not SYN (tcp-not-syn) 83
TCP failed 3 way handshake (tcp-3whs-failed) 7
TCP RST/FIN out of order (tcp-rstfin-ooo) 5
Slowpath security checks failed (sp-security-failed) 24
Dropped pending packets in a closed socket (np-socket-closed) 10
Phone at remote site : 10.0.202.108
CUCM at HQ: 10.0.102.11
Thanks,
04-07-2020 02:08 PM - edited 04-07-2020 02:09 PM
04-08-2020 05:57 AM
Hi,
I see there is communication between the IP Phone and CUCM. What do the logs on CUCM say? Can you upgrade your ASA to the latest supported version of 9.1(7)?
Regards,
Cristian Matei.
04-08-2020 05:15 PM
Checked RTMT, nothing for the Phone when it was connecting via ASA.
The 5505 is on "Cisco Adaptive Security Appliance Software Version 9.1(7)32". I believe it is the latest.
It just got me thinking. I remembered that I have done a pair of 5505s site to site a while ago with both sites on static IPs and it worked. Unfortunately this is not the time to test two static IPs. (Covid-19) There must be something about the one-site dynamic IP setting that prevents the HQ from talking back.