cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1422
Views
0
Helpful
10
Replies

phone behind 5505 site2site registering

TCADM
Level 1
Level 1

Hi, needing help here,

 

I have setup a pair of 1841s site2site with static IP at HQ and dynamic IP remote.  PC and a Cisco 8861(with a PoE adapter) behind the 1841 all work fine.

 

Then I took an ASA5505 (want to use its PoE port), setup as remote dynamic IP.  PC connecting to ASA works, phone stays at "Registering".  I can ping the phone's IP from HQ, though.

 

Checked the ASA, option 150 is set, tftp inspection is set, NAT exempt is set (PC's totally working, all subnets, including pinging the CUCM at HQ).  What else do I need to check?

 

Any help is greatly appreciated.

 

Thanks,

10 Replies 10

parviz
Level 1
Level 1

Hi,

Reset phone.

I did.  Many times.  Still stops at "Phone is registering".

 

So, today I reversed it.  Setup an 5505 at HQ as Dynamic VPN server, an 1841 at remote site as VPN client.  Again, PC works fine, all subnets reachable.  Phone still registering.

 

Then, change the remote to 5505, PC works, Phone registering.

 

So far the only combo works for the phone is a pair of IOS routers.  There must be some firewall functions in ASA that blocks  specific VoIP traffic.  Can anyone that ever got an IP phone work behind an ASA share your experience and configuration?

 

Thanks.

can you browse config of asa?

Hi,

  

    Can you temporarily disable SIP, Skinny and H323 inspection?

 

policy-map global_policy

 class inspection_default

  no inspect h323 h225

  no inspect h323 ras

  no inspect skinny

  no inspect sip

 

Regards,

Cristian Matei.

Thanks for the response.  I tried but still not working.  I have also tried turning tftp inspection on and off.  makes no difference.

Hi,

 

    1. Unplug the phone.

    2. Configure and start a regular packet capture and an asp-drop packet capture on the interface facing the phone. Use this guide.

    3. Issue on the ASA "clear asp-drop".

    4. Plug the phone, let the captures run for a while.

    5. Post the output of "show asp-drop" and both packet-captures.

 

Regards,

Cristian Matei.

 

show asp drop

 

Flow is denied by configured rule (acl-drop) 13
First TCP packet not SYN (tcp-not-syn) 83
TCP failed 3 way handshake (tcp-3whs-failed) 7
TCP RST/FIN out of order (tcp-rstfin-ooo) 5
Slowpath security checks failed (sp-security-failed) 24
Dropped pending packets in a closed socket (np-socket-closed) 10

 

Phone at remote site : 10.0.202.108

CUCM at HQ: 10.0.102.11

 

Thanks,

 

 

 

Hi,

 

   I see there is communication between the IP Phone and CUCM. What do the logs on CUCM say? Can you upgrade your ASA to the latest supported version of 9.1(7)?

 

Regards,

Cristian Matei.

 

Checked RTMT, nothing for the Phone when it was connecting via ASA.  

The 5505 is on "Cisco Adaptive Security Appliance Software Version 9.1(7)32".  I believe is the latest.

 

It just got me thinking.  I remembered that I have done a pair 5505 site to site a while ago with both sites on static IPs and it worked.  Unfortunately this is not the time to test two static IPs. (Covid-19)  There must be something about one site dynamic IP setting that prevent the HQ to talk back.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: