Re: problem in asa vpn between 2 branches

hunterman · ‎02-26-2019

Hello everyone, I have 2 branches connected by vpn with ASA cisco firewall "5506 x and 5526 x", setup with branches voip server Asterisk server,all configure as well working, The ip phone's calling in branch 1 as well and the audio working fine as local between ip phone's, The ip phone's calling in branch 2 as well and the audio working fine as local between ip phone's, when i calling between 2 branches with used vpn by asa, The extension can call between 2 branches from 2 way but the problem was in branch 1 can make hear audio from extension in branch 2 BUT branch 2 can't hear the branch 1 and the same time can talking (the extension can hear directly from extension in branch 2)? I search in google and found the problem in RTP in asa how can solve the problem? Any help

Abheesh Kumar · ‎02-26-2019

Hi,
One way Voice is normally a routing issue, Please check both the voice subnets are allowed on the interesting traffic of VPN.
If you allowed all these subnets then Try disabling SIP inspection and check.
policy-map global_policy
class inspection_default

no inspect sip

HTH
Abheesh

hunterman · ‎02-26-2019

Thank you for your replay

I'm checked in ASA and already we don't have SIP inspect "no SIP inspect", And checked the all subnets was corrected and the 2 branches was reachable, IF you know that the ping between the 2 branches it's working and http and other services it's worked but only the problem in voip,

Any advice and help

THANKS

Dennis Mink · ‎02-26-2019

So if you are saying you can route between phones by means of pinging between phones. Then as a test open up all high udp rtp ports between the two phones and test again. I would suggest to turn sip inspection on. Unless you have a good reason not to.

Please remember to rate useful posts, by clicking on the stars below.

hunterman · ‎02-27-2019

I'm checked in ASA and capture the photo below to see the problem and how can resolve that, You can see the photo after the replay comment.

hunterman · ‎02-27-2019

hunterman · ‎02-27-2019

hunterman · ‎02-27-2019

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse

flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to

NAT reverse path failure.

An attempt to connect to a mapped host using its actual address was rejected.

hunterman · ‎02-28-2019

Dear Dennis Mink,
After i checked more than times, I'm solved the problem with your method, The solving when i added SIP inspection and enabled it in ASA firewall the call between 2 branches was working fine from 2 way. and the audio was working between them,
Thank you for your helping me.
I will rate your answer

Dennis Mink · ‎02-28-2019

no problem, you can mark the comment as the solution. good to hear

Please remember to rate useful posts, by clicking on the stars below.

hunterman · ‎03-01-2019

The problem was back again and the sniffer inside of asa was the error message,
The message: Asymmetric NAT
" %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to
NAT reverse path failure."
Can you help me again