
SIP through AnyConnect VPN problem

nesko3000
Level 1

Dear all,

I have a problem with SIP phones which are registered with their public IP on CUCM instead of the private address assigned to the AnyConnect client. (AnyConnect client for Android v4.9, ASA with FirePOWER module v9.8(4))

 

Now, SIP clients are successfully registered on CUCM but there is a problem with audio from internal clients to AnyConnect SIP clients. Audio from AnyConnect SIP clients to internal SIP clients is working and it has been sent through the VPN tunnel.

 

After checking the ASA, I can see that outgoing RTP packets are sent to the public IP address of the client. When I check CUCM, I can see that the phone is registered with the public IP of the client.

I have turned off SIP inspection within Service Policy Rules on the ASA but I get the same result.

 

The only thing which helps is when I set Split Tunneling settings to Tunnel All Networks on the ASA for AnyConnect instead of Tunnel Network List Below.

This way, SIP AnyConnect clients are registered with the correct IP address (assigned to the VPN client by the ASA) and not the public one.

 

How can I check whether the ASA rewrites the source IP address in the SIP REGISTER message, or could there be some other reason for this behavior?

Thanks!

2 Replies

Hi,

Clearly you have a problem with split tunneling. You need to fix your split tunneling ACL to tunnel the traffic from AnyConnect pool to AnyConnect pool, AnyConnect pool to CUCM server, and AnyConnect pool to internal clients.

**** please remember to rate useful posts

After some testing, a problem was detected with the SIP client application. If split tunnel is set to Tunnel All Networks, the SIP application registers with the correct IP address. I believe this is because in this case AnyConnect is set as the default gateway on the client device. If split tunnel is set correctly to tunnel the needed subnets, the SIP application sends the SIP REGISTER message with the wrong public IP address.

Other SIP applications do not have this problem.

I only wonder if there is a way to rewrite the SIP source IP address on the ASA in the REGISTER message with the IP address which is assigned to the client VPN connection. I like this SIP application very much and it works great except in this example.
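
Added example, not part of the thread or any poster's code: one way to see which address a client itself put into a REGISTER is to take a captured message and compare the Via sent-by and Contact hosts against the AnyConnect address pool. The sample message, the pool `10.10.50.0/24`, and the names `header_hosts` and `check_register` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample REGISTER; every address and name here is a placeholder.
SAMPLE_REGISTER = (
    "REGISTER sip:cucm.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 203.0.113.25:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@cucm.example.internal>;tag=a73kszlfl\r\n"
    "To: <sip:1001@cucm.example.internal>\r\n"
    "Call-ID: 1j9FpLxk3uxtm8tn@203.0.113.25\r\n"
    "CSeq: 1 REGISTER\r\n"
    "m: <sip:1001@203.0.113.25:5060;transport=tcp>\r\n"
    "Content-Length: 0\r\n\r\n"
)

COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header names
VIA_RE = re.compile(r"\s*SIP/2\.0/\w+\s+(\[[^\]]+\]|[^;:,\s]+)")
CONTACT_RE = re.compile(r"sips?:(?:[^@>\s]*@)?(\[[^\]]+\]|[^;:>\s]+)")


def header_hosts(message):
    """Yield (header, host) for the first entry of each Via/Contact header."""
    head = re.sub(r"\r?\n[ \t]+", " ", message.split("\r\n\r\n", 1)[0])  # unfold
    for line in head.splitlines()[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        pattern = {"via": VIA_RE, "contact": CONTACT_RE}.get(name)
        match = pattern.search(value) if pattern else None
        if match:
            yield name, match.group(1).strip("[]")


def check_register(message, vpn_pool):
    """Classify each advertised host as 'vpn', 'outside' or 'hostname'."""
    pool = ipaddress.ip_network(vpn_pool)
    results = []
    for header, host in header_hosts(message):
        try:
            status = "vpn" if ipaddress.ip_address(host) in pool else "outside"
        except ValueError:
            status = "hostname"  # not an IP literal; resolve it separately
        results.append((header, host, status))
    return results


if __name__ == "__main__":
    for header, host, status in check_register(SAMPLE_REGISTER, "10.10.50.0/24"):
        print(f"{header:8} {host:16} {status}")
```

An `outside` result for Contact on a message whose IP source is a pool address means the application chose that address itself, which matches the behaviour described in the last post.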
