12-03-2013 07:39 AM - edited 03-11-2019 08:12 PM
Hi All,
We have an IP network setup with 3 locations: Branch-A, Branch-B, Branch-C (Branch-A 5510 Version 8.4(2), Branch-B ASA5510 Version 7.0(8), Branch-C 5505 Version 8.4(4)1).
All the tunnels are up between the 3 locations and all the traffic is passing through the tunnels, including voice.
We are now facing an issue: all traffic is passing through the tunnel except voice between Branch-A and Branch-C.
Attached is the running configuration and network diagram of all the locations.
Please help me out on this issue, and thanks a lot in advance for your support.
12-03-2013 08:42 AM
Hi,
There are multiple networks both on Site A and Site C. Can you tell us between which networks the traffic is not working?
- Jouni
12-03-2013 11:09 PM
Thanks for your reply.
Branch-A: object groups: object-group network BDOQATAR_Network & object-group network BDOBAHRAIN_Network
Branch-C: object groups: object-group network BDOQATAR_Network & object-group network BDOBAHRAIN_Network
Under these object groups, network-object 192.168.42.0 255.255.255.0 is the voice VLAN of Branch-C and network-object 192.168.0.0 255.255.255.0 is the voice VLAN of Branch-A. The issue is that no network can communicate with the Branch-C voice VLAN. Everything else is working fine; they can communicate with each other.
Thanks in advance for your support.
12-04-2013 04:27 AM
Hi,
You could try the basic "packet-tracer" test at both sites to confirm that the correct ASA configurations are hit.
Branch A
packet-tracer input inside tcp 192.168.0.100 12345 192.168.42.100 80
Branch C
packet-tracer input inside tcp 192.168.42.100 12345 192.168.0.100 80
The ports and IP addresses I chose randomly.
Please take the command on each unit twice and post the output of the second time you apply the command so we can see that the test matches the correct ASA configurations.
- Jouni
12-08-2013 05:29 AM
Hi,
Thanks for your reply. We solved almost all the issues. Now the problem is that 192.168.1.0/24 cannot communicate with 192.168.42.100, but I can reach the 192.168.1.0/24 range from 192.168.42.100. Please find the packet-tracer information below.
BRANCH-A ( Bahrain)
BDO-BH-FW# packet-tracer input INSIDE tcp 192.168.1.196 80 192.168.42.100 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FR_INSIDE in interface INSIDE
access-list FR_INSIDE extended permit ip object-group OBG-DIRECT-NET any log
object-group network OBG-DIRECT-NET
network-object 192.168.5.49 255.255.255.255
network-object 192.168.5.50 255.255.255.255
network-object 192.168.5.20 255.255.255.255
network-object 192.168.5.10 255.255.255.255
network-object 192.168.5.21 255.255.255.255
network-object 192.168.5.22 255.255.255.255
network-object 192.168.5.23 255.255.255.255
network-object 192.168.5.24 255.255.255.255
network-object 192.168.5.25 255.255.255.255
network-object 192.168.5.26 255.255.255.255
network-object 192.168.22.40 255.255.255.255
network-object 192.168.22.41 255.255.255.255
network-object 192.168.22.42 255.255.255.255
network-object 192.168.50.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.5.149 255.255.255.255
network-object 192.168.0.0 255.255.255.0
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static BDOBAHRAIN_Network BDOBAHRAIN_Network destination static BDOQATAR_Network BDOQATAR_Network
Additional Information:
Static translate 192.168.1.196/80 to 192.168.1.196/80
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
BDO-BH-FW#
____________________________________________________________________________________________________________________________________________________________
BRANCH-C(QATAR)
BDOQATARFW# packet-tracer input inside tcp 192.168.40.100 80 192.168.0.2 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BDOQATAR_Network BDOQATAR_Network destination static BDOBAHRAIN_Network BDOBAHRAIN_Network
Additional Information:
Static translate 192.168.40.100/80 to 192.168.40.100/80
Phase: 4
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2101933, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
BDOQATARFW#
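For comparing traces like the two posted above, the following added example (not part of any post in this thread) parses ASA packet-tracer output, reports the first phase that dropped the packet, and checks whether a second trace tests the exact return direction of the first. The sample text is constructed by abbreviating the Branch-A output above; the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the Branch-A trace format shown above.
SAMPLE_A = """\
BDO-BH-FW# packet-tracer input INSIDE tcp 192.168.1.196 80 192.168.42.100 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# Command line of the Branch-C trace, copied from the thread.
SAMPLE_C_CMD = "BDOQATARFW# packet-tracer input inside tcp 192.168.40.100 80 192.168.0.2 80"

CMD_RE = re.compile(r"packet-tracer input (\S+) (\S+) (\S+) (\d+) (\S+) (\d+)")

def parse_trace(text):
    """Return the tested flow, the per-phase results and the final verdict."""
    m = CMD_RE.search(text)
    trace = {"flow": m.groups() if m else None, "phases": [],
             "action": None, "drop_reason": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Phase":
            trace["phases"].append({"phase": int(value)})
        elif key in ("Type", "Subtype", "Result") and trace["phases"] and value:
            # Empty values (e.g. the summary "Result:" header) are skipped.
            trace["phases"][-1].setdefault(key.lower(), value)
        elif key == "Action":
            trace["action"] = value
        elif key == "Drop-reason":
            trace["drop_reason"] = value
    return trace

def first_drop(trace):
    """First phase whose Result is DROP, or None if no phase dropped."""
    return next((p for p in trace["phases"] if p.get("result") == "DROP"), None)

def is_mirror(flow_a, flow_b):
    """True when flow_b is the return direction of flow_a (interface ignored)."""
    proto, src, sport, dst, dport = flow_a[1:]
    return flow_b[1:] == (proto, dst, dport, src, sport)
```

Run against the two commands in the thread, `is_mirror` returns False: the Branch-C trace tests 192.168.40.100 to 192.168.0.2, which is not the reverse of the Branch-A flow from 192.168.1.196 to 192.168.42.100.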