03-17-2011 06:10 AM - edited 03-21-2019 03:48 AM
Hi there,
I am having a strange issue. I established a site-to-site IPSec VPN tunnel over GRE. One site has a UC540 installed and the other a UC560. The UC540 has extensions 72xx and the UC560 75xx. Now when I call from the UC540 to the UC560 (say 7220 to 7590) the call goes through and the phone on the other side rings, but when I call from the UC560 to the UC540 (say 7590 to 7220) the phones on the other side don't ring; instead I get a message on the 7590 extension "unknown number" and a disorder tone.
The funny thing is that from "debug voice ccapi" on the UC540, it looks like it gets hit while the call is initiated from the UC560 and all looks normal, so it looks like there is communication between the sites and the phone on the UC540 should be ringing, but it does not.
What could be causing this?
I have VoIP dial-peers in place and the session targets point to each other's inside local IP address, as configured under telephony-service.
Now, the most interesting thing!!! When I point the session targets in those dial-peers to the outside local addresses (which are public of course) the phones ring on the UC540! Wow! Of course I need to make a hole in the firewall and allow all the traffic between only those UCs, but I don't think it is a good solution.
Anybody had this issue before or has any idea how to resolve it?
Thanks in advance.
03-17-2011 07:27 AM
Do you have H.323 bound to the local interface? I've seen problems over VPN when H.323 is not bound to an IP address that is defined as VPN traffic. If doing a Multisite config in CCA, it will bind H.323 to a local interface.
Adam Compton
03-17-2011 01:55 PM
Hi Nathan. That's a good point. I don't usually use CCA, but in this case how do you bind H.323 to an interface? From within the CLI, would it be directly under the interface?
03-17-2011 03:05 PM
Hi Remi,
This is an example of what I did on one system via CLI, but I guess you would have to modify it to your needs.
interface BVI101
ip address 10.1.2.1 255.255.255.0
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.1.2.1
If you need anything else let us know
Cheers,
David.
03-20-2011 03:42 PM
Hi David,
Thanks for the commands. I did actually apply them to both UC540 and UC560 and when I point dial-peers to their internal addresses still no luck.
I am applying the static crypto maps to the Dialer1 and Tunnel1 interfaces on UC540 and Gigabit0/0 and Tunnel1 interfaces on UC560. I also use transform sets in transport mode since I am tunneling IPSec through GRE.
Do you have a working config with 2 UC500s talking to each other over VPN? If so could you share it please?
Thanks.
03-20-2011 04:48 PM
Hi Remi,
I might be missing some stuff as I am rushing this one in, sadly being Monday I have a little on my plate this morning:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key
!
!
crypto ipsec transform-set IPSECVPN esp-3des esp-sha-hmac
!
crypto map IPSECVPN 10 ipsec-isakmp
description Tunnel to XXX.XXX.XXX.XXX Head Office
set peer XXX.XXX.XXX.XXX
set transform-set IPSECVPN
match address 121 <----- This is important as it needs to match the correct ACL or Extended ACL
This is the Dialer Config that was used:
interface Dialer0
ip address negotiated
ip access-group 170 in
ip mtu 1452
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
password 0
crypto map IPSECVPN
Stuff in red might be of interest for you...
This is an outline of what the ACL looks like:
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 170 remark *** Start - Outside to Inside ACL***
access-list 170 permit udp host 192.231.203.132 eq ntp any
access-list 170 permit icmp any any
access-list 170 permit ip host XXX.XXX.XXX.XXX any <----- This is the other side's WAN IP address
access-list 170 permit tcp any any eq 22
access-list 170 permit esp any any
access-list 170 permit udp any any eq isakmp
access-list 170 permit udp any any eq non500-isakmp
access-list 170 permit tcp any any established
access-list 170 permit udp host 192.231.203.132 eq domain any
access-list 170 permit udp host 192.231.203.3 eq domain any
access-list 170 permit ip host XXX.XXX.XXX.XXX any <----- This is the other side's WAN IP address
access-list 170 deny ip any any log
dialer-list 1 protocol ip permit
Again, red is important and you will need to change the subnets according to what your network runs; this is only an example...
You may also need this:
ip nat inside source route-map NONAT interface Dialer0 overload
I point out that the configs should look identical at both sites minus the changes that need to be there for that particular site, so the ACLs may be a little different, but ultimately they should be close to each other...
Hope this helps you out.
Cheers,
David.
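A small checker, added here as an example and not part of anyone's post in this thread, for the two points raised above: Adam's note that H.323 must be bound to an address the crypto map treats as VPN traffic, and David's note that "match address 121" must reference the right ACL. It parses IOS-style numbered ACL lines (protocol ip, with any/host/wildcard address specs, first-match, implicit deny) and tests whether signaling sourced from a given "h323-gateway voip bind srcaddr" toward a dial-peer session target falls inside the crypto ACL. The ACL text, the bind address 10.10.10.1 and the WAN address 203.0.113.5 are constructed for this example; the function names are assumptions, not IOS commands.

```python
import ipaddress

# Constructed sample: the two crypto-ACL lines from David's post, plus a remark and
# one deliberate deny entry to exercise first-match ordering. Example subnets only.
SAMPLE_ACL = """
access-list 121 remark *** interesting traffic for crypto map IPSECVPN ***
access-list 121 deny   ip host 10.10.10.254 any
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.1.0.0 0.0.255.255
"""

def _addr_spec(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted subnet masks; invert back so the ipaddress
    # module sees an ordinary netmask (non-contiguous wildcards raise ValueError).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2

def parse_acl(text, number):
    """Return the ordered (action, src_net, dst_net) entries of one numbered ACL."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError("only protocol 'ip' entries are supported: " + line)
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        entries.append((t[2], src, dst))
    return entries

def acl_action(entries, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def signaling_is_encrypted(text, acl_number, bind_srcaddr, session_target):
    """True when H.323 signaling from the bound source address toward the
    dial-peer session target is selected by the crypto map's interesting-traffic ACL."""
    return acl_action(parse_acl(text, acl_number), bind_srcaddr, session_target) == "permit"
```

If the bind address is the WAN interface (or H.323 is not bound at all and the router picks the outgoing interface address), the check returns False, which is the unencrypted path the original poster was seeing work only after opening the firewall.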