UC500 s2s VPN - one way calling strange issue

remi-reszka
Level 1

Hi there,

I am having a strange issue. I established a site-2-site IPSec VPN tunnel over GRE. One site has a UC540 installed and the other a UC560. The UC540 has extensions 72xx and the UC560 75xx. Now when I call from the UC540 to the UC560 (say 7220 to 7590) the call flows through and the phone on the other side rings, but when I call from the UC560 to the UC540 (say 7590 to 7220) the phones on the other side don't ring; instead I get a message on the 7590 extension "unknown number" and a disorder tone.

The funny thing is that in debugs ("debug voice ccapi") on the UC540, it looks like it gets hit while the call is initiated from the UC560 and all looks normal, so it looks like there is communication between the sites and the phone on the UC540 should be ringing, but it is not.

What could be causing this?

I have voip dial-peers in place and the session targets point to each other's inside local address configured under telephony-service.

Now, the most interesting thing!!! When I point the session targets in those dial-peers to the outside local addresses (which are public of course) the phones ring on the UC540! Wow! Of course I need to make a hole in the firewall and allow all the traffic between only those UCs, but I don't think it is a good solution.

Anybody had this issue before or has any idea how to resolve it?

Thanks in advance.

5 Replies

Nathan Compton
Level 4

Do you have H.323 bound to the local interface? I've seen problems over VPN when H.323 is not bound to an IP address that is defined as VPN traffic. If doing a Multisite config in CCA, it will bind H.323 to a local interface.

Adam Compton

Hi Nathan. That's a good point. I don't usually use CCA, but in this case how do you bind H.323 to an interface? From within the CLI would it be directly under the interface?

Hi Remi,

This is an example of what I did on one system via CLI, but you would have to modify it, I guess, to your needs.

interface BVI101
 ip address 10.1.2.1 255.255.255.0
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.1.2.1

If you need anything else let us know

Cheers,

David.

Cheers, David Trad. **When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :) *

Hi David,

Thanks for the commands. I did actually apply them to both the UC540 and the UC560, and when I point the dial-peers to their internal addresses there is still no luck.

I am applying the static crypto maps to the Dialer1 and Tunnel1 interfaces on the UC540 and to the Gigabit0/0 and Tunnel1 interfaces on the UC560. I also use transform sets in transport mode since I am tunneling IPSec through GRE.

Do you have a working config with 2 UC500s talking to each other over VPN? If so could you share it please?

Thanks.

Hi Remi,

I might be missing some stuff as I am rushing this one in; sadly, being Monday, I have a little on my plate this morning:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set IPSECVPN esp-3des esp-sha-hmac
!
crypto map IPSECVPN 10 ipsec-isakmp
 description Tunnel to XXX.XXX.XXX.XXX Head Office
 set peer XXX.XXX.XXX.XXX
 set transform-set IPSECVPN
 match address 121 <----- This is important as it needs to match the correct ACL or Extended ACL

This is the Dialer config that was used:

interface Dialer0
 ip address negotiated
 ip access-group 170 in
 ip mtu 1452
 ip inspect Firewall out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname
 ppp chap password 0
 ppp pap sent-username password 0
 crypto map IPSECVPN

Stuff in red might be of interest for you...

This is an outline of what the ACL looks like:

access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 170 remark *** Start - Outside to Inside ACL***
access-list 170 permit udp host 192.231.203.132 eq ntp any
access-list 170 permit icmp any any
access-list 170 permit ip host XXX.XXX.XXX.XXX any <----- This is the other side's WAN IP address
access-list 170 permit tcp any any eq 22
access-list 170 permit esp any any
access-list 170 permit udp any any eq isakmp
access-list 170 permit udp any any eq non500-isakmp
access-list 170 permit tcp any any established
access-list 170 permit udp host 192.231.203.132 eq domain any
access-list 170 permit udp host 192.231.203.3 eq domain any
access-list 170 permit ip host XXX.XXX.XXX.XXX any <----- This is the other side's WAN IP address
access-list 170 deny   ip any any log
dialer-list 1 protocol ip permit

Again, red is important, and you will need to change the subnets according to what your network runs; this is only an example...

You may also need this:

ip nat inside source route-map NONAT interface Dialer0 overload

I point out that the configs should look identical at both sites minus the changes that need to be there for that particular site, so the ACLs may be a little different, but ultimately they should be close to each other...

Hope this helps you out.

Cheers,

David.
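The two replies above come down to one question: is the address the UC500 sources H.323 signalling from actually covered by the crypto map's "match address" ACL? The script below (an added example, not code from the thread or from Cisco) evaluates a numbered extended ACL with IOS wildcard-mask semantics against a source/destination pair, using ACL 121 from David's post; the test addresses are constructed, and only "ip" protocol entries are evaluated, which is what a crypto ACL normally contains.

```python
"""Evaluate a Cisco IOS numbered extended ACL (as used by
'crypto map ... match address') against a src/dst pair to see whether
a flow is classed as VPN traffic.  Added example; only 'ip' protocol
entries are parsed, which is sufficient for a crypto ACL.  The test
addresses used with it are constructed, not taken from the thread."""
import ipaddress

# Crypto ACL 121 as posted in the thread.
ACL_121 = """
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 10.1.0.0 0.0.255.255
"""

def _addr_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD')
    from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    wild = int(ipaddress.IPv4Address(tokens[1]))
    mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
    net = ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False)
    return net, tokens[2:]

def parse_acl(text, number):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of one ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        if tok[2] not in ("permit", "deny") or tok[3] != "ip":
            continue  # remarks and port-based entries are out of scope here
        src, rest = _addr_spec(tok[4:])
        dst, _ = _addr_spec(rest)
        entries.append((tok[2], src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False
```

If the H.323 source address you see in "debug voice ccapi" (or in the peer's firewall log) does not get a permit from this check, the signalling is leaving in the clear via the default route rather than through the tunnel, which matches the symptom of calls only working when the dial-peer points at the public address.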