
MS Teams 1-1 call failing

IG777
Level 1

Hello community,

I believe I have run out of ideas for fixing this issue and I would like some of your help.

The issue is with MS Teams 1-to-1 calls. The call fails to establish from the VPN and the LAN clients. Here is the scenario:

  1. We use remote access VPN.
  2. There is no split tunneling.
  3. The call fails when calling from the VPN to anyone on the LAN side. We have a couple of seconds of audio passing and then the call is dropped.
  4. All traffic between VPN and LAN users is inspected.
  5. We have an identity NAT for traffic between the RA VPN and LAN users.
  6. We are allowing traffic to MS for UDP port range 3478 - 3481.
  7. All traffic between VPN and LAN users is allowed.
  8. This config is in an FTD running on v. 7.0.5.

This is how it goes:

VPN and LAN agents talk to MS and they get their reflective address. After organizing their transport address they decide to run the connectivity tests, and after this part I see them finally picking the P2P transport address - in other words, the flow goes from the VPN to the LAN IP address. After each agent gets a successful binding request for all their requests they start sending traffic over, but here is the thing: the VPN agent calls the LAN agent and I see the traffic on the inside, the LAN agent replies to this binding request BUT the agent in the VPN sees the response coming from the NAT IP address used for INET!! - This INET NAT:Port binding is mapped to the LAN agent's reflective address that was created when talking to the MS cloud.

The main point here is that VPN agent drops the call because the binding success response with MSG transaction ID X is coming from the NAT IP used for INET instead of the IP address the VPN agent called initially.

Our NAT rules are:

  1. LAN-2-VPN maps to LAN-2-VPN (static NAT-Before)
  2. VPN-2-VPN maps to VPN-2-VPN (static NAT-Before)
  3. LAN-2-Internet maps to OUTSIDE int (dynamic Auto-NAT)
  4. VPN-2-Internet maps to OUTSIDE int (dynamic Auto-NAT)

I hope I explained this clearly.

Any help is highly appreciated! 
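
An added diagnostic example, not part of the original post: the symptom described above can be confirmed in a capture by pairing each STUN binding request with its success response by transaction ID and flagging responses whose source differs from the address the request was sent to. It assumes the standard RFC 5389 header layout; the addresses, ports and packets are constructed for illustration.

```python
import struct
from collections import namedtuple

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
Packet = namedtuple("Packet", "src dst payload")   # src/dst are (ip, port)

def parse_stun(payload):
    """Return (message_type, transaction_id) or None if not a STUN message."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits of the type are zero; length counts attribute bytes only.
    if cookie != MAGIC_COOKIE or msg_type & 0xC000 or len(payload) != 20 + length:
        return None
    return msg_type, payload[8:20]

def find_mismatched_responses(packets):
    """List binding successes whose source is not the address the request went to."""
    pending, findings = {}, []
    for pkt in packets:
        parsed = parse_stun(pkt.payload)
        if parsed is None:
            continue
        msg_type, txid = parsed
        if msg_type == BINDING_REQUEST:
            pending[(pkt.src, txid)] = pkt.dst
        elif msg_type == BINDING_SUCCESS and (pkt.dst, txid) in pending:
            expected = pending.pop((pkt.dst, txid))
            if pkt.src != expected:
                findings.append({"txid": txid.hex(), "expected": expected, "seen": pkt.src})
    return findings

def stun(msg_type, txid):
    """Build a bare 20-byte STUN header (no attributes) for the sample capture."""
    return struct.pack("!HHI", msg_type, 0, MAGIC_COOKIE) + txid

# Constructed sample, as seen at the VPN client. All addresses are made up.
VPN, LAN, NAT = ("10.10.10.5", 50000), ("192.168.1.20", 50010), ("203.0.113.10", 61234)
TX_OK, TX_BAD = bytes(range(12)), bytes(range(12, 24))
SAMPLE = [
    Packet(VPN, LAN, stun(BINDING_REQUEST, TX_OK)),
    Packet(LAN, VPN, stun(BINDING_SUCCESS, TX_OK)),    # answer from the peer itself
    Packet(VPN, LAN, stun(BINDING_REQUEST, TX_BAD)),
    Packet(NAT, VPN, stun(BINDING_SUCCESS, TX_BAD)),   # answer from the translated address
    Packet(LAN, VPN, b"\x80\x00" + b"\x00" * 30),      # RTP-like payload, not STUN
]

if __name__ == "__main__":
    for f in find_mismatched_responses(SAMPLE):
        print(f)
```

Feeding it packets exported from captures on both the inside and the VPN side of the firewall shows on which leg the source address of the response changes.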

 
