01-24-2013 09:32 AM
I have 2 Cisco 1941 routers with a standard IPSec tunnel between them. Data works fine, but VoIP is encountering a one-way audio issue where the remote site calling cannot be heard but they can hear me. This seems to match what I'm seeing in encaps and decaps. The question I'm having is why would the remote site be encapsulating all packets but the office router isn't decaping these audio packets. I isolated one phone specifically so that's why the SA is for only 1 host.
Thanks!
OFFICE ROUTER
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.90.91.6/255.255.255.255/0/0)
current_peer REMOTE_IP port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4104, #pkts encrypt: 4104, #pkts digest: 4104
#pkts decaps: 375, #pkts decrypt: 375, #pkts verify: 375
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.0.227, remote crypto endpt.: REMOTE_IP
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x69C77389(1774678921)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xEA4A3FF9(3930734585)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2095, flow_id: Onboard VPN:95, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4409444/1207)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
REMOTE ROUTER
protected vrf: (none)
local ident (addr/mask/prot/port): (10.90.91.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer IP_OFFICE port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4055, #pkts encrypt: 4055, #pkts digest: 4055
#pkts decaps: 4099, #pkts decrypt: 4099, #pkts verify: 4099
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: IP_REMOTE, remote crypto endpt.: IP_OFFICE
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xEA4A3FF9(3930734585)
PFS (Y/N): N, DH group: none
01-24-2013 11:20 AM
Hi Ben,
1. Please run Embedded packet capture on both sides on outside interface - and then compare number of ESP packets - to make sure office router actually receives that traffic - and that it has correct SPI in header (corresponding to that tunnel).
2. Do you use any NAT rules for that RTP stream?
3. Do you use CBAC or ZBF with sip inspection? (did you try to disable it?)
---
Michal
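Added example, not part of either poster's message: a small Python check that does the counter and SPI comparison on pasted `show crypto ipsec sa` text before moving on to packet captures. The sample strings are constructed from the counters and SPIs in the two outputs above; the function names and the 5% tolerance (the counters were read at slightly different moments) are assumptions.

```python
import re

# Constructed sample: counters and SPIs copied from the two outputs in the thread.
OFFICE = """\
#pkts encaps: 4104, #pkts encrypt: 4104, #pkts digest: 4104
#pkts decaps: 375, #pkts decrypt: 375, #pkts verify: 375
current outbound spi: 0x69C77389(1774678921)
inbound esp sas:
spi: 0xEA4A3FF9(3930734585)
"""
REMOTE = """\
#pkts encaps: 4055, #pkts encrypt: 4055, #pkts digest: 4055
#pkts decaps: 4099, #pkts decrypt: 4099, #pkts verify: 4099
current outbound spi: 0xEA4A3FF9(3930734585)
"""

def parse_sa(text):
    """Extract packet counters and SPIs; a field missing from the paste is None."""
    def num(pattern, base=10):
        m = re.search(pattern, text, re.I)
        return int(m.group(1), base) if m else None
    return {
        "encaps": num(r"#pkts encaps:\s*(\d+)"),
        "decaps": num(r"#pkts decaps:\s*(\d+)"),
        "out_spi": num(r"current outbound spi:\s*0x([0-9a-f]+)", 16),
        "in_spi": num(r"inbound esp sas:\s*spi:\s*0x([0-9a-f]+)", 16),
    }

def direction(sender, receiver, tolerance=0.05):
    """Compare what one peer encapsulated with what the other decapsulated."""
    missing = sender["encaps"] - receiver["decaps"]
    # The sender's outbound SPI must equal the receiver's inbound SPI.
    # None means the receiver's inbound SA was not in the pasted output.
    spi_match = None
    if sender["out_spi"] is not None and receiver["in_spi"] is not None:
        spi_match = sender["out_spi"] == receiver["in_spi"]
    suspect = missing > tolerance * max(sender["encaps"], 1)
    return {"missing": missing, "spi_match": spi_match, "suspect": suspect}

if __name__ == "__main__":
    office, remote = parse_sa(OFFICE), parse_sa(REMOTE)
    print("remote -> office:", direction(remote, office))
    print("office -> remote:", direction(office, remote))
```

A direction flagged `suspect` with `spi_match` true means both peers agree on the SA, so the next step is the outside-interface capture to see whether the ESP packets reach the receiving router at all.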
01-24-2013 01:51 PM
Thanks Michal.
1) I have taken these buffer captures. The capture associated with "outside" is short when compared with the number of packets from the "inside" capture in the amount that is most likely associated with the call we placed.
2) No NAT at all.
3) No CBAC or ZBF, unless some default that I'm not aware of. Not sure off hand how to disable those.
I did get this case through to TAC but after 3 hours we are left at comparing the capture buffers.