  • Phone "No Service" at VPN site.

    I just set up a remote VPN site using a Cisco ASA5520 and an ASA5505. The VPN connection is working great. All IP traffic is able to flow between the remote site and the HQ.

    I cannot get the IP phone to come online though.

    They boot.
    Get an IP address.
    Receive option 66, and 156.
    Download the code from ftp.
    Request service for about 2-3 minutes then go "no service".

    I can see the phone listed in "Individual IP Phone" with the IP from the remote site. I have plenty of IP phone ports available on my switches.

    I can ping the phone from my server. I can ping the servers from my remote VPN site. I am not sure what else could be the problem.

    Response time is normally around 30-40ms; I have seen it jump to about 300ms.

    Not quite sure where to go from here.

    Thanks.

  • #2
    Do you have the remote IP range listed in the IP phone map for the site? Are the phones at the remote site connected to a switch at the remote site or are they talking to the switch at the HQ site?

    D.

    • #3
      The remote IP range is in the IP phone map, and they connect to a switch at the HQ. The remote site does not have any switches.

      • #4
        What ports do you have open on the tunnel? The DHCP and FTP are using "standard" ports, however, the phones use various UDP ports; are those open on the tunnel? I used to use ASAs a while back and I always had some sort of strange behavior.

        • #5
          Actually, one more possibility is that you are using NAT at one of your sites rather than routing the traffic. I have seen this before where an interface is NAT'ing the traffic and it won't work; you will get the symptom you are seeing.

          D.

          • #6
            I allow all IP TCP/UDP traffic over the VPN tunnel. I have tested other apps and they all work. The phone starts requesting service, and I can see the remote site IP assigned to the phone in the IP Phones list.

            I can ping the remote phone from the server, and the server from the remote site. I have checked what IP address is presented from the remote site, and it's not going through NAT.

            • #7
              Well I finally got it figured out. We had an ACL in the inbound interface on our firewall.

              It seems I did not have the hardware VPN to bypass the ACL so I could ping (I allow ICMP in the ACL), but other traffic to the remote site was being stopped. Sessions started from the remote site worked due to the firewall being stateful. Once I added a permit statement for all traffic destined to the remote site it seems to be working.

              • #8
                Those darn ACL/FW rules will get you every time. :-)

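The symptom pattern from post #7 (ping works, sessions started at the remote site work, everything else toward the remote site is dropped), reproduced in a toy stateful-firewall model. This is an added example, not code or configuration from anyone in the thread; the addresses, ports and the `StatefulFirewall` class are constructed for illustration, and it assumes traffic arriving from the tunnel is admitted and creates state.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
REMOTE_NET = ip_network("10.20.0.0/24")      # constructed remote-site subnet
SERVER, PHONE = "10.10.0.5", "10.20.0.50"    # constructed HQ server and remote phone

class StatefulFirewall:
    """Toy model: an ACL on the HQ-side interface plus a connection table."""

    def __init__(self, acl):
        self.acl = acl        # ordered (proto, dst_network) permits; implicit deny at the end
        self.conns = set()    # flows already admitted, used to pass their return traffic

    def from_remote(self, src, dst, proto, sport, dport):
        # Assumption: traffic arriving from the tunnel is admitted and creates state.
        self.conns.add((src, dst, proto, sport, dport))
        return True

    def from_hq(self, src, dst, proto, sport=0, dport=0):
        # Return traffic of an existing flow is passed without consulting the ACL.
        if (dst, src, proto, dport, sport) in self.conns:
            return True
        # A new flow must match a permit entry ("ip" matches any protocol).
        for rule_proto, rule_net in self.acl:
            if rule_proto in (proto, "ip") and ip_address(dst) in rule_net:
                self.conns.add((src, dst, proto, sport, dport))
                return True
        return False          # implicit deny

def symptoms(acl):
    """Run the three tests described in the thread against a given ACL."""
    fw = StatefulFirewall(acl)
    fw.from_remote(PHONE, SERVER, "tcp", 40000, 21)   # phone opens its FTP download
    return {
        "ping_to_phone": fw.from_hq(SERVER, PHONE, "icmp"),
        "reply_to_phone_session": fw.from_hq(SERVER, PHONE, "tcp", 21, 40000),
        "new_udp_flow_to_phone": fw.from_hq(SERVER, PHONE, "udp", 5000, 5000),
    }

BEFORE = [("icmp", ANY)]                  # ACL that only permits ICMP
AFTER = BEFORE + [("ip", REMOTE_NET)]     # added permit for all traffic to the remote site

if __name__ == "__main__":
    print("before:", symptoms(BEFORE))
    print("after: ", symptoms(AFTER))
```

A successful ping and a working download only prove the ICMP entry and the state table; testing a new, non-ICMP flow started from the HQ side is what exposes the missing permit.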