Cisco IP phone via vpn to Cisco ASA

SoftSign
SoftSign used Ask the Experts™
on
Hi All,

I have two offices with a PIX 515 at one end and a PIX 506E at the other. On the site with the 506E we also have call manager express running with 6+ IP phones connected. On the site with the 515 there is one Cisco 7940 IP phone which connects to the Call manager via a VPN tunnel between the 515 and 506E and this is all working fine.
I'm currently trying to change the 506E for a Cisco ASA 5510. I have everything working fine. VPN comes up ok and traffic flows between PCs and servers without any problems or disconnects. The problem is the IP phone, It can't maintain a stable connection to the Call manager. It will sit happly for 10 mins you can make calls ok and then it will lose connection to the CM and eventually reboot. Other times it will be ok for 40 mins before it starts playing up.
If I revert back to the PIX 506E everything work fine again, it just happens when the ASA is involved.

Any ideas or settings I could make to resolve this?

Thanks.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Technical Consultant
Commented:
What fixups are listed on the 506E config?

Author

Commented:
On the 506E:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

And the ASA thats replacing it:

  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
Les MooreSr. Systems Engineer
Top Expert 2008
Commented:
What version OS on the ASA5510?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Commented:
Are you sure Voice is prioritized over your data traffic on your Pix and ASA?

Here is an excellent article on how to configure QoS on those devices: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

Author

Commented:
Irmoore: The ASA5510 is running version 7.2(2)
And the 515E at the other end is on version 6.3(4)

AdamComp: Thanks for the link, I have setup prioritization on the ASA but not the PIX! as the software version is to old. But I'm not that worried about the PIX end as there are only 2 pcs and the phone attached. For testing I usually disconnect the 2 PCs and only have the phone connected.
This hasn't made any difference to the problem.

I started debugging the skinny inspection and found that if I remove the skinny inspection on the ASA the phone started working fine! I also tried removing the skinny inspection at the pix end but this didn't make any difference the phone still lost connection.
So basically I can get the phone to work if leave skinny inspection on PIX and remove it from the ASA.
debug output:-

Debug skinny from the ASA

SKINNY:: Non-proxy forward 28 bytes
SKINNY:: 12:47:15 AM received packet from inside:172.16.59.5/2000 to outside:172.17.1.100/50642
SKINNY:: StationClearPriNotifyMessageID, 16 bytes
SKINNY:: Non-proxy forward 16 bytes
SKINNY:: 12:47:15 AM received packet from inside:172.16.59.5/2000 to outside:172.17.1.100/50642
SKINNY:: StationClearPriNotifyMessageID, 16 bytes
SKINNY:: Non-proxy forward 16 bytes
SKINNY:: 12:47:15 AM received packet from inside:172.16.59.5/2000 to outside:172.17.1.100/50642
SKINNY:: StationClearNotifyMessageID, 12 bytes
SKINNY:: Non-proxy forward 12 bytes
SKINNY:: 12:47:15 AM received packet from inside:172.16.59.5/2000 to outside:172.17.1.100/50642
SKINNY:: StationDisplayPromptStatusMessageID, 56 bytes
SKINNY:: Non-proxy forward 56 bytes
SKINNY:: 12:47:15 AM received packet from inside:172.16.59.5/2000 to outside:172.17.1.100/50642
SKINNY:: StationClearPriNotifyMessageID, 16 bytes
SKINNY:: Non-proxy forward 16 bytes
SKINNY:: 12:47:15 AM received packet from inside:172.16.59.5/2000 to outside:172.17.1.100/50642
SKINNY:: StationClearPriNotifyMessageID, 16 bytes
SKINNY:: Non-proxy forward 16 bytes

Debug skinny from the PIX

746: SKINNY:: 11:43:35 PM received packet from outside:172.16.59.5/2000 to inside:172.17.1.100/50470
747: SKINNY:: StationCallStateMessageID
748: SKINNY:: 11:43:35 PM received packet from outside:172.16.59.5/2000 to inside:172.17.1.100/50470
749: SKINNY:: StationClearPromptStatusMessageID
750: SKINNY:: 11:43:35 PM received packet from outside:172.16.59.5/2000 to inside:172.17.1.100/50470
751: SKINNY:: StationSelectSoftKeysMessageID
752: SKINNY:: 11:43:35 PM received packet from outside:172.16.59.5/2000 to inside:172.17.1.100/50470
753: SKINNY:: StationDisplayPromptStatusMessageID
754: SKINNY:: 11:43:35 PM received packet from outside:172.16.59.5/2000 to inside:172.17.1.100/50470
755: SKINNY:: StationStartToneMessageID
756: SKINNY:: 11:43:36 PM received packet from outside:172.16.59.5/2000 to inside:172.17.1.100/50470
757: SKINNY:: StationClearPromptStatusMessageID


Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
Seems like several of the inspects cause issues with 7.x
You might try 7.2.2.18 if you have CCO access to download.
Also suggest updating the PIX end to 6.3(5)


Author

Commented:
Sorry for the delay, Got called away on business.
I've tried upgrading software versions at both ends and also tried different firmware on the phones. But the only way to get a stable connection for the IP phone is to remove the inspect skinny on the ASA. I'm going leave the inspect out in the mean time and try it each time there is a new software release.

Thanks for your help :-)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial