VoIP over VPN tunnel not working - phone rings, but no voice!! - all other traffic is OK.

Posted on 2007-10-03
Medium Priority
Last Modified: 2011-10-20
We have an IPsec VPN tunnel established between 2 of our sites. One site is running a SonicWall TZ170 device and the other is running ISA 2004. The tunnel is up and running and all traffic is flowing OK - virtually no dropped packets, and we can essentially ping every device on either side of the tunnel. We have an IP phone system and want to utilize VoIP across the tunnel, and the problem we have is that the phones ring at either end but there is NO VOICE transmission, i.e. the phone rings, you pick up the line and it is dead.
Any insights/help would be truly appreciated.


Question by:soshe

Expert Comment

ID: 20012400
This is an unusual problem to have across a VPN. It is common when you are going through NAT.

I assume the protocol your VoIP system uses is SIP?

SIP uses port 5060 (typically) for the general communication and then the actual voice traffic is sent over the RTP (UDP based) protocol. There is no specific port number RTP uses as it is typically defined on the actual VoIP units themselves. It sounds like the SIP packets are going across ok but for some reason RTP is being blocked.

I would double check that you are not blocking any traffic over the VPN.

Expert Comment

ID: 20017117
A SIP server, such as a VoIP telephone system or PBX, can act as a bridge between SIP UA's (the phones) allowing the UA's to communicate with each other using the SIP protocol. However, during call setup, the UA's will normally try to establish a direct communication path for the RTP media stream - i.e. they would bypass the intermediate SIP server or phone system and talk directly to each other.

Maybe the problem isn't due to blocked IP traffic at the firewalls/routers, but that the phone at the remote site is sending an inappropriate IP address within the SDP in the SIP packets. This is used to establish the direct communication path between UA's for the RTP media stream. Another possibility is that the phones cannot reach each other directly because of the way your network routers are organised and the default gateways configured on the IP phones, but they can both reach the SIP server/PBX. Are all the phones on internal subnets?

As grblades says, it is much more usual to have a problem connecting through NAT than through VPN. Most IP phones therefore include configurable options to help them get around the NAT problems. This is just an idea, but I wonder if it could be that your IP phone is configured for a NAT environment when it shouldn't be. For example, check to see if the IP phone at the remote site is configured to use STUN - if it is, disable that option.
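The SDP check suggested in the comment above, as an added example that is not part of the original thread: it pulls the `c=` address and `m=` port out of a SIP message and reports whether the advertised media address is one the far site can route to through the tunnel. The sample INVITE is constructed, and the tunnel subnets and function names are assumptions for illustration.

```python
import ipaddress

# Constructed SIP INVITE for illustration (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:201@10.2.0.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.0.15:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.1.0.15\r\n"
    "s=call\r\n"
    "c=IN IP4 203.0.113.7\r\n"   # public address, e.g. learned via STUN
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Assumed subnets routed through the site-to-site tunnel (hypothetical).
TUNNEL_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/24")]


def media_endpoints(sip_message):
    """Return (media, address, port) for each m= line in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, current, found = None, None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1].split("/")[0]   # drop multicast TTL suffix
            if current is None:
                session_addr = addr                 # session-level default
            else:
                current[1] = addr                   # media-level override
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            current = [media, session_addr, int(port.split("/")[0])]
            found.append(current)
    return [tuple(e) for e in found]


def check_sdp(sip_message, nets=TUNNEL_NETS):
    """Flag media addresses the far site cannot reach through the tunnel."""
    results = []
    for media, addr, port in media_endpoints(sip_message):
        try:
            routed = any(ipaddress.ip_address(addr) in n for n in nets)
        except (ValueError, TypeError):             # hostname or missing c= line
            routed = False
        results.append({"media": media, "addr": addr,
                        "udp_port": port, "routed_over_vpn": routed})
    return results
```

A result with `routed_over_vpn` set to false means the phone is advertising an address outside the tunnel, so signalling succeeds while the RTP stream on `udp_port` has nowhere to go.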

Expert Comment

ID: 20031131
Hi there

It looks like the RTP is getting blocked by your firewall.

1: Restart the firewall.

2: Configure your firewall to accept RTP sessions; a good tool is http://www.microsoft.com/technet/sysinternals/utilities/tcpview.mspx .

Let me know if you still need help.



Author Comment

ID: 20052299
Thanks all for the replies. I will look into it and respond.

Expert Comment

by:Reid Palmeira
ID: 20053235
Just to add in a couple of extra thoughts.

As already noted, it appears whatever signalling you're using (assumption is SIP) is going through since the phones ring, but RTP is being blocked. RTP is essentially UDP traffic, so check your firewall and VPN settings to make sure you're allowing UDP traffic to flow. SIP by comparison is TCP based.

If you can ping hosts on both sides, it would appear that NAT is working in both directions, but just to verify, you can call from site A to site B or from site B to site A and in either case the phones will ring but no audio? Is that correct?

Author Comment

ID: 20059995
I am not very familiar with ISA, but I suspect it might be where the problem lies. The phones on either end can call anyone, but not site A to site B.
All devices on either end of the VPN can communicate. Essentially all traffic is allowed (incl. UDP packets). In fact I have a specific VoIP protocol defined - as UDP with port range of 1025-65000.
Has anyone implemented VoIP traffic thru ISA 2004?

Author Comment

ID: 20202876
Still need help with this one!! Any insight into getting ISA 2004 to pass SIP/RTP packets? Has anyone successfully set up VoIP traffic thru ISA?
Thank you all for your help.

Accepted Solution

soshe earned 0 total points
ID: 20226084
I found the solution after reading an obscure tech support article from the VoIP system manufacturer's site. It essentially recommended opening specific UDP ports and DISABLING the ISA H.323 built-in filter.
That did it!


Expert Comment

ID: 20226140
Glad it's working for you. I think most of us were on the assumption that you were using SIP and not H.323 though.

You can post in the community support section and request this question be closed and a refund given.

Expert Comment

ID: 20255349
Closed, 250 points refunded.
Community Support Moderator

Expert Comment

ID: 20735844
Hi Sam.

Would be interesting to know what VoIP manufacturer you're using, and the obscure article's URL.

I've noted a similar issue with an IP softphone user communicating from the internal LAN to the external IP of an NEC phone system thru ISA 2004.
