Solved

Problem with VoIP after upgrading to PIX OS 7.21

Posted on 2007-11-15
Last Modified: 2010-04-12
Hi Guys,

I've a customer with 4 sites in the UK.  All sites are using PIX 515e for firewall and VPN router, and all were on 6.3.5.

Sites 1, 2 and 3 had VoIP phones. Site 1 hosted the IP phone switch (Cisco CCM) and Sites 2 and 3 were remote.

We upgraded Site 4 to PIX OS 7.21 - no problem.
We then upgraded Site 2 - no problem.
We then upgraded Site 1 .......... problems.

First of all the VPN to site 3 was intermittent and the phone (only 1) in site 3 would not work.
Secondly - all the phones in Site 2 continually reset and call reliability is now rubbish where before it was quite good.

I've implemented Cisco's prioritisation suggestions using an ACL and Class Map on both the Site 1 and Site 2 PIX, but the phones are still unreliable. The problems with the dodgy connection to Site 3 were fixed by re-seating the new memory module - although we have subsequently replaced this 64 MB SIMM with two 32 MB ones in order to rule out dodgy memory as the cause of bad VoIP performance.

I've tried everything I can think of, but no joy. Below are the configs for both PIXs - Site 1 and Site 2.


SITE 1
PIX Version 7.2(1)
!
hostname london
domain-name customer.local
enable password * encrypted
names
name 10.5.0.0 Site1
name 10.4.0.0 Site2
name 10.6.0.0 Site3
name 10.7.0.0 Site4
name 10.2.1.0 Voice2
name 10.3.1.0 Voice3
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address eee.eee.eee.eee 255.255.255.192
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.5.1.20 255.255.0.0
!
passwd * encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name customer.local
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Site2 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Site4 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Site3 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Voice3 255.255.255.0 Voice2 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Voice3 255.255.255.0 Site2 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Voice2 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Voice3 255.255.255.0 Site3 255.255.0.0
access-list outside_cryptomap_20 extended permit ip Site1 255.255.0.0 Site2 255.255.0.0
access-list outside_cryptomap_20 extended permit ip Voice3 255.255.255.0 Voice2 255.255.255.0
access-list outside_cryptomap_20 extended permit ip Site1 255.255.0.0 Voice2 255.255.255.0
access-list outside_cryptomap_20 extended permit ip Voice3 255.255.255.0 Site2 255.255.0.0
access-list outside_cryptomap_40 extended permit ip Site1 255.255.0.0 Site4 255.255.0.0
access-list outside_cryptomap_60 extended permit ip Site1 255.255.0.0 Site3 255.255.0.0
access-list outside_cryptomap_60 extended permit ip Voice3 255.255.255.0 Site3 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq h323
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq 2000
access-list VOIP-Priority-Out extended permit udp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq h323
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq 2000
access-list VOIP-Priority-In extended permit udp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
pager lines 24
logging enable
logging console debugging
logging asdm errors
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm521.bin
asdm location 10.0.0.0 255.0.0.0 inside
asdm location 192.168.1.0 255.255.255.0 inside
asdm location 10.0.0.0 255.0.0.0 outside
asdm location Site2 255.255.0.0 outside
asdm location Site4 255.255.0.0 outside
asdm location Site3 255.255.0.0 outside
asdm location Voice3 255.255.255.0 inside
asdm location Voice2 255.255.255.0 outside
asdm location Voice3 255.255.255.0 outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 Site1 255.255.0.0
static (inside,outside) 10.5.1.1 10.5.1.1 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 eee.eee.eee.eef
route inside Voice3 255.255.255.0 10.5.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer bbb.bbb.bbb.bbb
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer ccc.ccc.ccc.ccc
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer ddd.ddd.ddd.ddd
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
 pre-shared-key *
tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
 pre-shared-key *
tunnel-group ccc.ccc.ccc.ccc type ipsec-l2l
tunnel-group ccc.ccc.ccc.ccc ipsec-attributes
 pre-shared-key *
telnet Site1 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd ping_timeout 750
!
priority-queue outside
!
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list VOIP-Priority-Out
class-map Voice-IN
 match access-list VOIP-Priority-In
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect h323 h225
  inspect h323 ras
 class Voice-OUT
  priority
 class Voice-IN
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2551d9eff6ad15c4e6be0a3b71ff742a


SITE 2

PIX Version 7.2(1)
!
hostname farnborough
domain-name sbac.local
enable password * encrypted
names
name 10.5.0.0 Site1
name 10.7.0.0 Site4
name 10.6.0.0 Site3
name 10.3.1.0 Voice3
name 10.2.1.0 Voice2
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address bbb.bbb.bbb.bbb 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.4.1.20 255.255.0.0
!
passwd * encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name sbac.local
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Site1 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Site4 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Site3 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Voice2 255.255.255.0 Voice3 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Voice3 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Voice2 255.255.255.0 Site1 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Voice2 255.255.255.0 Site3 255.255.0.0
access-list outside_cryptomap_40 extended permit ip 10.4.0.0 255.255.0.0 Site1 255.255.0.0
access-list outside_cryptomap_40 extended permit ip Voice2 255.255.255.0 Voice3 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 10.4.0.0 255.255.0.0 Voice3 255.255.255.0
access-list outside_cryptomap_40 extended permit ip Voice2 255.255.255.0 Site1 255.255.0.0
access-list outside_cryptomap_60 extended permit ip 10.4.0.0 255.255.0.0 Site4 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 10.4.0.0 255.255.0.0 Site3 255.255.0.0
access-list outside_cryptomap_80 extended permit ip Voice2 255.255.255.0 Site3 255.255.0.0
access-list VOIP-Priority-Out extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq h323
access-list VOIP-Priority-Out extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit udp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq 2000
access-list VOIP-Priority-In extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq h323
access-list VOIP-Priority-In extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit udp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq 2000
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm521.bin
asdm location 10.4.2.18 255.255.255.255 inside
asdm location Site1 255.255.0.0 outside
asdm location Site4 255.255.0.0 outside
asdm location Site1 255.255.0.0 inside
asdm location Site3 255.255.0.0 outside
asdm location 10.4.0.0 255.255.0.0 inside
asdm location 192.168.1.0 255.255.255.0 inside
asdm location 10.0.0.0 255.0.0.0 inside
asdm location Voice2 255.255.255.0 inside
asdm location Voice3 255.255.255.0 outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 bbb.bbb.bbb.bbc 1
route inside Voice2 255.255.255.0 10.4.1.40 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Site1 255.255.0.0 inside
http 10.4.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer aaa.aaa.aaa.aaa
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer ccc.ccc.ccc.ccc
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer ddd.ddd.ddd.ddd
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
 pre-shared-key *
tunnel-group ccc.ccc.ccc.ccc type ipsec-l2l
tunnel-group ccc.ccc.ccc.ccc ipsec-attributes
 pre-shared-key *
tunnel-group ddd.ddd.ddd.ddd type ipsec-l2l
tunnel-group ddd.ddd.ddd.ddd ipsec-attributes
 pre-shared-key *
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
priority-queue outside
!
class-map Voice-In
 match access-list VOIP-Priority-In
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list VOIP-Priority-Out
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect h323 h225
  inspect h323 ras
 class Voice-In
  priority
 class Voice-OUT
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:118ac2188fdcfe0ae0145e77864ed055


Any pointers on how to improve reliability again or a reason why this has happened would be greatly appreciated.

BTW - Site 1 has a 6 Mbps line to the Internet, Site 2 a 4 Mbps line.

DS
Question by: prodriveit
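Before switching the QoS off wholesale, it helps to see what the posted priority classes actually match. The following audit script is an added example written for this page (it is not from the original post, from Cisco, or from ASDM): it parses the `name`, `access-list`, `class-map` and `policy-map ... priority` lines of a PIX 7.x config in the format shown above, resolves the name aliases, and reports the protocol/port pairs each priority class covers. Assumptions: only the `eq` keywords that appear in the posted config (h323 = 1720, sip = 5060) are mapped; the RTP media range 16384-32767/UDP is the range Cisco IP phones use; `SITE1_EXCERPT` is taken from the Site 1 config above, while `FIXED_EXCERPT` adds one hypothetical `range 16384 32767` line that is not in the post; the `REVIEW_SETTINGS` notes are the editor's, not the original poster's.

```python
"""Audit VoIP priority classification in a PIX 7.x running-config.

Added example (not from the original post): parses `name`, `access-list`,
`class-map` and `policy-map ... priority` lines, resolves name aliases and
reports what each priority class really matches.
"""
import re

# Service keywords the PIX accepts after `eq`; only those used in the posted
# config are mapped here (assumption: extend as needed).
PORT_NAMES = {"h323": 1720, "sip": 5060}
# UDP range Cisco IP phones use for RTP media.
RTP_RANGE = (16384, 32767)
# Settings visible in the posted config that a reviewer would flag (editor's notes).
REVIEW_SETTINGS = {
    "logging console debugging": "console logging at debug level is CPU-heavy on a PIX",
    "ssh version 1": "SSHv1 is obsolete; use `ssh version 2`",
    "snmp-server community public": "default SNMP community string",
}

ACL_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)"
    r"(?: eq (\S+))?(?: range (\d+) (\d+))?\s*$"
)

def _ports(eq, lo, hi):
    """Translate an `eq <port>` or `range <lo> <hi>` clause into a (lo, hi) tuple."""
    if eq is not None:
        port = PORT_NAMES[eq] if eq in PORT_NAMES else int(eq)
        return (port, port)
    if lo is not None:
        return (int(lo), int(hi))
    return (0, 65535)  # no port clause: the whole protocol

def parse_config(text):
    """Return (names, acls, class_to_acl, priority_classes)."""
    names, acls, class_to_acl, priority = {}, {}, {}, []
    cur_class = policy_class = None
    for line in text.splitlines():
        if line.startswith("name "):
            _, ip, alias = line.split()[:3]
            names[alias] = ip
        elif line.startswith("access-list "):
            m = ACL_RE.match(line)
            if m:  # icmp / any-any forms without masks are ignored here
                name, action, proto, src, _sm, dst, _dm, eq, lo, hi = m.groups()
                acls.setdefault(name, []).append({
                    "action": action, "proto": proto,
                    "src": names.get(src, src), "dst": names.get(dst, dst),
                    "ports": _ports(eq, lo, hi),
                })
        elif line.startswith("class-map "):
            cur_class, policy_class = line.split()[1], None
        elif line.startswith(" match access-list ") and cur_class:
            class_to_acl[cur_class] = line.split()[2]
        elif line.startswith("policy-map "):
            cur_class = None
        elif line.startswith(" class "):
            policy_class = line.split()[1]
        elif line.strip() == "priority" and policy_class:
            priority.append(policy_class)
    return names, acls, class_to_acl, priority

def audit_priority_coverage(text):
    """Map each priority class to the (proto, port-range) pairs it matches and
    whether any entry covers the whole RTP media range."""
    _, acls, class_to_acl, priority = parse_config(text)
    report = {}
    for cls in priority:
        entries = acls.get(class_to_acl.get(cls, ""), [])
        report[cls] = {
            "matches": sorted({(e["proto"], e["ports"]) for e in entries}),
            "rtp_covered": any(
                e["proto"] in ("udp", "ip")
                and e["ports"][0] <= RTP_RANGE[0] <= RTP_RANGE[1] <= e["ports"][1]
                for e in entries
            ),
        }
    return report

def review_settings(text):
    """Return the REVIEW_SETTINGS notes whose lines are present in the config."""
    present = {l.strip() for l in text.splitlines()}
    return {k: v for k, v in REVIEW_SETTINGS.items() if k in present}

# Excerpt of the Site 1 config posted above (names, QoS ACLs, class/policy maps).
SITE1_EXCERPT = """\
name 10.2.1.0 Voice2
name 10.3.1.0 Voice3
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq h323
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq 2000
access-list VOIP-Priority-Out extended permit udp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq h323
access-list VOIP-Priority-In extended permit udp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
logging console debugging
ssh version 1
class-map Voice-OUT
 match access-list VOIP-Priority-Out
class-map Voice-IN
 match access-list VOIP-Priority-In
policy-map global_policy
 class inspection_default
  inspect sip
 class Voice-OUT
  priority
 class Voice-IN
  priority
"""

# Hypothetical fix (constructed, not in the post): also classify RTP media outbound.
FIXED_EXCERPT = SITE1_EXCERPT + (
    "access-list VOIP-Priority-Out extended permit udp Voice3 255.255.255.0 "
    "Voice2 255.255.255.0 range 16384 32767\n"
)

if __name__ == "__main__":
    for label, cfg in (("posted", SITE1_EXCERPT), ("with RTP range", FIXED_EXCERPT)):
        print(label, audit_priority_coverage(cfg))
    print(review_settings(SITE1_EXCERPT))
```

Run against the posted excerpt, the report shows that both priority classes match only call signalling (h323/1720, sip/5060 and TCP 2000, which is SCCP to the CCM) and that nothing in them covers the RTP media range, so the `priority` queue never acts on the voice stream itself; the `range 16384 32767` line in `FIXED_EXCERPT` is one way to make the outbound class cover media, and the same check then reports the inbound class still uncovered. `review_settings` flags `logging console debugging` and `ssh version 1` from the Site 1 config as settings worth revisiting.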
3 Comments

Accepted Solution by: harbor235 (LVL 32), earned 500 total points
ID: 20290984
My first question would be, why did you choose 7.21? Not sure which protocols you are using for voice, but 7.2(1) does have some open caveats with SIP and H.323. 7.2(3) fixed many open bugs; however, without knowing more specifics about what features you run on your PIX, it's hard to say if 7.2(3) is a good fit.

You should always review several versions of code prior to implementation, checking open and resolved caveats in the release.

7.0(7) is pretty stable with few open caveats relative to the other releases.

hope this helps

harbor235 ;}
Expert Comment by: lrmoore (LVL 79)
ID: 20293941
I agree with harbor235 about the version. Try 7.2(3) or 7.0(7).
I see you have also set up QoS to give voice priority. This was not a feature available on the old 6.x versions. Try it without the QoS features enabled.
Author Comment by: prodriveit (LVL 2)
ID: 20296872
Thanks guys. I'd previously applied 7.21 to a customer who was using VoIP over L2L VPN and they had reported an improvement in their VoIP (which now seems completely bizarre), and so this is what I went on.

We've since downgraded to 6.3 and all is OK again - will definitely test the phones thoroughly after upgrading to a different version of 7!

Regards,

DS