Solved

VOIP One Way Audio, Call Manager Express 3.3

Posted on 2010-09-11
Last Modified: 2012-05-10
Experts,

In my small voice network, I am currently experiencing the following problem:  Users at a remote location *IPSEC over GRE* cannot hear audio from analog sources at the central office.  With both the inbound FXO port, as well as Music-on-hold, and the Automated Attendant...  The remote site cannot hear any of those features / services.



IP-IP calls work fine though throughout the network.

After searching a while on this topic, I've come across these pages:

https://cisco-support.hosted.jivesoftware.com/docs/DOC-2653
http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a008009484b.shtml
http://www.voip-info.org/wiki/view/One-way+Audio

I've read through them all, and checked over my configuration of CME 3.3 - and can't see where I could be going wrong.  I've posted my Router config below, scrubbed for security.  Anything you guys see that could be causing the issue - if I could be pointed in the right direction, it would be greatly appreciated.






Here's a basic 5000' overview of the network

Central Office ---->  2621xm *IP gateway as well as telephony CME
Remote Office --->  2620xm IP gateway with GRE / IPSec tunnel back to Central

CME is only installed locally at the central office.  With the remote site, I'm simply passing option 150 back to the internal interface of the CME router.  Everything seems to work fine, since the phone works IP-IP, registers with CME, etc.

Also, the analog portion works perfectly at the central office.  All FXO calls, automated attendant, music on hold, etc. work fine here locally.  It's only the remote site that can't hear anything on the analog side of the house.

Any help you guys could share would be awesome.

voice service voip

 allow-connections h323 to h323

 allow-connections h323 to sip

 allow-connections sip to h323

 allow-connections sip to sip

 redirect ip2ip

 sip

  bind control source-interface FastEthernet0/0

  bind media source-interface FastEthernet0/0

  registrar server expires max 600 min 60



application

  service CME_AA flash://its-CISCO.2.0.1.0.tcl

  param operator 1999

  paramspace english language en

  paramspace english index 0

  paramspace english location flash://

  paramspace english prefix en

  param aa-pilot 5999



tftp-server flash:P00307020200.bin alias P00307020200.bin

tftp-server flash:P00307020200.loads alias P00307020200.loads

tftp-server flash:P00307020200.sb2 alias P00307020200.sb2

tftp-server flash:P00307020200.sbn alias P00307020200.sbn

tftp-server flash:Analog1.raw alias Analog1.raw

tftp-server flash:Analog2.raw alias Analog2.raw

tftp-server flash:AreYouThere.raw alias AreYouThere.raw

tftp-server flash:AreYouThereF.raw alias AreYouThereF.raw

tftp-server flash:Bass.raw alias Bass.raw

tftp-server flash:CallBack.raw alias CallBack.raw

tftp-server flash:Chime.raw alias Chime.raw

tftp-server flash:Classic1.raw alias Classic1.raw

tftp-server flash:Classic2.raw alias Classic2.raw

tftp-server flash:ClockShop.raw alias ClockShop.raw

tftp-server flash:DistinctiveRingList.xml alias DistinctiveRingList.xml

tftp-server flash:Drums1.raw alias Drums1.raw

tftp-server flash:Drums2.raw alias Drums2.raw

tftp-server flash:FilmScore.raw alias FilmScore.raw

tftp-server flash:HarpSynth.raw alias HarpSynth.raw

tftp-server flash:Jamaica.raw alias Jamaica.raw

tftp-server flash:KotoEffect.raw alias KotoEffect.raw

tftp-server flash:MusicBox.raw alias MusicBox.raw

tftp-server flash:Piano1.raw alias Piano1.raw

tftp-server flash:Piano2.raw alias Piano2.raw

tftp-server flash:Pop.raw alias Pop.raw

tftp-server flash:Pulse1.raw alias Pulse1.raw

tftp-server flash:Ring1.raw alias Ring1.raw

tftp-server flash:Ring2.raw alias Ring2.raw

tftp-server flash:Ring3.raw alias Ring3.raw

tftp-server flash:Ring4.raw alias Ring4.raw

tftp-server flash:Ring5.raw alias Ring5.raw

tftp-server flash:Ring6.raw alias Ring6.raw

tftp-server flash:Ring7.raw alias Ring7.raw

tftp-server flash:RingList.xml alias RingList.xml

tftp-server flash:Sax1.raw alias Sax1.raw

tftp-server flash:Sax2.raw alias Sax2.raw

tftp-server flash:Vibe.raw alias Vibe.raw





voice-port 1/1/0

 supervisory disconnect dualtone mid-call

 pre-dial-delay 0

 cptone JP

 timeouts call-disconnect 1

 timeouts ringing 45

 timeouts wait-release 2

 connection plar 5999



dial-peer voice 1 voip

 destination-pattern 1...

 session target ipv4:10.0.0.1



dial-peer voice 2 voip

 destination-pattern 2...

 session target ipv4:10.0.208.1



dial-peer voice 99 pots

 destination-pattern .T

 port 1/1/0

 forward-digits all



dial-peer voice 5999 voip

 service cme_aa

 destination-pattern 5999

 session target ipv4:172.16.0.1

 incoming called-number 5999

 dtmf-relay h245-alphanumeric

 codec g711ulaw

 no vad



sip-ua







!

telephony-service

 load 7960-7940 P00307020200

 max-ephones 24

 max-dn 48

 ip source-address 10.0.0.1 port 2000

 service phone displayIdleTimeout 00:30

 service phone displayOnDuration 1:00

 timeouts interdigit 2

 system message *****

 url services http://phone-xml.berbee.com/menu.xml

 time-zone 44

 time-format 24

 create cnf-files version-stamp 7960 Aug 28 2010 23:43:17

 max-conferences 4 gain -6

 call-forward pattern ....

 moh music-on-hold.au

 web admin system name admin secret *****

 dn-webedit

 transfer-system full-consult

 transfer-pattern ....

 secondary-dialtone 99

 after-hours block pattern 1 1900....... 7-24

 after-hours block pattern 2 0990...... 7-24

 directory entry 2 ***** name *****

 directory entry 1 ***** name *****



ephone-template  1

 softkeys idle  Redial Newcall Pickup Cfwdall Dnd

 softkeys seized  Redial Endcall Cfwdall Pickup Gpickup

 softkeys alerting  Endcall Callback

 softkeys connected  Hold Confrn Flash Park Trnsfer



ephone-dn  1  dual-line

 call-waiting ring

 number 1009

 pickup-group 1

 label *****

 description *****

 name *****

 call-forward busy 1599

 call-forward noan 1599 timeout 45





ephone-dn  2  dual-line

 call-waiting ring

 number 1001

 pickup-group 1

 label *****

 description *****

 name *****

 call-forward busy 1599

 call-forward noan 1599 timeout 45





ephone-dn  3  dual-line

 call-waiting ring

 number 2001

 pickup-group 2

 label *****

 description *****

 name *****

 call-forward busy 1599

 call-forward noan 1599 timeout 45





ephone-dn  4  dual-line

 call-waiting ring

 number 1002

 pickup-group 1

 label *****

 description *****

 name *****

 call-forward busy 1599

 call-forward noan 1599 timeout 45





ephone-dn  5  dual-line

 call-waiting ring

 number 2002

 pickup-group 2

 label *****

 description *****

 name *****

 call-forward busy 1599

 call-forward noan 1599 timeout 45





ephone-dn  9

 number 9999

 paging ip 239.1.1.100 port 2000



ephone-dn  10

 number 1999





ephone-dn  11

 number 2999





ephone-dn  40

 number 5001

 park-slot timeout 90 limit 3





ephone-dn  41

 number 5002

 park-slot timeout 90 limit 3





ephone-dn  42

 number 5003

 park-slot timeout 90 limit 3





ephone-dn  47

 number A2

 intercom A1 barge-in no-mute label "*****"





ephone-dn  48

 number A1

 intercom A2 barge-in no-mute label "*****"



ephone  1

 description *****

 ephone-template 1

 mac-address *****

 paging-dn 9

 keep-conference

 button  1o1,10 6:47







ephone  2

 description *****

 ephone-template 1

 mac-address *****

 paging-dn 9

 keep-conference

 button  1o2,10 6:48







ephone  3

 description *****

 ephone-template 1

 mac-address *****

 paging-dn 9

 keep-conference

 button  1o3,11

Question by:usslindstrom
Expert Comment

by:BarnyRitchley
ID: 33676775
How are the sites connected?

You will need a site-to-site (L2L) VPN between the two sites to avoid one-way audio issues.

Also, depending on the full configuration, you may need to do some policy-based routing, and/or assign the CME to a loopback interface so that the audio generated by the router is passed down the VPN.

Could you post passwordless configs for the routers at both sites?
0
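Following the comment above about which address the router uses for the audio it generates, here is an added example (not code from anyone in this thread) that runs the router's own addresses through the crypto and NAT access lists from the central config posted further down. The shortened ACL names and the remote phone address 10.0.212.60 are assumptions; the scrubbed `permit gre` entry is left out.

```python
"""Evaluate IOS extended-ACL entries against router-sourced RTP flows."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Entries copied from the central router config posted in this thread.
# ACL names are shortened (the originals are scrubbed) and the
# "permit gre host ***** host *****" entry is omitted for the same reason.
VPN_TRAFFIC = """
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
"""
NAT = """
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
"""

# Addresses the central router owns, taken from its interface config.
ROUTER_SOURCES = [
    ("FastEthernet0/0", "10.0.0.1"),   # telephony-service ip source-address
    ("Loopback1", "172.16.0.1"),       # session target of dial-peer 5999
    ("Tunnel1", "172.16.0.209"),
]
# Constructed sample: a phone in the remote 10.0.212.0/23 DHCP pool.
REMOTE_PHONE = "10.0.212.60"


class Ace(NamedTuple):
    action: str      # "permit" or "deny"
    proto: str       # "ip", "udp", "icmp", ...
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny lines of an extended ACL (no port operators)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, src_wild, i = _parse_addr(tokens, 2)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, src_wild, dst, dst_wild))
    return aces


def _match(addr: int, base: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; compare only the others.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if _match(s, ace.src, ace.src_wild) and _match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def media_path_report(sources, dst: str):
    """For each candidate source, return (name, address, crypto ACL, NAT ACL)."""
    crypto, nat = parse_acl(VPN_TRAFFIC), parse_acl(NAT)
    return [
        (name, addr, evaluate(crypto, "udp", addr, dst), evaluate(nat, "udp", addr, dst))
        for name, addr in sources
    ]


if __name__ == "__main__":
    # RTP is UDP, so each candidate flow is evaluated as udp.
    for name, addr, crypto_action, nat_action in media_path_report(ROUTER_SOURCES, REMOTE_PHONE):
        print(f"{name:16} {addr:14} crypto-acl={crypto_action:6} nat-acl={nat_action}")
```

A `deny` from the NAT list means the flow is exempt from translation, and a `deny` from the crypto list means that list does not select the flow for IPsec. The script reads ACL text only and does not model routing or the tunnel encapsulation.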
 
Author Comment

by:usslindstrom
ID: 33678623
Thank you very much for the assistance.

If you have a moment, can you scrub through my configs?  I've posted both the central (first) and remote (second) below.  Both have been screened for passwords and IPs.

Thanks.
**********  CENTRAL ROUTER **********





!

! Last configuration change at 21:59:10 JST Mon Sep 13 2010 by *****

! NVRAM config last updated at 22:00:01 JST Mon Sep 13 2010 by *****

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname *****

!

boot-start-marker

boot system flash:c2600-advipservicesk9-mz.124-25b.bin

boot-end-marker

!

enable secret 5 *****

!

aaa new-model

!

!

aaa group server radius *****

 server 10.0.226.251 auth-port 1645 acct-port 1646

 server 10.0.226.252 auth-port 1645 acct-port 1646

!

aaa group server radius *****

 server 10.0.2.251 auth-port 1645 acct-port 1646

 server 10.0.2.252 auth-port 1645 acct-port 1646

!

aaa group server radius *****

 server 10.0.12.251 auth-port 1645 acct-port 1646

 server 10.0.12.252 auth-port 1645 acct-port 1646

!

aaa authentication login *****_Access group ***** local

aaa authorization network default if-authenticated 

!

aaa session-id common

clock timezone *****

ip cef

!

!

!

!

ip domain name *****.com

ip name-server *****

ip name-server *****

ip multicast-routing 

ip inspect max-incomplete low 500

ip inspect max-incomplete high 700

ip inspect one-minute low 400

ip inspect one-minute high 400

ip inspect udp idle-time 120

ip inspect dns-timeout 3

ip inspect tcp idle-time 360

ip inspect tcp synwait-time 15

ip inspect name *****_FW tcp

ip inspect name *****_FW udp

ip inspect name *****_FW icmp

ip inspect name *****_FW ftp

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

!

!

!

!

voice service voip 

 allow-connections h323 to h323

 allow-connections h323 to sip

 allow-connections sip to h323

 allow-connections sip to sip

 redirect ip2ip

 sip

  bind control source-interface FastEthernet0/0

  bind media source-interface FastEthernet0/0

  registrar server expires max 600 min 60

!

!

!

!

!

!

!

!

!

!

!

!

!

!

application

  service CME_AA flash://its-CISCO.2.0.1.0.tcl

  param operator 1999

  paramspace english language en

  paramspace english index 0

  paramspace english location flash://

  paramspace english prefix en

  param aa-pilot 5999

  !

!

username ***** privilege 15 secret *****

username ***** privilege 15 secret *****

archive

 log config

  hidekeys

!

!

!

class-map match-any P2P

 match protocol edonkey

 match protocol gnutella

 match protocol kazaa2

 match protocol winmx

class-map match-all VoiceOverIPSignaling

 match ip dscp af31 

class-map match-all VoiceOverIP

 match ip dscp ef 

 match protocol sip

 match protocol skinny

!

!

policy-map VoiceOverIPPolicy

 class VoiceOverIP

  priority percent 10

 class VoiceOverIPSignaling

  bandwidth percent 2

 class class-default

  fair-queue

policy-map Drop_P2P

 class P2P

   drop

!

! 

!

crypto isakmp policy 1

 encr aes 256

 hash md5

 authentication pre-share

 group 2

crypto isakmp key ***** address *****

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set ESP-AES esp-aes 256 

!

crypto map *****_VPNMap 1 ipsec-isakmp 

 description ***** VPN --> ***** VPN

 set peer *****

 set security-association lifetime seconds 86400

 set transform-set ESP-AES 

 set pfs group2

 match address *****_VPNTraffic

!

!

!

!

interface Loopback1

 ip address 172.16.0.1 255.255.255.255

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 ip ospf 1 area 0

!

interface Tunnel1

 ip address 172.16.0.209 255.255.255.252

 ip pim sparse-dense-mode

 ip nat inside

 ip virtual-reassembly

 ip ospf authentication message-digest

 ip ospf authentication-key *****

 ip ospf mtu-ignore

 ip ospf 1 area 0

 keepalive 5 3

 tunnel source Dialer1

 tunnel destination *****

 tunnel mode ipip

 crypto map *****_VPNMap

!

interface FastEthernet0/0

 description ***** Fa0/0 --> ***** Fa0/3 (10.0.0.0/23)

 ip address 10.0.0.1 255.255.254.0

 ip nbar protocol-discovery

 ip pim dense-mode

 ip nat inside

 ip virtual-reassembly

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 ip ospf 1 area 0

 speed 100

 full-duplex

 service-policy input Drop_P2P

!

interface FastEthernet0/1

 description ***** Fa0/1 --> *****

 no ip address

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip virtual-reassembly

 no ip mroute-cache

 speed 100

 full-duplex

 pppoe enable group global

 pppoe-client dial-pool-number 1

!

interface Dialer1

 description ***** Dialer1 --> *****

 mtu 1424

 bandwidth 100000

 ip address negotiated

 no ip unreachables

 ip nbar protocol-discovery

 ip nat outside

 ip inspect *****_FW out

 ip virtual-reassembly

 encapsulation ppp

 ip tcp adjust-mss 1396

 no ip mroute-cache

 dialer pool 1

 dialer-group 1

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname *****

 ppp chap password *****

 ppp pap sent-username ***** password *****

 ppp ipcp route default

 crypto map *****_VPNMap

 service-policy output VoiceOverIPPolicy

!

router ospf 1

 router-id 10.0.0.1

 log-adjacency-changes

 area 0 authentication message-digest

 summary-address 10.0.0.0 255.255.240.0

 summary-address 10.0.224.0 255.255.240.0

 redistribute static subnets

 default-information originate

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip dns server

!

ip http server

no ip http secure-server

ip http path flash:

ip pim accept-rp auto-rp

ip pim send-rp-announce Loopback1 scope 15

ip pim send-rp-discovery scope 15

ip nat inside source list *****_NAT interface Dialer1 overload

ip nat inside source static tcp 10.0.2.221 80 interface Dialer1 80

ip nat inside source static udp 10.0.2.221 20 interface Dialer1 20

ip nat inside source static tcp 10.0.2.221 20 interface Dialer1 20

ip nat inside source static tcp 10.0.2.221 21 interface Dialer1 21

ip nat inside source static udp 10.0.2.221 21 interface Dialer1 21

ip nat inside source static tcp 10.0.2.221 8081 interface Dialer1 8081

ip nat inside source static udp 10.0.2.221 8081 interface Dialer1 8081

ip nat inside source static tcp 10.0.14.5 5000 interface Dialer1 5000

ip nat inside source static tcp 10.0.210.221 8443 interface Dialer1 8443

ip nat inside source static tcp 10.0.210.221 8453 interface Dialer1 8453

ip nat inside source static tcp 10.0.210.221 8400 interface Dialer1 8400

ip nat inside source static tcp 10.0.210.221 8401 interface Dialer1 8401

ip nat inside source static tcp 10.0.210.221 8402 interface Dialer1 8402

ip nat inside source static tcp 10.0.210.221 8403 interface Dialer1 8403

ip nat inside source static tcp 10.0.210.221 8404 interface Dialer1 8404

ip nat inside source static tcp 10.0.210.221 8405 interface Dialer1 8405

ip nat inside source static tcp 10.0.210.221 8406 interface Dialer1 8406

ip nat inside source static tcp 10.0.210.221 8407 interface Dialer1 8407

ip nat inside source static tcp 10.0.210.221 8408 interface Dialer1 8408

ip nat inside source static tcp 10.0.210.221 8409 interface Dialer1 8409

ip nat inside source static tcp 10.0.210.221 8410 interface Dialer1 8410

ip nat inside source static tcp 10.0.210.221 5356 interface Dialer1 5356

ip nat inside source static tcp 10.0.2.221 443 interface Dialer1 443

ip nat inside source static tcp 10.0.0.10 443 interface Dialer1 4443

ip nat inside source static tcp 10.0.14.5 80 interface Dialer1 8080

ip nat inside source static tcp 10.0.210.221 8411 interface Dialer1 8411

ip nat inside source static tcp 10.0.210.221 8412 interface Dialer1 8412

ip nat inside source static tcp 10.0.210.221 8413 interface Dialer1 8413

ip nat inside source static tcp 10.0.210.221 8414 interface Dialer1 8414

ip nat inside source static tcp 10.0.210.221 8415 interface Dialer1 8415

ip nat inside source static tcp 10.0.210.221 8416 interface Dialer1 8416

ip nat inside source static tcp 10.0.210.221 8417 interface Dialer1 8417

ip nat inside source static tcp 10.0.210.221 8418 interface Dialer1 8418

ip nat inside source static tcp 10.0.210.221 8419 interface Dialer1 8419

ip nat inside source static tcp 10.0.210.221 8420 interface Dialer1 8420

ip nat inside source static tcp 10.0.2.241 110 interface Dialer1 110

ip nat inside source static tcp 10.0.0.6 25 interface Dialer1 25

!

ip access-list extended *****_NAT

 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255

 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

 permit ip 10.0.0.0 0.0.255.255 any

 permit ip 172.16.0.0 0.0.255.255 any

ip access-list extended *****_SplitTunnel

 permit ip 10.0.0.0 0.0.15.255 10.0.12.0 0.0.1.255

 permit ip 10.0.224.0 0.0.15.255 10.0.12.0 0.0.1.255

ip access-list extended *****_VPNTraffic

 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 permit gre host ***** host *****

ip access-list extended *****_UpdateAdjust

 deny   ip host 10.0.0.5 10.0.0.0 0.0.16.255

 deny   ip host 10.0.0.5 10.0.224.0 0.0.16.255

 permit ip host 10.0.0.5 any

!

snmp-server community public RO

!

!

tftp-server flash:P00307020200.bin alias P00307020200.bin

tftp-server flash:P00307020200.loads alias P00307020200.loads

tftp-server flash:P00307020200.sb2 alias P00307020200.sb2

tftp-server flash:P00307020200.sbn alias P00307020200.sbn

tftp-server flash:Analog1.raw alias Analog1.raw

tftp-server flash:Analog2.raw alias Analog2.raw

tftp-server flash:AreYouThere.raw alias AreYouThere.raw

tftp-server flash:AreYouThereF.raw alias AreYouThereF.raw

tftp-server flash:Bass.raw alias Bass.raw

tftp-server flash:CallBack.raw alias CallBack.raw

tftp-server flash:Chime.raw alias Chime.raw

tftp-server flash:Classic1.raw alias Classic1.raw

tftp-server flash:Classic2.raw alias Classic2.raw

tftp-server flash:ClockShop.raw alias ClockShop.raw

tftp-server flash:DistinctiveRingList.xml alias DistinctiveRingList.xml

tftp-server flash:Drums1.raw alias Drums1.raw

tftp-server flash:Drums2.raw alias Drums2.raw

tftp-server flash:FilmScore.raw alias FilmScore.raw

tftp-server flash:HarpSynth.raw alias HarpSynth.raw

tftp-server flash:Jamaica.raw alias Jamaica.raw

tftp-server flash:KotoEffect.raw alias KotoEffect.raw

tftp-server flash:MusicBox.raw alias MusicBox.raw

tftp-server flash:Piano1.raw alias Piano1.raw

tftp-server flash:Piano2.raw alias Piano2.raw

tftp-server flash:Pop.raw alias Pop.raw

tftp-server flash:Pulse1.raw alias Pulse1.raw

tftp-server flash:Ring1.raw alias Ring1.raw

tftp-server flash:Ring2.raw alias Ring2.raw

tftp-server flash:Ring3.raw alias Ring3.raw

tftp-server flash:Ring4.raw alias Ring4.raw

tftp-server flash:Ring5.raw alias Ring5.raw

tftp-server flash:Ring6.raw alias Ring6.raw

tftp-server flash:Ring7.raw alias Ring7.raw

tftp-server flash:RingList.xml alias RingList.xml

tftp-server flash:Sax1.raw alias Sax1.raw

tftp-server flash:Sax2.raw alias Sax2.raw

tftp-server flash:Vibe.raw alias Vibe.raw

radius-server host 10.0.12.251 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.12.252 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.228.251 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.228.252 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.2.251 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.2.252 auth-port 1645 acct-port 1646 key *****

!

control-plane

!

!

!

voice-port 1/0/0

!

voice-port 1/0/1

!

voice-port 1/1/0

 supervisory disconnect dualtone mid-call

 pre-dial-delay 0

 cptone JP

 timeouts call-disconnect 1

 timeouts ringing 45

 timeouts wait-release 2

 connection plar 5999

!

voice-port 1/1/1

!

ccm-manager music-on-hold

!

mgcp bind control source-interface FastEthernet0/0

mgcp bind media source-interface FastEthernet0/0

mgcp behavior g729-variants static-pt

!

!

!

dial-peer voice 1 voip

 destination-pattern 1...

 session target ipv4:10.0.0.1

!

dial-peer voice 2 voip

 destination-pattern 2...

 session target ipv4:10.0.208.1

!

dial-peer voice 99 pots

 destination-pattern .T

 port 1/1/0

 forward-digits all

!

dial-peer voice 5999 voip

 service cme_aa

 destination-pattern 5999

 session target ipv4:172.16.0.1

 incoming called-number 5999

 dtmf-relay h245-alphanumeric

 codec g711ulaw

 no vad

!

dial-peer voice 5000 voip

 description ***** --> *****

 destination-pattern 5000

 session protocol sipv2

 session target ipv4:10.0.2.241

 session transport tcp

 dtmf-relay rtp-nte

 codec g711ulaw

 fax rate disable

 fax protocol pass-through g711ulaw

 no vad

!

dial-peer voice 9999 voip

 description ***** --> *****

 destination-pattern 9999

 session protocol sipv2

 session target ipv4:10.0.2.241

 session transport tcp

 dtmf-relay rtp-nte

 codec g711ulaw

 fax rate disable

 fax protocol pass-through g711ulaw

 no vad

!

sip-ua 

 mwi-server ipv4:10.0.2.241 expires 3600 port 5060 transport tcp unsolicited

!

!

!

!

telephony-service

 load 7960-7940 P00307020200

 max-ephones 24

 max-dn 48

 ip source-address 10.0.0.1 port 2000

 service phone displayIdleTimeout 00:30

 service phone displayOnDuration 1:00

 timeouts interdigit 2

 system message *****.com

 url services http://phone-xml.berbee.com/menu.xml

 time-zone 44

 time-format 24

 create cnf-files version-stamp 7960 Aug 28 2010 23:43:17

 voicemail 5000

 max-conferences 4 gain -6

 call-forward pattern ....

 moh music-on-hold.au

 web admin system name admin secret *****

 dn-webedit 

 transfer-system full-consult

 transfer-pattern ....

 secondary-dialtone 99

 after-hours block pattern 1 1900....... 7-24

 after-hours block pattern 2 0990...... 7-24

 directory entry 2 ***** name ***** Cell

 directory entry 1 ***** name ***** Cell

!

!

ephone-template  1

 softkeys idle  Redial Newcall Pickup Cfwdall Dnd

 softkeys seized  Redial Endcall Cfwdall Pickup Gpickup

 softkeys alerting  Endcall Callback

 softkeys connected  Hold Confrn Flash Park Trnsfer

!

!

ephone-dn  1  dual-line

 call-waiting ring

 number 1009

 pickup-group 1

 label Server Room

 description *****

 name Server Room

 call-forward busy 5000

 call-forward noan 5000 timeout 18

!

!

ephone-dn  2  dual-line

 call-waiting ring

 number 1001

 pickup-group 1

 label ***** *****

 description *****

 name *****

 call-forward busy 5000

 call-forward noan 5000 timeout 18

!

!

ephone-dn  3  dual-line

 call-waiting ring

 number 2001

 pickup-group 2

 label *****on *****

 description *****

 name *****on

 call-forward busy 5000

 call-forward noan 5000 timeout 18

!

!

ephone-dn  4  dual-line

 call-waiting ring

 number 1002

 pickup-group 1

 label ***** *****

 description *****

 name *****

 call-forward busy 5000

 call-forward noan 5000 timeout 18

!

!

ephone-dn  5  dual-line

 call-waiting ring

 number 2002

 pickup-group 2

 label ***** *****

 description *****

 name *****

 call-forward busy 5000

 call-forward noan 5000 timeout 18

!

!

ephone-dn  9

 number 9999

 paging ip 239.1.1.100 port 2000

!

!

ephone-dn  10

 number 1999

 call-forward busy 5000

 call-forward noan 5000 timeout 18

!

!

ephone-dn  11

 number 2999

!

!

ephone-dn  40

 number 5001

 park-slot timeout 90 limit 3

!

!

ephone-dn  41

 number 5002

 park-slot timeout 90 limit 3

!

!

ephone-dn  42

 number 5003

 park-slot timeout 90 limit 3

!

!

ephone-dn  47

 number A2

 intercom A1 barge-in no-mute label "Apartment"

!

!

ephone-dn  48

 number A1

 intercom A2 barge-in no-mute label "Server Room"

!

!

ephone  1

 description *****

 ephone-template 1

 mac-address *****

 paging-dn 9

 keep-conference

 button  1o1,10 6:47

!

!

!

ephone  2

 description *****

 ephone-template 1

 mac-address *****

 paging-dn 9

 keep-conference

 button  1o2,10 6:48

!

!

!

ephone  3

 description *****

 ephone-template 1

 mac-address *****

 paging-dn 9

 keep-conference

 button  1o3,11

!

!

banner motd 

*************************************************************

************  Unauthorized Access is Prohibited  ************

*************************************************************



  Access to this system is for the use of authorized

  personel only.



  You are hereby advised that all actions performed are

  subject to monitoring and are being recorded.  In the

  event of any possible criminal activity, evidence will

  be turned over to proper Law Enforcement personnel,

  and offenders will be prosecuted!



  You have accessed:  $(hostname).$(domain)



*************************************************************

************  Unauthorized Access is Prohibited  ************

*************************************************************



!

line con 0

 privilege level 15

 logging synchronous

 login authentication *****_Access

line aux 0

 logging synchronous

 login authentication *****_Access

line vty 0 4

 logging synchronous

 login authentication *****_Access

line vty 5 181

 logging synchronous

 login authentication *****_Access

!

ntp clock-period 17180419

ntp master

ntp server *****

!

end







**********  REMOTE ROUTER **********





!

! Last configuration change at 06:01:42 MST_DST Fri Sep 10 2010 by *****

! NVRAM config last updated at 06:02:06 MST_DST Fri Sep 10 2010 by *****

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname *****

!

boot-start-marker

boot-end-marker

!

enable secret 5 *****

!

clock timezone *****

clock summer-time ***** recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

aaa new-model

!

!

aaa group server radius *****

 server 10.0.226.251 auth-port 1645 acct-port 1646

 server 10.0.226.252 auth-port 1645 acct-port 1646

!

aaa group server radius *****

 server 10.0.2.251 auth-port 1645 acct-port 1646

 server 10.0.2.252 auth-port 1645 acct-port 1646

!

aaa group server radius *****

 server 10.0.12.251 auth-port 1645 acct-port 1646

 server 10.0.12.252 auth-port 1645 acct-port 1646

!

aaa authentication login *****Access group ***** local

aaa authorization network *****NetAuth if-authenticated 

aaa session-id common

ip subnet-zero

ip cef

!

!

ip domain name *****.com

ip name-server *****

ip name-server *****

ip dhcp excluded-address 10.0.212.1 10.0.212.50

ip dhcp excluded-address 10.0.214.1 10.0.214.50

ip dhcp excluded-address 10.0.216.1 10.0.216.50

ip dhcp excluded-address 10.0.218.1 10.0.218.50

ip dhcp excluded-address 10.0.220.1 10.0.220.50

!

ip dhcp pool *****10.0.212.0

   network 10.0.212.0 255.255.254.0

   domain-name *****.com

   default-router 10.0.212.1 

   netbios-name-server 10.0.210.221 

   dns-server 10.0.210.221 

   option 42 ip 10.0.208.1 

   option 150 ip 10.0.0.1 

   lease 0 8

!

ip dhcp pool *****10.0.214.0

   network 10.0.214.0 255.255.254.0

   domain-name *****.com

   default-router 10.0.214.1 

   netbios-name-server 10.0.210.221 

   dns-server 10.0.210.221 

   option 42 ip 10.0.208.1 

   option 150 ip 10.0.0.1 

   lease 0 8

!

ip dhcp pool *****10.0.216.0

   network 10.0.216.0 255.255.254.0

   domain-name *****.com

   default-router 10.0.216.1 

   netbios-name-server 10.0.210.221 

   dns-server 10.0.210.221 

   option 42 ip 10.0.208.1 

   option 150 ip 10.0.0.1 

   lease 0 8

!

ip dhcp pool *****10.0.218.0

   network 10.0.218.0 255.255.254.0

   domain-name *****.com

   default-router 10.0.218.1 

   netbios-name-server 10.0.210.221 

   dns-server 10.0.210.221 

   option 42 ip 10.0.208.1 

   option 150 ip 10.0.0.1 

   lease 0 8

!

ip dhcp pool *****10.0.220.0

   network 10.0.220.0 255.255.254.0

   domain-name *****.com

   default-router 10.0.220.1 

   netbios-name-server 10.0.210.221 

   dns-server 10.0.210.221 

   option 42 ip 10.0.208.1 

   option 150 ip 10.0.0.1 

   lease 0 8

!

ip multicast-routing 

ip inspect max-incomplete low 500

ip inspect max-incomplete high 700

ip inspect one-minute high 400

ip inspect udp idle-time 120

ip inspect dns-timeout 3

ip inspect tcp idle-time 360

ip inspect tcp synwait-time 15

ip inspect name *****_FW tcp

ip inspect name *****_FW udp

ip inspect name *****_FW icmp

ip inspect name *****_FW ftp

ip audit po max-events 100

!

!

!

!

!

!

!

!

!

!

!

!

username ***** privilege 15 secret *****

username ***** privilege 15 secret *****

username ***** privilege 15 secret *****

!

!

class-map match-any P2P

  match protocol gnutella

  match protocol kazaa2

class-map match-all VoiceOverIPSignaling

  match ip dscp af31 

class-map match-all VoiceOverIP

  match ip dscp ef 

!

!

policy-map VoiceOverIPPolicy

  class VoiceOverIP

   priority percent 10

  class VoiceOverIPSignaling

   bandwidth percent 2

  class class-default

   fair-queue

policy-map Drop_P2P

  class P2P

   drop

!

! 

!

crypto isakmp policy 1

 encr aes 256

 hash md5

 authentication pre-share

 group 2

crypto isakmp key ***** address *****

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set ESP-AES esp-aes 256 

!

crypto map *****VPNMap 1 ipsec-isakmp 

 description ***** VPN --> ***** VPN

 set peer *****

 set security-association lifetime seconds 86400

 set transform-set ESP-AES 

 set pfs group2

 match address *****VPNTraffic

!

!

!

!

interface Tunnel1

 ip address 172.16.0.210 255.255.255.252

 ip nat inside

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf authentication-key *****

 ip ospf mtu-ignore

 keepalive 5 3

 tunnel source FastEthernet1/0

 tunnel destination *****

 tunnel mode ipip

 crypto map *****VPNMap

!

interface FastEthernet0/0

 description ***** Fa0/0 --> L2 Access (10.0.208.0/23)

 no ip address

 speed 100

 full-duplex

!

interface FastEthernet0/0.208

 description ***** Fa0/0 --> L2 Access (10.0.208.0/23)

 encapsulation dot1Q 208

 ip address 10.0.208.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.210

 description ***** Fa0/0 --> L2 Access (10.0.210.0/23)

 encapsulation dot1Q 210

 ip address 10.0.210.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.212

 description ***** Fa0/0 --> L2 Access (10.0.212.0/23)

 encapsulation dot1Q 212

 ip address 10.0.212.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.214

 description ***** Fa0/0 --> L2 Access (10.0.214.0/23)

 encapsulation dot1Q 214

 ip address 10.0.214.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.216

 description ***** Fa0/0 --> L2 Access (10.0.216.0/23)

 encapsulation dot1Q 216

 ip address 10.0.216.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.218

 description ***** Fa0/0 --> L2 Access (10.0.218.0/23)

 encapsulation dot1Q 218

 ip address 10.0.218.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.220

 description ***** Fa0/0 --> L2 Access (10.0.220.0/23)

 encapsulation dot1Q 220

 ip address 10.0.220.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet0/0.222

 description ***** Fa0/0 --> L2 Access (10.0.222.0/23)

 encapsulation dot1Q 222

 ip address 10.0.222.1 255.255.254.0

 ip nat inside

 ip nbar protocol-discovery

 ip pim sparse-dense-mode

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 *****

 service-policy input Drop_P2P

!

interface FastEthernet1/0

 bandwidth 12000

 bandwidth inherit

 ip address ***** *****

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip inspect *****_FW out

 no ip mroute-cache

 duplex auto

 speed auto

 crypto map *****VPNMap

 service-policy output VoiceOverIPPolicy

!

router ospf 1

 router-id 10.0.208.1

 log-adjacency-changes

 area 0 authentication message-digest

 summary-address 10.0.208.0 255.255.240.0

 redistribute static subnets

 network 10.0.208.0 0.0.15.255 area 10.0.208.0

 network 172.16.0.210 0.0.0.0 area 0

 default-information originate

!

ip nat inside source list *****NAT interface FastEthernet1/0 overload

ip nat inside source static tcp 10.0.208.10 443 interface FastEthernet1/0 443

ip nat inside source static tcp 10.0.210.221 5356 interface FastEthernet1/0 5356

ip nat inside source static tcp 10.0.210.221 8410 interface FastEthernet1/0 8410

ip nat inside source static tcp 10.0.210.221 8409 interface FastEthernet1/0 8409

ip nat inside source static tcp 10.0.210.221 8408 interface FastEthernet1/0 8408

ip nat inside source static tcp 10.0.210.221 8407 interface FastEthernet1/0 8407

ip nat inside source static tcp 10.0.210.221 8406 interface FastEthernet1/0 8406

ip nat inside source static tcp 10.0.210.221 8405 interface FastEthernet1/0 8405

ip nat inside source static tcp 10.0.210.221 8404 interface FastEthernet1/0 8404

ip nat inside source static tcp 10.0.210.221 8403 interface FastEthernet1/0 8403

ip nat inside source static tcp 10.0.210.221 8402 interface FastEthernet1/0 8402

ip nat inside source static tcp 10.0.210.221 8401 interface FastEthernet1/0 8401

ip nat inside source static tcp 10.0.210.221 8400 interface FastEthernet1/0 8400

ip nat inside source static tcp 10.0.210.221 8453 interface FastEthernet1/0 8453

ip nat inside source static tcp 10.0.210.221 8443 interface FastEthernet1/0 8443

ip nat inside source static tcp 10.0.210.221 8411 interface FastEthernet1/0 8411

ip nat inside source static tcp 10.0.210.221 8412 interface FastEthernet1/0 8412

ip nat inside source static tcp 10.0.210.221 8413 interface FastEthernet1/0 8413

ip nat inside source static tcp 10.0.210.221 8414 interface FastEthernet1/0 8414

ip nat inside source static tcp 10.0.210.221 8415 interface FastEthernet1/0 8415

ip nat inside source static tcp 10.0.210.221 8416 interface FastEthernet1/0 8416

ip nat inside source static tcp 10.0.210.221 8417 interface FastEthernet1/0 8417

ip nat inside source static tcp 10.0.210.221 8418 interface FastEthernet1/0 8418

ip nat inside source static tcp 10.0.210.221 8419 interface FastEthernet1/0 8419

ip nat inside source static tcp 10.0.210.221 8420 interface FastEthernet1/0 8420

ip nat inside source static tcp 10.0.210.221 80 interface FastEthernet1/0 80

ip nat inside source static tcp 10.0.210.221 25 interface FastEthernet1/0 25

ip nat inside source static tcp 10.0.210.221 110 interface FastEthernet1/0 110

ip nat inside source static tcp 10.0.210.221 8080 interface FastEthernet1/0 8080

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 *****

!

ip dns server

!

!

ip access-list extended *****NAT

 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255

 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

 permit ip 10.0.0.0 0.0.255.255 any

 permit ip 172.16.0.0 0.0.255.255 any

ip access-list extended *****VPNTraffic

 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

 permit gre host ***** host *****

!

snmp-server community ***** RO

radius-server host 10.0.12.251 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.12.252 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.228.251 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.228.252 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.2.251 auth-port 1645 acct-port 1646 key *****

radius-server host 10.0.2.252 auth-port 1645 acct-port 1646 key *****

!

!

!

!

banner motd 

*************************************************************

************  Unauthorized Access is Prohibited  ************

*************************************************************



  Access to this system is for the use of authorized

  personel only.



  You are hereby advised that all actions performed are

  subject to monitoring and are being recorded.  In the

  event of any possible criminal activity, evidence will

  be turned over to proper Law Enforcement personnel,

  and offenders will be prosecuted!



  You have accessed:  $(hostname).$(domain)



*************************************************************

************  Unauthorized Access is Prohibited  ************

*************************************************************



!

line con 0

 privilege level 15

 logging synchronous

 login authentication *****Access

line aux 0

 logging synchronous

 login authentication *****Access

line vty 0 4

 logging synchronous

 login authentication *****Access

line vty 5 15

 logging synchronous

 login authentication *****Access

!

ntp clock-period 17180710

ntp master

ntp server 10.0.0.1

!

end


Author Comment

by:usslindstrom
ID: 33678630
All traffic between the two sites does in fact go through the tunnel as expected, Tunnel 1 on both sides.

Accepted Solution

by:
BarnyRitchley earned 500 total points
ID: 33680024
I think this has something to do with the router sending the CME generated RTP down the VPN tunnel.

Looking at your config, I notice you are using GRE tunneling with IPSEC protection for the L2L VPNs.  Is it mandatory you use this configuration?  I can't see any routing protocols being run, so think it may be good to simplify the configuration and run an IPsec L2L tunnel.

This will make it easier to debug.

Also, when you simulate the problem, do you notice the ACL counters increase showing traffic is being sent?

Do you see the encaps increase when replicating the problem if you do a 'sh cry ipsec sa'?


Author Comment

by:usslindstrom
ID: 33680319
Thanks for the information.

Yes, as far as Routing Protocols.  I'm running OSPF - and the only way I could get that to work over the IPSec tunnel was to go GRE.  I need the OSPF, so going without a GRE tunnel isn't an option here.

For the matched access-list statements...

Oddly enough - now that you mentioned it, I'm not seeing any GRE matches - that's strange because the tunnel definitely is up/up and I can reach both sides, with OSPF running.

show ip access-lists

Extended IP access list *****_VPNTraffic
    10 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255 (3384786 matches)
    20 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    30 permit gre host ***** host *****


I've attached the output of "show crypto ipsec sa" to the code block below.
interface: Tunnel1
    Crypto map tag: *****_VPNMap, local addr *****

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1653581, #pkts encrypt: 1653581, #pkts digest: 1653581
    #pkts decaps: 1724608, #pkts decrypt: 1724608, #pkts verify: 1724608
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 54, #recv errors 283

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0xA7F30F6B(2817724267)

     inbound esp sas:
      spi: 0xC07C638F(3229377423)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4274809/6654)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA7F30F6B(2817724267)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4161014/6645)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Dialer1
    Crypto map tag: *****_VPNMap, local addr *****

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1653719, #pkts encrypt: 1653719, #pkts digest: 1653719
    #pkts decaps: 1724754, #pkts decrypt: 1724754, #pkts verify: 1724754
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 54, #recv errors 283

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0xA7F30F6B(2817724267)

     inbound esp sas:
      spi: 0xC07C638F(3229377423)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4274756/6643)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA7F30F6B(2817724267)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4161014/6643)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: *****_VPNMap, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: *****
     path mtu 1424, ip mtu 1424, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: *****
     path mtu 1424, ip mtu 1424, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: *****
     path mtu 1424, ip mtu 1424, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


Author Comment

by:usslindstrom
ID: 33680334
And a snapshot of the current routing table from the central office...

Everything does in fact route over the Tunnel to get to the remote site.  Vice versa for the return trip.
Gateway of last resort is ***** to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C       172.16.0.208/30 is directly connected, Tunnel1
O       172.16.0.44/32 [110/3] via 10.0.0.22, 12:14:48, FastEthernet0/0
                       [110/3] via 10.0.0.21, 12:14:48, FastEthernet0/0
O       172.16.0.41/32 [110/3] via 10.0.0.22, 12:14:48, FastEthernet0/0
                       [110/3] via 10.0.0.21, 12:14:48, FastEthernet0/0
O       172.16.0.42/32 [110/3] via 10.0.0.22, 12:14:48, FastEthernet0/0
                       [110/3] via 10.0.0.21, 12:14:48, FastEthernet0/0
C       172.16.0.1/32 is directly connected, Loopback1
     *****/32 is subnetted, 1 subnets
C       ***** is directly connected, Dialer1
     10.0.0.0/23 is subnetted, 16 subnets
O       10.0.14.0 [110/2] via 10.0.0.22, 12:14:48, FastEthernet0/0
                  [110/2] via 10.0.0.21, 12:14:48, FastEthernet0/0
O       10.0.12.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                  [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O       10.0.2.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                 [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet0/0
O       10.0.4.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                 [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O IA    10.0.218.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.216.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.222.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.220.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.210.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.208.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.214.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.212.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.226.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                   [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O IA    10.0.224.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                   [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O IA    10.0.228.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                   [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
     *****/32 is subnetted, 1 subnets
C       ***** is directly connected, Dialer1
S*   0.0.0.0/0 [1/0] via *****
               is directly connected, Dialer1


Author Closing Comment

by:usslindstrom
ID: 33707045
The problem was exactly that.  Very nice observation.

You keyed me into checking out my access list, and I started delving into checking out why the gre statement in the ACL wasn't getting triggered.

Changing the Tunnel Mode from IP over IP to "tunnel mode gre ip" solved everything with the RTP.

Thank you very much for the pointers.
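
The mismatch found in this thread (a `permit gre` line in the crypto ACL that never matched while the tunnel ran `tunnel mode ipip`) can be checked for mechanically before it shows up as a zero counter. The following Python is an added example, not code from any poster in the thread; the ACL name `VPNTraffic`, the documentation-range addresses and all function names are assumptions, and it models only `permit` lines with contiguous wildcard masks.

```python
import ipaddress
import re

TUNNEL_PROTO = {"gre ip": 47, "ipip": 4}  # IP protocol each tunnel mode puts on the wire
ACL_PROTO = {"ip": None, "icmp": 1, "ipinip": 4, "gre": 47}  # "ip" matches any protocol

# Constructed excerpt modelled on the posted config. Addresses are
# documentation-range placeholders for the values scrubbed in the post.
SAMPLE_CONFIG = """\
interface Tunnel1
 tunnel source FastEthernet1/0
 tunnel destination 198.51.100.2
 tunnel mode ipip
!
interface FastEthernet1/0
 ip address 192.0.2.2 255.255.255.252
!
ip access-list extended VPNTraffic
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit gre host 192.0.2.2 host 198.51.100.2
"""

def sections(config):
    """Map each top-level line to its indented sub-commands (blank lines and '!' skipped)."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def take_addr(tokens):
    """Consume one ACL address spec (any | host A | A wildcard); wildcard must be contiguous."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def resolve(secs, source):
    """A tunnel source may be an address or an interface name; return the address."""
    body = "\n".join(secs.get(f"interface {source}", []))
    found = re.findall(r"^ip address (\S+) \S+$", body, re.M)
    return found[0] if found else source

def audit_tunnels(config, acl_name):
    """Report tunnels whose outer packets no permit line of the crypto ACL selects."""
    secs = sections(config)
    entries = []
    for line in secs.get(f"ip access-list extended {acl_name}", []):
        tok = line.split()
        if tok[0] == "permit" and tok[1] in ACL_PROTO:  # deny lines are not modelled
            rest = tok[2:]
            entries.append((tok[1], take_addr(rest), take_addr(rest)))
    findings = []
    for header, body in secs.items():
        opts = dict(re.findall(r"^tunnel (\w+) (.+)$", "\n".join(body), re.M))
        proto = TUNNEL_PROTO.get(opts.get("mode", "gre ip"))  # GRE is the IOS default
        if (not header.startswith("interface Tunnel") or proto is None
                or not {"source", "destination"} <= opts.keys()):
            continue  # not a tunnel, or a mode this example does not model
        src = ipaddress.ip_address(resolve(secs, opts["source"]))
        dst = ipaddress.ip_address(opts["destination"])
        hits = [e for e in entries if src in e[1] and dst in e[2]]
        if not any(ACL_PROTO[e[0]] in (None, proto) for e in hits):
            findings.append({"interface": header.split()[1], "wire_proto": proto,
                             "mismatched_acl_protocols": [e[0] for e in hits]})
    return findings
```

On the sample, `audit_tunnels(SAMPLE_CONFIG, "VPNTraffic")` reports Tunnel1 sending IP protocol 4 against an ACL line written for `gre`; with `tunnel mode gre ip` the same call returns no findings.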