Solved

VOIP One Way Audio, Call Manager Express 3.3

Posted on 2010-09-11
Last Modified: 2012-05-10
Experts,

In my small voice network, I am currently experiencing the following problem:  Users at a remote location *IPSEC over GRE* cannot hear audio from analog sources at the central office.  With both the inbound FXO port, as well as Music-on-hold, and the Automated Attendant...  The remote site cannot hear any of those features / services.



IP-IP calls work fine though throughout the network.

After searching a while on this topic, I've come across these pages:

https://cisco-support.hosted.jivesoftware.com/docs/DOC-2653
http://www.cisco.com/en/US/tech/tk652/tk698/technologies_tech_note09186a008009484b.shtml
http://www.voip-info.org/wiki/view/One-way+Audio

I've read through them all, and checked over my configuration of CME 3.3 - and can't see where I could be going wrong.  I've posted my Router config below, scrubbed for security.  Anything you guys see that could be causing the issue - if I could be pointed in the right direction, it would be greatly appreciated.






Here's a basic 5000' overview of the network

Central Office ---->  2621xm *IP gateway as well as telephony CME
Remote Office --->  2620xm IP gateway with GRE / IPSec tunnel back to Central

CME is only installed locally at the central office.  With the remote site, I'm simply passing option 150 back to the internal interface of the CME router.  Everything seems to work fine, since the phone works IP-IP, registers with CME, etc.

Also, the analog portion works perfectly at the central office.  All FXO calls, automated attendant, music on hold, etc. work fine here locally.  It's only the remote site that can't hear anything on the analog side of the house.

Any help you guys could share would be awesome.

voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 redirect ip2ip
 sip
  bind control source-interface FastEthernet0/0
  bind media source-interface FastEthernet0/0
  registrar server expires max 600 min 60

application
  service CME_AA flash://its-CISCO.2.0.1.0.tcl
  param operator 1999
  paramspace english language en
  paramspace english index 0
  paramspace english location flash://
  paramspace english prefix en
  param aa-pilot 5999

tftp-server flash:P00307020200.bin alias P00307020200.bin
tftp-server flash:P00307020200.loads alias P00307020200.loads
tftp-server flash:P00307020200.sb2 alias P00307020200.sb2
tftp-server flash:P00307020200.sbn alias P00307020200.sbn
tftp-server flash:Analog1.raw alias Analog1.raw
tftp-server flash:Analog2.raw alias Analog2.raw
tftp-server flash:AreYouThere.raw alias AreYouThere.raw
tftp-server flash:AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:Bass.raw alias Bass.raw
tftp-server flash:CallBack.raw alias CallBack.raw
tftp-server flash:Chime.raw alias Chime.raw
tftp-server flash:Classic1.raw alias Classic1.raw
tftp-server flash:Classic2.raw alias Classic2.raw
tftp-server flash:ClockShop.raw alias ClockShop.raw
tftp-server flash:DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:Drums1.raw alias Drums1.raw
tftp-server flash:Drums2.raw alias Drums2.raw
tftp-server flash:FilmScore.raw alias FilmScore.raw
tftp-server flash:HarpSynth.raw alias HarpSynth.raw
tftp-server flash:Jamaica.raw alias Jamaica.raw
tftp-server flash:KotoEffect.raw alias KotoEffect.raw
tftp-server flash:MusicBox.raw alias MusicBox.raw
tftp-server flash:Piano1.raw alias Piano1.raw
tftp-server flash:Piano2.raw alias Piano2.raw
tftp-server flash:Pop.raw alias Pop.raw
tftp-server flash:Pulse1.raw alias Pulse1.raw
tftp-server flash:Ring1.raw alias Ring1.raw
tftp-server flash:Ring2.raw alias Ring2.raw
tftp-server flash:Ring3.raw alias Ring3.raw
tftp-server flash:Ring4.raw alias Ring4.raw
tftp-server flash:Ring5.raw alias Ring5.raw
tftp-server flash:Ring6.raw alias Ring6.raw
tftp-server flash:Ring7.raw alias Ring7.raw
tftp-server flash:RingList.xml alias RingList.xml
tftp-server flash:Sax1.raw alias Sax1.raw
tftp-server flash:Sax2.raw alias Sax2.raw
tftp-server flash:Vibe.raw alias Vibe.raw


voice-port 1/1/0
 supervisory disconnect dualtone mid-call
 pre-dial-delay 0
 cptone JP
 timeouts call-disconnect 1
 timeouts ringing 45
 timeouts wait-release 2
 connection plar 5999

dial-peer voice 1 voip
 destination-pattern 1...
 session target ipv4:10.0.0.1

dial-peer voice 2 voip
 destination-pattern 2...
 session target ipv4:10.0.208.1

dial-peer voice 99 pots
 destination-pattern .T
 port 1/1/0
 forward-digits all

dial-peer voice 5999 voip
 service cme_aa
 destination-pattern 5999
 session target ipv4:172.16.0.1
 incoming called-number 5999
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad

sip-ua



!
telephony-service
 load 7960-7940 P00307020200
 max-ephones 24
 max-dn 48
 ip source-address 10.0.0.1 port 2000
 service phone displayIdleTimeout 00:30
 service phone displayOnDuration 1:00
 timeouts interdigit 2
 system message *****
 url services http://phone-xml.berbee.com/menu.xml
 time-zone 44
 time-format 24
 create cnf-files version-stamp 7960 Aug 28 2010 23:43:17
 max-conferences 4 gain -6
 call-forward pattern ....
 moh music-on-hold.au
 web admin system name admin secret *****
 dn-webedit
 transfer-system full-consult
 transfer-pattern ....
 secondary-dialtone 99
 after-hours block pattern 1 1900....... 7-24
 after-hours block pattern 2 0990...... 7-24
 directory entry 2 ***** name *****
 directory entry 1 ***** name *****

ephone-template  1
 softkeys idle  Redial Newcall Pickup Cfwdall Dnd
 softkeys seized  Redial Endcall Cfwdall Pickup Gpickup
 softkeys alerting  Endcall Callback
 softkeys connected  Hold Confrn Flash Park Trnsfer

ephone-dn  1  dual-line
 call-waiting ring
 number 1009
 pickup-group 1
 label *****
 description *****
 name *****
 call-forward busy 1599
 call-forward noan 1599 timeout 45


ephone-dn  2  dual-line
 call-waiting ring
 number 1001
 pickup-group 1
 label *****
 description *****
 name *****
 call-forward busy 1599
 call-forward noan 1599 timeout 45


ephone-dn  3  dual-line
 call-waiting ring
 number 2001
 pickup-group 2
 label *****
 description *****
 name *****
 call-forward busy 1599
 call-forward noan 1599 timeout 45


ephone-dn  4  dual-line
 call-waiting ring
 number 1002
 pickup-group 1
 label *****
 description *****
 name *****
 call-forward busy 1599
 call-forward noan 1599 timeout 45


ephone-dn  5  dual-line
 call-waiting ring
 number 2002
 pickup-group 2
 label *****
 description *****
 name *****
 call-forward busy 1599
 call-forward noan 1599 timeout 45


ephone-dn  9
 number 9999
 paging ip 239.1.1.100 port 2000

ephone-dn  10
 number 1999


ephone-dn  11
 number 2999


ephone-dn  40
 number 5001
 park-slot timeout 90 limit 3


ephone-dn  41
 number 5002
 park-slot timeout 90 limit 3


ephone-dn  42
 number 5003
 park-slot timeout 90 limit 3


ephone-dn  47
 number A2
 intercom A1 barge-in no-mute label "*****"


ephone-dn  48
 number A1
 intercom A2 barge-in no-mute label "*****"

ephone  1
 description *****
 ephone-template 1
 mac-address *****
 paging-dn 9
 keep-conference
 button  1o1,10 6:47



ephone  2
 description *****
 ephone-template 1
 mac-address *****
 paging-dn 9
 keep-conference
 button  1o2,10 6:48



ephone  3
 description *****
 ephone-template 1
 mac-address *****
 paging-dn 9
 keep-conference
 button  1o3,11

0
Question by:usslindstrom
7 Comments
 
LVL 2

Expert Comment

by:BarnyRitchley
ID: 33676775
How are the sites connected?

You will need a site-to-site (L2L) VPN between the two sites to avoid one-way audio issues.

Also, depending on the full configuration, you may need to do some policy-based routing, and/or assign the CME to a loopback interface so that the audio generated by the router is passed down the VPN.

Could you post passwordless configs for the routers at both sites?
0
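Whether router-generated audio is selected for the VPN depends on its source address, which can be checked against the ACLs the asker posts further down the thread. The Python sketch below is an added example, not part of any post: it evaluates IOS extended ACLs (wildcard masks, first match, implicit deny) for the two candidate source addresses in the central config, 10.0.0.1 on FastEthernet0/0 and 172.16.0.1 on Loopback1. Assumptions: `NAT_ACL` and `VPN_ACL` stand in for the scrubbed ACL names, the phone address 10.0.212.60 and the Internet address 203.0.113.5 are constructed, and only ACL matching is modelled.

```python
import ipaddress

# ACL text copied from the central router config posted in this thread.
# NAT_ACL and VPN_ACL are placeholders for the scrubbed ACL names; the
# "permit gre host ..." entry is omitted because its addresses are scrubbed.
# None of these entries carry port qualifiers, so ports are not parsed.
CENTRAL_ACLS = """
ip access-list extended NAT_ACL
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended VPN_ACL
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
"""


def take_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_spec, dst_spec), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
        elif tokens and tokens[0] in ("permit", "deny") and current is not None:
            src, rest = take_spec(tokens[2:])
            dst, _ = take_spec(rest)
            current.append((tokens[0], tokens[1], src, dst))
    return acls


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def first_match(acl, proto, src, dst):
    """Action of the first matching entry, or 'implicit-deny' if none match."""
    for action, ace_proto, src_spec, dst_spec in acl:
        if ace_proto not in ("ip", proto):
            continue
        if wildcard_match(src, *src_spec) and wildcard_match(dst, *dst_spec):
            return action
    return "implicit-deny"


def classify(acls, proto, src, dst):
    """What the two ACLs alone say about one flow (routing is not modelled)."""
    return {
        "crypto_acl": first_match(acls["VPN_ACL"], proto, src, dst),
        "nat_acl": first_match(acls["NAT_ACL"], proto, src, dst),
    }


if __name__ == "__main__":
    acls = parse_acls(CENTRAL_ACLS)
    flows = [
        # (label, proto, source, destination); destinations are constructed
        ("media from Fa0/0", "udp", "10.0.0.1", "10.0.212.60"),
        ("media from Loopback1", "udp", "172.16.0.1", "10.0.212.60"),
        ("Internet-bound", "udp", "10.0.0.1", "203.0.113.5"),
    ]
    for label, proto, src, dst in flows:
        print(f"{label:22} {src:>11} -> {dst:<12}", classify(acls, proto, src, dst))
```

A `crypto_acl` result of `implicit-deny` means the crypto map's match ACL does not select that flow by its inner addresses; whether it still reaches the remote site depends on routing over Tunnel1, which this check does not cover.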
 
LVL 5

Author Comment

by:usslindstrom
ID: 33678623
Thank you very much for the assistance.

If you have a moment, can you scrub through my configs?  I've posted both the central (first) and remote (second) below.  Both have been screened for passwords and IPs.

Thanks.

**********  CENTRAL ROUTER **********


!
! Last configuration change at 21:59:10 JST Mon Sep 13 2010 by *****
! NVRAM config last updated at 22:00:01 JST Mon Sep 13 2010 by *****
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot system flash:c2600-advipservicesk9-mz.124-25b.bin
boot-end-marker
!
enable secret 5 *****
!
aaa new-model
!
!
aaa group server radius *****
 server 10.0.226.251 auth-port 1645 acct-port 1646
 server 10.0.226.252 auth-port 1645 acct-port 1646
!
aaa group server radius *****
 server 10.0.2.251 auth-port 1645 acct-port 1646
 server 10.0.2.252 auth-port 1645 acct-port 1646
!
aaa group server radius *****
 server 10.0.12.251 auth-port 1645 acct-port 1646
 server 10.0.12.252 auth-port 1645 acct-port 1646
!
aaa authentication login *****_Access group ***** local
aaa authorization network default if-authenticated 
!
aaa session-id common
clock timezone *****
ip cef
!
!
!
!
ip domain name *****.com
ip name-server *****
ip name-server *****
ip multicast-routing 
ip inspect max-incomplete low 500
ip inspect max-incomplete high 700
ip inspect one-minute low 400
ip inspect one-minute high 400
ip inspect udp idle-time 120
ip inspect dns-timeout 3
ip inspect tcp idle-time 360
ip inspect tcp synwait-time 15
ip inspect name *****_FW tcp
ip inspect name *****_FW udp
ip inspect name *****_FW icmp
ip inspect name *****_FW ftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
voice service voip 
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 redirect ip2ip
 sip
  bind control source-interface FastEthernet0/0
  bind media source-interface FastEthernet0/0
  registrar server expires max 600 min 60
!
!
!
!
!
!
!
!
!
!
!
!
!
!
application
  service CME_AA flash://its-CISCO.2.0.1.0.tcl
  param operator 1999
  paramspace english language en
  paramspace english index 0
  paramspace english location flash://
  paramspace english prefix en
  param aa-pilot 5999
  !
!
username ***** privilege 15 secret *****
username ***** privilege 15 secret *****
archive
 log config
  hidekeys
!
!
!
class-map match-any P2P
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
class-map match-all VoiceOverIPSignaling
 match ip dscp af31 
class-map match-all VoiceOverIP
 match ip dscp ef 
 match protocol sip
 match protocol skinny
!
!
policy-map VoiceOverIPPolicy
 class VoiceOverIP
  priority percent 10
 class VoiceOverIPSignaling
  bandwidth percent 2
 class class-default
  fair-queue
policy-map Drop_P2P
 class P2P
   drop
!
! 
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-AES esp-aes 256 
!
crypto map *****_VPNMap 1 ipsec-isakmp 
 description ***** VPN --> ***** VPN
 set peer *****
 set security-association lifetime seconds 86400
 set transform-set ESP-AES 
 set pfs group2
 match address *****_VPNTraffic
!
!
!
!
interface Loopback1
 ip address 172.16.0.1 255.255.255.255
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 172.16.0.209 255.255.255.252
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf authentication-key *****
 ip ospf mtu-ignore
 ip ospf 1 area 0
 keepalive 5 3
 tunnel source Dialer1
 tunnel destination *****
 tunnel mode ipip
 crypto map *****_VPNMap
!
interface FastEthernet0/0
 description ***** Fa0/0 --> ***** Fa0/3 (10.0.0.0/23)
 ip address 10.0.0.1 255.255.254.0
 ip nbar protocol-discovery
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 ip ospf 1 area 0
 speed 100
 full-duplex
 service-policy input Drop_P2P
!
interface FastEthernet0/1
 description ***** Fa0/1 --> *****
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description ***** Dialer1 --> *****
 mtu 1424
 bandwidth 100000
 ip address negotiated
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip inspect *****_FW out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1396
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password *****
 ppp pap sent-username ***** password *****
 ppp ipcp route default
 crypto map *****_VPNMap
 service-policy output VoiceOverIPPolicy
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 area 0 authentication message-digest
 summary-address 10.0.0.0 255.255.240.0
 summary-address 10.0.224.0 255.255.240.0
 redistribute static subnets
 default-information originate
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip dns server
!
ip http server
no ip http secure-server
ip http path flash:
ip pim accept-rp auto-rp
ip pim send-rp-announce Loopback1 scope 15
ip pim send-rp-discovery scope 15
ip nat inside source list *****_NAT interface Dialer1 overload
ip nat inside source static tcp 10.0.2.221 80 interface Dialer1 80
ip nat inside source static udp 10.0.2.221 20 interface Dialer1 20
ip nat inside source static tcp 10.0.2.221 20 interface Dialer1 20
ip nat inside source static tcp 10.0.2.221 21 interface Dialer1 21
ip nat inside source static udp 10.0.2.221 21 interface Dialer1 21
ip nat inside source static tcp 10.0.2.221 8081 interface Dialer1 8081
ip nat inside source static udp 10.0.2.221 8081 interface Dialer1 8081
ip nat inside source static tcp 10.0.14.5 5000 interface Dialer1 5000
ip nat inside source static tcp 10.0.210.221 8443 interface Dialer1 8443
ip nat inside source static tcp 10.0.210.221 8453 interface Dialer1 8453
ip nat inside source static tcp 10.0.210.221 8400 interface Dialer1 8400
ip nat inside source static tcp 10.0.210.221 8401 interface Dialer1 8401
ip nat inside source static tcp 10.0.210.221 8402 interface Dialer1 8402
ip nat inside source static tcp 10.0.210.221 8403 interface Dialer1 8403
ip nat inside source static tcp 10.0.210.221 8404 interface Dialer1 8404
ip nat inside source static tcp 10.0.210.221 8405 interface Dialer1 8405
ip nat inside source static tcp 10.0.210.221 8406 interface Dialer1 8406
ip nat inside source static tcp 10.0.210.221 8407 interface Dialer1 8407
ip nat inside source static tcp 10.0.210.221 8408 interface Dialer1 8408
ip nat inside source static tcp 10.0.210.221 8409 interface Dialer1 8409
ip nat inside source static tcp 10.0.210.221 8410 interface Dialer1 8410
ip nat inside source static tcp 10.0.210.221 5356 interface Dialer1 5356
ip nat inside source static tcp 10.0.2.221 443 interface Dialer1 443
ip nat inside source static tcp 10.0.0.10 443 interface Dialer1 4443
ip nat inside source static tcp 10.0.14.5 80 interface Dialer1 8080
ip nat inside source static tcp 10.0.210.221 8411 interface Dialer1 8411
ip nat inside source static tcp 10.0.210.221 8412 interface Dialer1 8412
ip nat inside source static tcp 10.0.210.221 8413 interface Dialer1 8413
ip nat inside source static tcp 10.0.210.221 8414 interface Dialer1 8414
ip nat inside source static tcp 10.0.210.221 8415 interface Dialer1 8415
ip nat inside source static tcp 10.0.210.221 8416 interface Dialer1 8416
ip nat inside source static tcp 10.0.210.221 8417 interface Dialer1 8417
ip nat inside source static tcp 10.0.210.221 8418 interface Dialer1 8418
ip nat inside source static tcp 10.0.210.221 8419 interface Dialer1 8419
ip nat inside source static tcp 10.0.210.221 8420 interface Dialer1 8420
ip nat inside source static tcp 10.0.2.241 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.6 25 interface Dialer1 25
!
ip access-list extended *****_NAT
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended *****_SplitTunnel
 permit ip 10.0.0.0 0.0.15.255 10.0.12.0 0.0.1.255
 permit ip 10.0.224.0 0.0.15.255 10.0.12.0 0.0.1.255
ip access-list extended *****_VPNTraffic
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit gre host ***** host *****
ip access-list extended *****_UpdateAdjust
 deny   ip host 10.0.0.5 10.0.0.0 0.0.16.255
 deny   ip host 10.0.0.5 10.0.224.0 0.0.16.255
 permit ip host 10.0.0.5 any
!
snmp-server community public RO
!
!
tftp-server flash:P00307020200.bin alias P00307020200.bin
tftp-server flash:P00307020200.loads alias P00307020200.loads
tftp-server flash:P00307020200.sb2 alias P00307020200.sb2
tftp-server flash:P00307020200.sbn alias P00307020200.sbn
tftp-server flash:Analog1.raw alias Analog1.raw
tftp-server flash:Analog2.raw alias Analog2.raw
tftp-server flash:AreYouThere.raw alias AreYouThere.raw
tftp-server flash:AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:Bass.raw alias Bass.raw
tftp-server flash:CallBack.raw alias CallBack.raw
tftp-server flash:Chime.raw alias Chime.raw
tftp-server flash:Classic1.raw alias Classic1.raw
tftp-server flash:Classic2.raw alias Classic2.raw
tftp-server flash:ClockShop.raw alias ClockShop.raw
tftp-server flash:DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:Drums1.raw alias Drums1.raw
tftp-server flash:Drums2.raw alias Drums2.raw
tftp-server flash:FilmScore.raw alias FilmScore.raw
tftp-server flash:HarpSynth.raw alias HarpSynth.raw
tftp-server flash:Jamaica.raw alias Jamaica.raw
tftp-server flash:KotoEffect.raw alias KotoEffect.raw
tftp-server flash:MusicBox.raw alias MusicBox.raw
tftp-server flash:Piano1.raw alias Piano1.raw
tftp-server flash:Piano2.raw alias Piano2.raw
tftp-server flash:Pop.raw alias Pop.raw
tftp-server flash:Pulse1.raw alias Pulse1.raw
tftp-server flash:Ring1.raw alias Ring1.raw
tftp-server flash:Ring2.raw alias Ring2.raw
tftp-server flash:Ring3.raw alias Ring3.raw
tftp-server flash:Ring4.raw alias Ring4.raw
tftp-server flash:Ring5.raw alias Ring5.raw
tftp-server flash:Ring6.raw alias Ring6.raw
tftp-server flash:Ring7.raw alias Ring7.raw
tftp-server flash:RingList.xml alias RingList.xml
tftp-server flash:Sax1.raw alias Sax1.raw
tftp-server flash:Sax2.raw alias Sax2.raw
tftp-server flash:Vibe.raw alias Vibe.raw
radius-server host 10.0.12.251 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.12.252 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.228.251 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.228.252 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.2.251 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.2.252 auth-port 1645 acct-port 1646 key *****
!
control-plane
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
 supervisory disconnect dualtone mid-call
 pre-dial-delay 0
 cptone JP
 timeouts call-disconnect 1
 timeouts ringing 45
 timeouts wait-release 2
 connection plar 5999
!
voice-port 1/1/1
!
ccm-manager music-on-hold
!
mgcp bind control source-interface FastEthernet0/0
mgcp bind media source-interface FastEthernet0/0
mgcp behavior g729-variants static-pt
!
!
!
dial-peer voice 1 voip
 destination-pattern 1...
 session target ipv4:10.0.0.1
!
dial-peer voice 2 voip
 destination-pattern 2...
 session target ipv4:10.0.208.1
!
dial-peer voice 99 pots
 destination-pattern .T
 port 1/1/0
 forward-digits all
!
dial-peer voice 5999 voip
 service cme_aa
 destination-pattern 5999
 session target ipv4:172.16.0.1
 incoming called-number 5999
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 5000 voip
 description ***** --> *****
 destination-pattern 5000
 session protocol sipv2
 session target ipv4:10.0.2.241
 session transport tcp
 dtmf-relay rtp-nte
 codec g711ulaw
 fax rate disable
 fax protocol pass-through g711ulaw
 no vad
!
dial-peer voice 9999 voip
 description ***** --> *****
 destination-pattern 9999
 session protocol sipv2
 session target ipv4:10.0.2.241
 session transport tcp
 dtmf-relay rtp-nte
 codec g711ulaw
 fax rate disable
 fax protocol pass-through g711ulaw
 no vad
!
sip-ua 
 mwi-server ipv4:10.0.2.241 expires 3600 port 5060 transport tcp unsolicited
!
!
!
!
telephony-service
 load 7960-7940 P00307020200
 max-ephones 24
 max-dn 48
 ip source-address 10.0.0.1 port 2000
 service phone displayIdleTimeout 00:30
 service phone displayOnDuration 1:00
 timeouts interdigit 2
 system message *****.com
 url services http://phone-xml.berbee.com/menu.xml
 time-zone 44
 time-format 24
 create cnf-files version-stamp 7960 Aug 28 2010 23:43:17
 voicemail 5000
 max-conferences 4 gain -6
 call-forward pattern ....
 moh music-on-hold.au
 web admin system name admin secret *****
 dn-webedit 
 transfer-system full-consult
 transfer-pattern ....
 secondary-dialtone 99
 after-hours block pattern 1 1900....... 7-24
 after-hours block pattern 2 0990...... 7-24
 directory entry 2 ***** name ***** Cell
 directory entry 1 ***** name ***** Cell
!
!
ephone-template  1
 softkeys idle  Redial Newcall Pickup Cfwdall Dnd
 softkeys seized  Redial Endcall Cfwdall Pickup Gpickup
 softkeys alerting  Endcall Callback
 softkeys connected  Hold Confrn Flash Park Trnsfer
!
!
ephone-dn  1  dual-line
 call-waiting ring
 number 1009
 pickup-group 1
 label Server Room
 description *****
 name Server Room
 call-forward busy 5000
 call-forward noan 5000 timeout 18
!
!
ephone-dn  2  dual-line
 call-waiting ring
 number 1001
 pickup-group 1
 label ***** *****
 description *****
 name *****
 call-forward busy 5000
 call-forward noan 5000 timeout 18
!
!
ephone-dn  3  dual-line
 call-waiting ring
 number 2001
 pickup-group 2
 label *****on *****
 description *****
 name *****on
 call-forward busy 5000
 call-forward noan 5000 timeout 18
!
!
ephone-dn  4  dual-line
 call-waiting ring
 number 1002
 pickup-group 1
 label ***** *****
 description *****
 name *****
 call-forward busy 5000
 call-forward noan 5000 timeout 18
!
!
ephone-dn  5  dual-line
 call-waiting ring
 number 2002
 pickup-group 2
 label ***** *****
 description *****
 name *****
 call-forward busy 5000
 call-forward noan 5000 timeout 18
!
!
ephone-dn  9
 number 9999
 paging ip 239.1.1.100 port 2000
!
!
ephone-dn  10
 number 1999
 call-forward busy 5000
 call-forward noan 5000 timeout 18
!
!
ephone-dn  11
 number 2999
!
!
ephone-dn  40
 number 5001
 park-slot timeout 90 limit 3
!
!
ephone-dn  41
 number 5002
 park-slot timeout 90 limit 3
!
!
ephone-dn  42
 number 5003
 park-slot timeout 90 limit 3
!
!
ephone-dn  47
 number A2
 intercom A1 barge-in no-mute label "Apartment"
!
!
ephone-dn  48
 number A1
 intercom A2 barge-in no-mute label "Server Room"
!
!
ephone  1
 description *****
 ephone-template 1
 mac-address *****
 paging-dn 9
 keep-conference
 button  1o1,10 6:47
!
!
!
ephone  2
 description *****
 ephone-template 1
 mac-address *****
 paging-dn 9
 keep-conference
 button  1o2,10 6:48
!
!
!
ephone  3
 description *****
 ephone-template 1
 mac-address *****
 paging-dn 9
 keep-conference
 button  1o3,11
!
!
banner motd 
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************

  Access to this system is for the use of authorized
  personel only.

  You are hereby advised that all actions performed are
  subject to monitoring and are being recorded.  In the
  event of any possible criminal activity, evidence will
  be turned over to proper Law Enforcement personnel,
  and offenders will be prosecuted!

  You have accessed:  $(hostname).$(domain)

*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************

!
line con 0
 privilege level 15
 logging synchronous
 login authentication *****_Access
line aux 0
 logging synchronous
 login authentication *****_Access
line vty 0 4
 logging synchronous
 login authentication *****_Access
line vty 5 181
 logging synchronous
 login authentication *****_Access
!
ntp clock-period 17180419
ntp master
ntp server *****
!
end



**********  REMOTE ROUTER **********


!
! Last configuration change at 06:01:42 MST_DST Fri Sep 10 2010 by *****
! NVRAM config last updated at 06:02:06 MST_DST Fri Sep 10 2010 by *****
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****
!
clock timezone *****
clock summer-time ***** recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
aaa new-model
!
!
aaa group server radius *****
 server 10.0.226.251 auth-port 1645 acct-port 1646
 server 10.0.226.252 auth-port 1645 acct-port 1646
!
aaa group server radius *****
 server 10.0.2.251 auth-port 1645 acct-port 1646
 server 10.0.2.252 auth-port 1645 acct-port 1646
!
aaa group server radius *****
 server 10.0.12.251 auth-port 1645 acct-port 1646
 server 10.0.12.252 auth-port 1645 acct-port 1646
!
aaa authentication login *****Access group ***** local
aaa authorization network *****NetAuth if-authenticated 
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name *****.com
ip name-server *****
ip name-server *****
ip dhcp excluded-address 10.0.212.1 10.0.212.50
ip dhcp excluded-address 10.0.214.1 10.0.214.50
ip dhcp excluded-address 10.0.216.1 10.0.216.50
ip dhcp excluded-address 10.0.218.1 10.0.218.50
ip dhcp excluded-address 10.0.220.1 10.0.220.50
!
ip dhcp pool *****10.0.212.0
   network 10.0.212.0 255.255.254.0
   domain-name *****.com
   default-router 10.0.212.1 
   netbios-name-server 10.0.210.221 
   dns-server 10.0.210.221 
   option 42 ip 10.0.208.1 
   option 150 ip 10.0.0.1 
   lease 0 8
!
ip dhcp pool *****10.0.214.0
   network 10.0.214.0 255.255.254.0
   domain-name *****.com
   default-router 10.0.214.1 
   netbios-name-server 10.0.210.221 
   dns-server 10.0.210.221 
   option 42 ip 10.0.208.1 
   option 150 ip 10.0.0.1 
   lease 0 8
!
ip dhcp pool *****10.0.216.0
   network 10.0.216.0 255.255.254.0
   domain-name *****.com
   default-router 10.0.216.1 
   netbios-name-server 10.0.210.221 
   dns-server 10.0.210.221 
   option 42 ip 10.0.208.1 
   option 150 ip 10.0.0.1 
   lease 0 8
!
ip dhcp pool *****10.0.218.0
   network 10.0.218.0 255.255.254.0
   domain-name *****.com
   default-router 10.0.218.1 
   netbios-name-server 10.0.210.221 
   dns-server 10.0.210.221 
   option 42 ip 10.0.208.1 
   option 150 ip 10.0.0.1 
   lease 0 8
!
ip dhcp pool *****10.0.220.0
   network 10.0.220.0 255.255.254.0
   domain-name *****.com
   default-router 10.0.220.1 
   netbios-name-server 10.0.210.221 
   dns-server 10.0.210.221 
   option 42 ip 10.0.208.1 
   option 150 ip 10.0.0.1 
   lease 0 8
!
ip multicast-routing 
ip inspect max-incomplete low 500
ip inspect max-incomplete high 700
ip inspect one-minute high 400
ip inspect udp idle-time 120
ip inspect dns-timeout 3
ip inspect tcp idle-time 360
ip inspect tcp synwait-time 15
ip inspect name *****_FW tcp
ip inspect name *****_FW udp
ip inspect name *****_FW icmp
ip inspect name *****_FW ftp
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ***** privilege 15 secret *****
username ***** privilege 15 secret *****
username ***** privilege 15 secret *****
!
!
class-map match-any P2P
  match protocol gnutella
  match protocol kazaa2
class-map match-all VoiceOverIPSignaling
  match ip dscp af31 
class-map match-all VoiceOverIP
  match ip dscp ef 
!
!
policy-map VoiceOverIPPolicy
  class VoiceOverIP
   priority percent 10
  class VoiceOverIPSignaling
   bandwidth percent 2
  class class-default
   fair-queue
policy-map Drop_P2P
  class P2P
   drop
!
! 
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-AES esp-aes 256 
!
crypto map *****VPNMap 1 ipsec-isakmp 
 description ***** VPN --> ***** VPN
 set peer *****
 set security-association lifetime seconds 86400
 set transform-set ESP-AES 
 set pfs group2
 match address *****VPNTraffic
!
!
!
!
interface Tunnel1
 ip address 172.16.0.210 255.255.255.252
 ip nat inside
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf authentication-key *****
 ip ospf mtu-ignore
 keepalive 5 3
 tunnel source FastEthernet1/0
 tunnel destination *****
 tunnel mode ipip
 crypto map *****VPNMap
!
interface FastEthernet0/0
 description ***** Fa0/0 --> L2 Access (10.0.208.0/23)
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.208
 description ***** Fa0/0 --> L2 Access (10.0.208.0/23)
 encapsulation dot1Q 208
 ip address 10.0.208.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.210
 description ***** Fa0/0 --> L2 Access (10.0.210.0/23)
 encapsulation dot1Q 210
 ip address 10.0.210.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.212
 description ***** Fa0/0 --> L2 Access (10.0.212.0/23)
 encapsulation dot1Q 212
 ip address 10.0.212.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.214
 description ***** Fa0/0 --> L2 Access (10.0.214.0/23)
 encapsulation dot1Q 214
 ip address 10.0.214.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.216
 description ***** Fa0/0 --> L2 Access (10.0.216.0/23)
 encapsulation dot1Q 216
 ip address 10.0.216.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.218
 description ***** Fa0/0 --> L2 Access (10.0.218.0/23)
 encapsulation dot1Q 218
 ip address 10.0.218.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.220
 description ***** Fa0/0 --> L2 Access (10.0.220.0/23)
 encapsulation dot1Q 220
 ip address 10.0.220.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet0/0.222
 description ***** Fa0/0 --> L2 Access (10.0.222.0/23)
 encapsulation dot1Q 222
 ip address 10.0.222.1 255.255.254.0
 ip nat inside
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 *****
 service-policy input Drop_P2P
!
interface FastEthernet1/0
 bandwidth 12000
 bandwidth inherit
 ip address ***** *****
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect *****_FW out
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map *****VPNMap
 service-policy output VoiceOverIPPolicy
!
router ospf 1
 router-id 10.0.208.1
 log-adjacency-changes
 area 0 authentication message-digest
 summary-address 10.0.208.0 255.255.240.0
 redistribute static subnets
 network 10.0.208.0 0.0.15.255 area 10.0.208.0
 network 172.16.0.210 0.0.0.0 area 0
 default-information originate
!
ip nat inside source list *****NAT interface FastEthernet1/0 overload
ip nat inside source static tcp 10.0.208.10 443 interface FastEthernet1/0 443
ip nat inside source static tcp 10.0.210.221 5356 interface FastEthernet1/0 5356
ip nat inside source static tcp 10.0.210.221 8410 interface FastEthernet1/0 8410
ip nat inside source static tcp 10.0.210.221 8409 interface FastEthernet1/0 8409
ip nat inside source static tcp 10.0.210.221 8408 interface FastEthernet1/0 8408
ip nat inside source static tcp 10.0.210.221 8407 interface FastEthernet1/0 8407
ip nat inside source static tcp 10.0.210.221 8406 interface FastEthernet1/0 8406
ip nat inside source static tcp 10.0.210.221 8405 interface FastEthernet1/0 8405
ip nat inside source static tcp 10.0.210.221 8404 interface FastEthernet1/0 8404
ip nat inside source static tcp 10.0.210.221 8403 interface FastEthernet1/0 8403
ip nat inside source static tcp 10.0.210.221 8402 interface FastEthernet1/0 8402
ip nat inside source static tcp 10.0.210.221 8401 interface FastEthernet1/0 8401
ip nat inside source static tcp 10.0.210.221 8400 interface FastEthernet1/0 8400
ip nat inside source static tcp 10.0.210.221 8453 interface FastEthernet1/0 8453
ip nat inside source static tcp 10.0.210.221 8443 interface FastEthernet1/0 8443
ip nat inside source static tcp 10.0.210.221 8411 interface FastEthernet1/0 8411
ip nat inside source static tcp 10.0.210.221 8412 interface FastEthernet1/0 8412
ip nat inside source static tcp 10.0.210.221 8413 interface FastEthernet1/0 8413
ip nat inside source static tcp 10.0.210.221 8414 interface FastEthernet1/0 8414
ip nat inside source static tcp 10.0.210.221 8415 interface FastEthernet1/0 8415
ip nat inside source static tcp 10.0.210.221 8416 interface FastEthernet1/0 8416
ip nat inside source static tcp 10.0.210.221 8417 interface FastEthernet1/0 8417
ip nat inside source static tcp 10.0.210.221 8418 interface FastEthernet1/0 8418
ip nat inside source static tcp 10.0.210.221 8419 interface FastEthernet1/0 8419
ip nat inside source static tcp 10.0.210.221 8420 interface FastEthernet1/0 8420
ip nat inside source static tcp 10.0.210.221 80 interface FastEthernet1/0 80
ip nat inside source static tcp 10.0.210.221 25 interface FastEthernet1/0 25
ip nat inside source static tcp 10.0.210.221 110 interface FastEthernet1/0 110
ip nat inside source static tcp 10.0.210.221 8080 interface FastEthernet1/0 8080
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 *****
!
ip dns server
!
!
ip access-list extended *****NAT
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended *****VPNTraffic
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit gre host ***** host *****
!
snmp-server community ***** RO
radius-server host 10.0.12.251 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.12.252 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.228.251 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.228.252 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.2.251 auth-port 1645 acct-port 1646 key *****
radius-server host 10.0.2.252 auth-port 1645 acct-port 1646 key *****
!
!
!
!
banner motd 
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************

  Access to this system is for the use of authorized
  personel only.

  You are hereby advised that all actions performed are
  subject to monitoring and are being recorded.  In the
  event of any possible criminal activity, evidence will
  be turned over to proper Law Enforcement personnel,
  and offenders will be prosecuted!

  You have accessed:  $(hostname).$(domain)

*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************

!
line con 0
 privilege level 15
 logging synchronous
 login authentication *****Access
line aux 0
 logging synchronous
 login authentication *****Access
line vty 0 4
 logging synchronous
 login authentication *****Access
line vty 5 15
 logging synchronous
 login authentication *****Access
!
ntp clock-period 17180710
ntp master
ntp server 10.0.0.1
!
end


0
 
LVL 5

Author Comment

by:usslindstrom
ID: 33678630
All traffic between the two sites does in fact go through the tunnel as expected, Tunnel 1 on both sides.
0

 
LVL 2

Accepted Solution

by:
BarnyRitchley earned 2000 total points
ID: 33680024
I think this has something to do with the router sending the CME generated RTP down the VPN tunnel.

Looking at your config, I notice you are using GRE tunneling with IPSEC protection for the L2L VPNs.  Is it mandatory you use this configuration?  I can't see any routing protocols being run, so think it may be good to simplify the configuration and run an IPsec L2L tunnel.

This will make it easier to debug.

Also, when you simulate the problem, do you notice the ACL counters increase showing traffic is being sent?

Do you see the encaps increase when replicating the problem if you do a 'sh cry ipsec sa'?

0
 
LVL 5

Author Comment

by:usslindstrom
ID: 33680319
Thanks for the information.

Yes, as far as Routing Protocols.  I'm running OSPF - and the only way I could get that to work over the IPSec tunnel was to go GRE.  I need the OSPF, so going without a GRE tunnel isn't an option here.

For the matched access-list statements...

Oddly enough - now that you mentioned it, I'm not seeing any GRE matches - that's strange because the tunnel definitely is up/up and I can reach both sides, with OSPF running.

show ip access-lists

Extended IP access list *****_VPNTraffic
    10 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255 (3384786 matches)
    20 permit icmp 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    30 permit gre host ***** host *****


I've attached the output of "show crypto ipsec sa" to the code block below.
interface: Tunnel1
    Crypto map tag: *****_VPNMap, local addr *****

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1653581, #pkts encrypt: 1653581, #pkts digest: 1653581
    #pkts decaps: 1724608, #pkts decrypt: 1724608, #pkts verify: 1724608
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 54, #recv errors 283

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0xA7F30F6B(2817724267)

     inbound esp sas:
      spi: 0xC07C638F(3229377423)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4274809/6654)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA7F30F6B(2817724267)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4161014/6645)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Dialer1
    Crypto map tag: *****_VPNMap, local addr *****

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1653719, #pkts encrypt: 1653719, #pkts digest: 1653719
    #pkts decaps: 1724754, #pkts decrypt: 1724754, #pkts verify: 1724754
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 54, #recv errors 283

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0xA7F30F6B(2817724267)

     inbound esp sas:
      spi: 0xC07C638F(3229377423)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4274756/6643)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA7F30F6B(2817724267)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: *****_VPNMap
        sa timing: remaining key lifetime (k/sec): (4161014/6643)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *****, remote crypto endpt.: *****
     path mtu 1404, ip mtu 1404, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: *****_VPNMap, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: *****
     path mtu 1424, ip mtu 1424, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/1/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: *****
     path mtu 1424, ip mtu 1424, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*****/255.255.255.255/47/0)
   current_peer ***** port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: *****
     path mtu 1424, ip mtu 1424, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


0
 
LVL 5

Author Comment

by:usslindstrom
ID: 33680334
And a snapshot of the current routing table from the central office...

Everything does in fact route over the Tunnel to get to the remote site.  Vice versa for the return trip.
Gateway of last resort is ***** to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C       172.16.0.208/30 is directly connected, Tunnel1
O       172.16.0.44/32 [110/3] via 10.0.0.22, 12:14:48, FastEthernet0/0
                       [110/3] via 10.0.0.21, 12:14:48, FastEthernet0/0
O       172.16.0.41/32 [110/3] via 10.0.0.22, 12:14:48, FastEthernet0/0
                       [110/3] via 10.0.0.21, 12:14:48, FastEthernet0/0
O       172.16.0.42/32 [110/3] via 10.0.0.22, 12:14:48, FastEthernet0/0
                       [110/3] via 10.0.0.21, 12:14:48, FastEthernet0/0
C       172.16.0.1/32 is directly connected, Loopback1
     *****/32 is subnetted, 1 subnets
C       ***** is directly connected, Dialer1
     10.0.0.0/23 is subnetted, 16 subnets
O       10.0.14.0 [110/2] via 10.0.0.22, 12:14:48, FastEthernet0/0
                  [110/2] via 10.0.0.21, 12:14:48, FastEthernet0/0
O       10.0.12.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                  [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O       10.0.2.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                 [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet0/0
O       10.0.4.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                 [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O IA    10.0.218.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.216.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.222.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.220.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.210.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.208.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.214.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.212.0 [110/11112] via 172.16.0.210, 12:14:49, Tunnel1
O IA    10.0.226.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                   [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O IA    10.0.224.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                   [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
O IA    10.0.228.0 [110/2] via 10.0.0.22, 12:14:49, FastEthernet0/0
                   [110/2] via 10.0.0.21, 12:14:49, FastEthernet0/0
     *****/32 is subnetted, 1 subnets
C       ***** is directly connected, Dialer1
S*   0.0.0.0/0 [1/0] via *****
               is directly connected, Dialer1


0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 33707045
The problem was exactly that.  Very nice observation.

You keyed me into checking out my access list, and I started delving into checking out why the gre statement in the ACL wasn't getting triggered.

Changing the Tunnel Mode from IP over IP to "tunnel mode gre ip" solved everything with the RTP.

Thank you very much for the pointers.
0
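The counter check suggested in the accepted answer, as an added example that is not part of the original thread: a Python parser for `show crypto ipsec sa` text that lists each proxy identity with its encaps/decaps counters and flags interfaces where the GRE (protocol 47) selector is idle while another selector carries traffic, the pattern visible in the output posted above. The sample text, its addresses and the function names are constructed for illustration.

```python
import re

# IANA protocol numbers seen in the proxy identities (0 means "any IP").
PROTO_NAMES = {0: "ip", 1: "icmp", 4: "ipip", 47: "gre"}

# Constructed sample in the layout of IOS "show crypto ipsec sa" output.
# 192.0.2.1 and 198.51.100.1 are documentation addresses, not values from the thread.
SAMPLE = """\
interface: Tunnel1
    Crypto map tag: EXAMPLE_VPNMap, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
    #pkts encaps: 1653581, #pkts encrypt: 1653581, #pkts digest: 1653581
    #pkts decaps: 1724608, #pkts decrypt: 1724608, #pkts verify: 1724608
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 54, #recv errors 283

   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per proxy identity, tagged with its interface."""
    entries, iface, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("interface:"):
            iface, cur = line.split(":", 1)[1].strip(), None
            continue
        ident = IDENT_RE.match(line)
        if ident:
            side, addr, mask, proto, _port = ident.groups()
            if side == "local":  # a local ident line opens a new selector
                cur = {"interface": iface, "proto": int(proto), "encaps": 0,
                       "decaps": 0, "send_errors": 0, "recv_errors": 0}
                entries.append(cur)
            if cur is not None:
                cur[side] = f"{addr}/{mask}"
            continue
        if cur is None:
            continue
        for name, value in COUNT_RE.findall(line):
            cur[name] = int(value)
        errors = ERROR_RE.search(line)
        if errors:
            cur["send_errors"], cur["recv_errors"] = map(int, errors.groups())
    return entries


def idle_gre_interfaces(entries):
    """Interfaces whose GRE selector is idle while another selector is busy."""
    busy = {e["interface"] for e in entries if e["encaps"] or e["decaps"]}
    return sorted({e["interface"] for e in entries
                   if e["proto"] == 47 and e["interface"] in busy
                   and not (e["encaps"] or e["decaps"])})


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    for e in parsed:
        proto = PROTO_NAMES.get(e["proto"], str(e["proto"]))
        print(f'{e["interface"]:10} {proto:5} {e["local"]} -> {e["remote"]} '
              f'encaps={e["encaps"]} decaps={e["decaps"]}')
    print("GRE selector idle on:", idle_gre_interfaces(parsed))
```

An idle protocol-47 selector next to a busy 10.0.0.0/16 selector shows that traffic is being encrypted under the broad `ip` entry of the crypto ACL and not as GRE, which is the cue to check the tunnel mode on both ends.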
