Cook77

VOIP over IPSEC tunnel - no voice after ringing

Hello All,

We have a VOIP environment, please see the attached image. We use an Asterisk 1.6 VOIP server running on Debian Linux, 2 pcs of Juniper SSG-5 routers with 6.3.0r5 firmware, and Linksys VOIP phones. We have installed and configured the Asterisk server, configured trust-untrust policies on the SSG-5 routers, and set up the phones. All phones in SITE1 have been registered on the Asterisk server located in SITE2 via the IPSEC tunnel.

Our problem is very strange, I'll try to explain it:

1. When the phone turns on, it registers well, and incoming and outgoing calls work (rings and voice).
2. After approx. 5 minutes, incoming calls fail: the phone rings, but there is no voice when it is picked up; the IP phone still displays "Answering ..." and the caller's phone shows "Calling ...". After we take down the IP phone, the caller still shows "Calling ..." until the call expires because of the time-out.
3. If I call back the caller from the IP phone, the call works (rings and voice as well).
4. After calling back, incoming calls work well, but after approx. 5 minutes of idle time there is again no voice on incoming calls, until I make a call from the IP phone to the outside.

The phone has been registered continuously.

We checked the following:
- turned off SIP feature in the ALG in the SSG-5;
- defined voice protocol group in SSG-5 (UDP traffic between port 10000:20000);
- created a trust-to-untrust policy in each SSG-5 which allows ANY traffic between the IP phone and the Asterisk server on both sides and vice versa;
- turned off any iptables firewall in the Asterix Server (all packets accepted);
- logged traffic in SSG-5 by policy, and ensured no dropped packets.

Any idea or suggestions please?
thanks,
Tamas

ip-phone-topology.jpg
decoleur

It sounds like a routing issue from the server to the IP phone. When you turn on the IP phone, it registers by initiating communication with the Asterisk server. The keep-alives from the phone to the server work because the phone knows how to get to the VOIP server. After a period of time the communication from the VOIP server times out and the communications from the outside fail.

Try this as a test. Set up a continuous ping from the Asterisk server to the IP phone. Wait five minutes and then try to make a call; if it works, you have to do something on the VOIP server to maintain the route to the remote phone. This could be as simple as adding a static route to the IP phone network on the VOIP server using the SSG5-B as a gateway.

If this doesn't work I have more tricks up my sleeve.

Let us know what you come up with.

-t
Cook77

ASKER

I tried, but when I made the second call the problem was still here! The IP phone displays answering and no voice communication comes up ... Please search your sleeve for some more tricks! :)

You're missing one important port related to VoIP. 5060 must also be allowed.

In your sip.conf entry for the phone, especially the one just connecting over the raw internet, make sure you have a nat=yes setting.

Yes SIP needs to be allowed...

Also, there are two parts to every IP phone call: the C&C and the audio stream(s). When a call gets initiated, the C&C is responsible for setting up the call; this is what gives you your ringing and the presentation on the phone, and then it connects the audio streams in both directions.

If the phone rings then you have call setup working; that means that the VOIP server can receive input from both sides and communicate with both sides. After the call setup finishes, the VOIP server drops out and lets the endpoints communicate directly with each other. My guess is that your voice gateway cannot initiate traffic to your remote IP phone.

Go to your public gateway and try to ping your IP phone. If that doesn't work, add a static route and try again.

Hope this helps,

-t
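
decoleur's hypothesis, that the server side cannot initiate traffic to the phone once the path has been idle, can also be checked at the SIP/UDP level instead of with ICMP ping. The script below is an added example, not part of the original thread; the addresses are constructed placeholders, and it assumes the phone answers SIP OPTIONS on UDP 5060 and that the script runs on the Asterisk host.

```python
import socket
import time
import uuid

def build_options(phone_ip, local_ip, local_port):
    """Build a minimal RFC 3261 OPTIONS request addressed to the phone."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # RFC 3261 branch cookie
    lines = [
        f"OPTIONS sip:{phone_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{phone_ip}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines).encode() + b"\r\n\r\n"

def parse_status(datagram):
    """Return the status code of a SIP response, or None for anything else."""
    first = datagram.split(b"\r\n", 1)[0].decode(errors="replace").split(" ", 2)
    if len(first) >= 2 and first[0] == "SIP/2.0" and first[1].isdigit():
        return int(first[1])
    return None

def probe(phone_ip, local_ip, port=5060, timeout=2.0):
    """Send one OPTIONS from the server side; any SIP reply proves the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((local_ip, 0))  # ephemeral port, Asterisk itself holds 5060
        s.sendto(build_options(phone_ip, local_ip, s.getsockname()[1]), (phone_ip, port))
        try:
            return parse_status(s.recvfrom(4096)[0])
        except OSError:  # timeout or ICMP error: nothing came back
            return None

def watch(phone_ip, local_ip, idle_s=360, rounds=3):
    """Probe, stay idle longer than the ~5 minutes in the thread, repeat."""
    results = []
    for i in range(rounds):
        time.sleep(idle_s if i else 0)
        results.append((time.strftime("%H:%M:%S"), probe(phone_ip, local_ip)))
    return results

if __name__ == "__main__":
    # Constructed addresses: replace with the phone IP and the server's own IP.
    for stamp, code in watch("192.0.2.10", "198.51.100.5"):
        print(stamp, code or "no reply: server-initiated traffic is not arriving")
```

A reply right after the phone registers followed by no reply after the idle period points at a session or route expiring on the path rather than at the phone's SIP configuration.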
Cook77

ASKER

I think the 5060/tcp port thing is only a joke! :) Of course these ports are open (for now the iptables on the Asterisk side is all ACCEPT, only for the testing time) and there are no service restrictions in the SSG5 policies.

I tried to add the nat=yes line in sip.conf; I hope I put it in the right section:

[PAC6021]
type=friend
defaultuser=PAC6021
secret=*********
callerid=PAC <xxxxxxx>
host=dynamic
context=PAC-out
dtmfmode=auto
canreinvite=no
disallow=all
allow=ulaw
nat=yes

I'll check decoleur's suggestion and write back!
ASKER CERTIFIED SOLUTION
Cook77
Asker provided a workaround useful for the PAQ.

Qlemo
Cleanup Volunteer
Starting the auto-close procedure on behalf of the question asker.

_alias99
Community Support Moderator