Link to home
Start Free TrialLog in
Avatar of jplagens
jplagensFlag for United States of America

asked on

Can't call from CME to CME across VPN tunnel

I'm having trouble trying to get two Cisco CME routers to dial each other across an IPSEC vpn tunnel.

Topology is:


CME Router Site A-----SonicWall A ------ISP-----cloud-----ISP-----SonicWall B----CME Router Site B

Site A extensions are: 5800-5899
Site B extensions are: 5900-5999


The Sonicwalls are connected via a site-to-site vpn tunnel.  From a workstation behind each CME router I can ping the data and voice vlan interace of each respective side. It appears I have full connectivity.

When I try to dial across the vpn tunnel nothing happens and the phone eventually times out.


What needs to happen is Site B needs to be able to call Site A, and Site B also needs use TEHO (tail-end hop off) for 10 digit dialing through site A.


When I simulate a call using csim start xxxxxx I get:



SITE-B#csim start 5838
SITE-B#
012245: Jan  8 04:27:34.267: csim: called number = 5838, loop count = 1 ping count = 0

012246: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
   Calling Number=, Called Number=5838, Peer Info Type=DIALPEER_INFO_SPEECH
012247: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
   Match Rule=DP_MATCH_DEST; Called Number=5838
012248: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
   Result=Success(0) after DP_MATCH_DEST
012249: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:
   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0
012250: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/DPM/dpMatchPeers:
   Result=SUCCESS(0)
   List of Matched Outgoing Dial-peer(s):
     1: Dial-peer Tag=64
012251: Jan  8 04:27:34.267: csimSetupPeer peer type(2), destPat(5838), matched(2), target()
012252: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/ccCallSetupRequest:
   Destination=, Calling IE Present=FALSE, Mode=0,
   Outgoing Dial-peer=64, Params=0x8AC32594, Progress Indication=NULL(0)
012253: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/ccCheckClipClir:
   In: Calling Number=(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed)
012254: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/ccCheckClipClir:
   Out: Calling Number=(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed)
012255: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/ccCallSetupRequest:
   Destination Pattern=58.., Called Number=5838, Digit Strip=FALSE
012256: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/ccCallSetupRequest:
   Calling Number=(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
   Called Number=5838(TON=Unknown, NPI=Unknown),
   Redirect Number=, Display Info=
   Account Number=, Final Destination Flag=FALSE,
   Guid=8F0018B0-5882-11E2-8238-A5B229699913, Outgoing Dial-peer=64
012257: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/cc_api_display_ie_subfields:
   ccCallSetupRequest:
   cisco-username=
   ----- ccCallInfo IE subfields -----
   cisco-ani=
   cisco-anitype=0
   cisco-aniplan=0
   cisco-anipi=0
   cisco-anisi=0
   dest=5838
   cisco-desttype=0
   cisco-destplan=0
   cisco-rdie=FFFFFFFF
   cisco-rdn=
   cisco-rdntype=-1
   cisco-rdnplan=-1
   cisco-rdnpi=-1
   cisco-rdnsi=-1
   cisco-redirectreason=-1   fwd_final_type =0
   final_redirectNumber =
   hunt_group_timeout =0

012258: Jan  8 04:27:34.267: //-1/xxxxxxxxxxxx/CCAPI/ccIFCallSetupRequestPrivate:
   Interface=0x87422DA4, Interface Type=3, Destination=, Mode=0x0,
   Call Params(Calling Number=,(Calling Name=)(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
   Called Number=5838(TON=Unknown, NPI=Unknown), Calling Translated=FALSE,
   Subscriber Type Str=, FinalDestinationFlag=FALSE, Outgoing Dial-peer=64, Call Count On=FALSE,
   Source Trkgrp Route Label=, Target Trkgrp Route Label=, tg_label_flag=0, Application Call Id=)
012259: Jan  8 04:27:34.271: //-1/xxxxxxxxxxxx/CCAPI/cc_get_feature_vsa:
   
012260: Jan  8 04:27:34.271: :cc_get_feature_vsa malloc success
012261: Jan  8 04:27:34.271: //-1/xxxxxxxxxxxx/CCAPI/cc_get_feature_vsa:
   
012262: Jan  8 04:27:34.271:  cc_get_feature_vsa count is 3
012263: Jan  8 04:27:34.271: //-1/xxxxxxxxxxxx/CCAPI/cc_get_feature_vsa:
   
012264: Jan  8 04:27:34.271: :FEATURE_VSA attributes are: feature_name:0,feature_time:2305469072,feature_id:234
012265: Jan  8 04:27:34.271: //194/8F0018B08238/CCAPI/ccIFCallSetupRequestPrivate:
   SPI Call Setup Request Is Success; Interface Type=3, FlowMode=1
012266: Jan  8 04:27:34.271: //194/8F0018B08238/CCAPI/ccCallSetContext:
   Context=0x896631DC
012267: Jan  8 04:27:34.271: //194/8F0018B08238/CCAPI/cc_api_call_disconnected:
   Cause Value=47, Interface=0x87422DA4, Call Id=194
012268: Jan  8 04:27:34.271: //194/8F0018B08238/CCAPI/cc_api_call_disconnected:
   Call Entry(Responsed=TRUE, Cause Value=47, Retry Count=0)
012269: Jan  8 04:27:34.271: csim_do_test: cid(194), ev(12), disp(0)
012270: Jan  8 04:27:34.271: csimTraceSct: cid(194),st(0),oldst(0)
012271: Jan  8 04:27:34.271: csim err csimDisconnected recvd DISC cid(194)
012272: Jan  8 04:27:34.271: //194/8F0018B08238/CCAPI/ccCallDisconnect:
   Cause Value=47, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=47)
012273: Jan  8 04:27:34.271: //194/8F0018B08238/CCAPI/ccCallDisconnect:
   Cause Value=47, Call Entry(Responsed=TRUE, Cause Value=47)
012274: Jan  8 04:27:34.275: //194/8F0018B08238/CCAPI/cc_api_call_disconnect_done:
   Disposition=-11, Interface=0x87422DA4, Tag=0x0, Call Id=194,
   Call Entry(Disconnect Cause=47, Voice Class Cause Code=0, Retry Count=0)
012275: Jan  8 04:27:34.275: //-1/8F0018B08238/RXRULE/regxrule_stack_pop_callinfo_internal: numinfo=0x0
012276: Jan  8 04:27:34.275: //194/8F0018B08238/CCAPI/cc_api_call_disconnect_done:
   Call Disconnect Event Sent
012277: Jan  8 04:27:34.275: //-1/xxxxxxxxxxxx/CCAPI/cc_free_feature_vsa:
   
012278: Jan  8 04:27:34.275: :cc_free_feature_vsa freeing 896AAA88
012279: Jan  8 04:27:34.275: //-1/xxxxxxxxxxxx/CCAPI/cc_free_feature_vsa:
   
012280: Jan  8 04:27:34.275:  vsacount in free is 2
012281: Jan  8 04:27:34.275: csim_do_test: cid(194), ev(13), disp(-11)
012282: Jan  8 04:27:34.275: csimTraceSct: cid(194),st(2),oldst(0)
012283: Jan  8 04:27:34.775: csim: loop = 1, failed = 1  
012284: Jan  8 04:27:34.775: csim: call attempted = 1, setup failed = 1, tone failed = 0

012285: Jan  8 04:27:34.775: //-1/xxxxxxxxxxxx/CCAPI/ccAppShutdownMode:
   ccAppShutdownMode: remove it from the queue
SiteA.txt
SiteB.txt
Avatar of José Méndez
José Méndez

Why don't you through in a debug ccsip messages for us please? Along with the other debugs I mean.
Avatar of jplagens

ASKER

Here's some more output.  I have debug ccsip messages, debug voip ccapin inout, and debug voice translation on both sides.  When I call from Site B to Site A, Site A shows nothing in the debugs.  That means the call is not making it across the tunnel at all.  

Here's some output:

SITE-B#show debug
SCCP:
  Skinny Client Control Protocol events debugging is on
DIALPEER:
  debug voip dialpeer error call is ON (filter is OFF)
  debug voip dialpeer error software is ON
  debug voip dialpeer inout is ON (filter is OFF)
voip translation-rule
  voip translation debugging is on (Filter is OFF)

CCAPI:
  debug voip ccapi inout is ON (filter is OFF)
CCSIP SPI: SIP Call Message tracing is enabled  (filter is OFF)



SITE-B#ping 172.19.1.1 source 172.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms
SITE-B#ping 172.19.1.1 source 172.20.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/38/68 ms
SITE-B#ping 172.19.1.1                  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



SITE-B#csim start 5838                  
SITE-B#
012369: Jan  8 05:07:59.883: csim: called number = 5838, loop count = 1 ping count = 0

012370: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
   Calling Number=, Called Number=5838, Peer Info Type=DIALPEER_INFO_SPEECH
012371: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
   Match Rule=DP_MATCH_DEST; Called Number=5838
012372: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
   Result=Success(0) after DP_MATCH_DEST
012373: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:
   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0
012374: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/DPM/dpMatchPeers:
   Result=SUCCESS(0)
   List of Matched Outgoing Dial-peer(s):
     1: Dial-peer Tag=64
012375: Jan  8 05:07:59.883: csimSetupPeer peer type(2), destPat(5838), matched(2), target()
012376: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/CCAPI/ccCallSetupRequest:
   Destination=, Calling IE Present=FALSE, Mode=0,
   Outgoing Dial-peer=64, Params=0x8AC344F4, Progress Indication=NULL(0)
012377: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/CCAPI/ccCheckClipClir:
   In: Calling Number=(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed)
012378: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/CCAPI/ccCheckClipClir:
   Out: Calling Number=(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed)
012379: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/CCAPI/ccCallSetupRequest:
   Destination Pattern=58.., Called Number=5838, Digit Strip=FALSE
012380: Jan  8 05:07:59.883: //-1/xxxxxxxxxxxx/CCAPI/ccCallSetupRequest:
   Calling Number=(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
   Called Number=5838(TON=Unknown, NPI=Unknown),
   Redirect Number=, Display Info=
   Account Number=, Final Destination Flag=FALSE,
   Guid=34C7B1C8-5888-11E2-8241-A5B229699913, Outgoing Dial-peer=64
012381: Jan  8 05:07:59.887: //-1/xxxxxxxxxxxx/CCAPI/cc_api_display_ie_subfields:
   ccCallSetupRequest:
   cisco-username=
   ----- ccCallInfo IE subfields -----
   cisco-ani=
   cisco-anitype=0
   cisco-aniplan=0
   cisco-anipi=0
   cisco-anisi=0
   dest=5838
   cisco-desttype=0
   cisco-destplan=0
   cisco-rdie=FFFFFFFF
   cisco-rdn=
   cisco-rdntype=-1
   cisco-rdnplan=-1
   cisco-rdnpi=-1
   cisco-rdnsi=-1
   cisco-redirectreason=-1   fwd_final_type =0
   final_redirectNumber =
   hunt_group_timeout =0

012382: Jan  8 05:07:59.887: //-1/xxxxxxxxxxxx/CCAPI/ccIFCallSetupRequestPrivate:
   Interface=0x87422DA4, Interface Type=3, Destination=, Mode=0x0,
   Call Params(Calling Number=,(Calling Name=)(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
   Called Number=5838(TON=Unknown, NPI=Unknown), Calling Translated=FALSE,
   Subscriber Type Str=, FinalDestinationFlag=FALSE, Outgoing Dial-peer=64, Call Count On=FALSE,
   Source Trkgrp Route Label=, Target Trkgrp Route Label=, tg_label_flag=0, Application Call Id=)
012383: Jan  8 05:07:59.887: //-1/xxxxxxxxxxxx/CCAPI/cc_get_feature_vsa:
   
012384: Jan  8 05:07:59.887: :cc_get_feature_vsa malloc success
012385: Jan  8 05:07:59.887: //-1/xxxxxxxxxxxx/CCAPI/cc_get_feature_vsa:
   
012386: Jan  8 05:07:59.887:  cc_get_feature_vsa count is 3
012387: Jan  8 05:07:59.887: //-1/xxxxxxxxxxxx/CCAPI/cc_get_feature_vsa:
   
012388: Jan  8 05:07:59.887: :FEATURE_VSA attributes are: feature_name:0,feature_time:2305469072,feature_id:237
012389: Jan  8 05:07:59.887: //197/34C7B1C88241/CCAPI/ccIFCallSetupRequestPrivate:
   SPI Call Setup Request Is Success; Interface Type=3, FlowMode=1
012390: Jan  8 05:07:59.887: //197/34C7B1C88241/CCAPI/ccCallSetContext:
   Context=0x89662894
012391: Jan  8 05:07:59.887: //197/34C7B1C88241/CCAPI/cc_api_call_disconnected:
   Cause Value=47, Interface=0x87422DA4, Call Id=197
012392: Jan  8 05:07:59.887: //197/34C7B1C88241/CCAPI/cc_api_call_disconnected:
   Call Entry(Responsed=TRUE, Cause Value=47, Retry Count=0)
012393: Jan  8 05:07:59.891: csim_do_test: cid(197), ev(12), disp(0)
012394: Jan  8 05:07:59.891: csimTraceSct: cid(197),st(0),oldst(0)
012395: Jan  8 05:07:59.891: csim err csimDisconnected recvd DISC cid(197)
012396: Jan  8 05:07:59.891: //197/34C7B1C88241/CCAPI/ccCallDisconnect:
   Cause Value=47, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=47)
012397: Jan  8 05:07:59.891: //197/34C7B1C88241/CCAPI/ccCallDisconnect:
   Cause Value=47, Call Entry(Responsed=TRUE, Cause Value=47)
012398: Jan  8 05:07:59.891: //197/34C7B1C88241/CCAPI/cc_api_call_disconnect_done:
   Disposition=-11, Interface=0x87422DA4, Tag=0x0, Call Id=197,
   Call Entry(Disconnect Cause=47, Voice Class Cause Code=0, Retry Count=0)
012399: Jan  8 05:07:59.891: //-1/34C7B1C88241/RXRULE/regxrule_stack_pop_callinfo_internal: numinfo=0x0
012400: Jan  8 05:07:59.891: //197/34C7B1C88241/CCAPI/cc_api_call_disconnect_done:
   Call Disconnect Event Sent
012401: Jan  8 05:07:59.891: //-1/xxxxxxxxxxxx/CCAPI/cc_free_feature_vsa:
   
012402: Jan  8 05:07:59.891: :cc_free_feature_vsa freeing 896AAA88
012403: Jan  8 05:07:59.891: //-1/xxxxxxxxxxxx/CCAPI/cc_free_feature_vsa:
   
012404: Jan  8 05:07:59.891:  vsacount in free is 2
012405: Jan  8 05:07:59.891: csim_do_test: cid(197), ev(13), disp(-11)
012406: Jan  8 05:07:59.891: csimTraceSct: cid(197),st(2),oldst(0)
012407: Jan  8 05:08:00.391: csim: loop = 1, failed = 1  
012408: Jan  8 05:08:00.391: csim: call attempted = 1, setup failed = 1, tone failed = 0

012409: Jan  8 05:08:00.391: //-1/xxxxxxxxxxxx/CCAPI/ccAppShutdownMode:
   ccAppShutdownMode: remove it from the queue
Consider configuring GRE Tunnel
This will ensure that your packets are routed across your sites.

The issue above looks like a route issue to me.
I'm open to any options to get this working.  I'm under some pressure and need some assistance.  I greatly appreciate any help from the Experts.
Avatar of fgasimzade
SITE-B#ping 172.19.1.1                  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


What is it? And ping fails? What are your voice and data subnets on both sides?
SITE-B#ping 172.19.1.1                  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


That is when I try to ping the voice vlan subinterface on Site A router sourcing from the outside interface of Site B router (10.0.1.5) - Remember the Cisco routers are sitting behind the Sonicwall firewalls.

Site A:
Voice subnet: 172.19.1.1
Data subnet:  172.19.0.1

Site B:
Voice subnet:  172.20.1.1
Data subnet:  172.20.0.1


I was looking at GRE tunnels.  That might be what I need to do here.  I'm a little confused by the commands.  Here's what I came up with:

Site A
interface Tunnel0
ip address 172.21.0.1 255.255.255.0
tunnel source Gig 0/0
tunnel destination 172.19.1.1

ip route 172.20.1.1 255.255.255.0 172.21.0.2


Site B
interface Tunnel0
ip address 172.21.0.2 255.255.255.0
tunnel source Fast 0/0
tunnel destination 172.20.1.1

ip route 172.19.1.1 255.255.255.0 172.21.0.1
Site A:
Voice subnet: 172.19.1.1
Data subnet:  172.19.0.1

Site B:
Voice subnet:  172.20.1.1
Data subnet:  172.20.0.1

so

Site A
interface Tunnel0
tunnel destination 172.19.1.1
Site B
interface Tunnel0
tunnel destination 172.20.1.1

should be
site a
int tun0
tun dest 172.20.1.1
site b
int tun0
tun dest 172.19.1.1

but, if your ipsec config works site to site generally, then you have a routing or ipsec config problem. better to find and resolve the root cause!

you should be able to ping from site a:
"ping ip 172.20.1.1 source 172.19.1.1"
or something like that (i'm not entirely sure i have the syntax correct there) and opposite for the reverse direction. if you cant, thats why your call setup is no go. maybe you missed sourcing the the cme-cme traffic from addresses that are included in the ipsec tunnel ranges, so the routers are using their "outside" interfaces?
Site A:

SITE-A#ping 172.20.1.1 source 172.19.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.19.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/40 ms

Connectivity is there when pinging both directions when sourcing from the inside interfaces.  When VoIP dial-peers match and send to their session target where do they source from?  I would think it would source from the CME address which is 172.19.1.1 and 172.20.1.1 for Site A and B.
voice-class sip bind media <source-interface>
voice-class sip bind control <source-interface>
Inside the out dial-peers that is.
So on Site B it looks like that should be the BVI100 interface since that is the CME subnet:


SITE-B(config-dial-peer)#voice-class sip bind media source-interface BVI100        
SITE-B(config-dial-peer)#voice-class sip bind media source-interface BVI100
 bind CLI has no effect as there is no change in configuration
I tried setting up the GRE tunnel and the tunnel wouldn't come up.

Site A

interface Tunnel0
bandwidth 512
ip address 172.21.0.1 255.255.255.0
tunnel source vlan 100
tunnel destination 172.20.1.1
tunnel mode gre ip
no shut

ip route 172.20.1.0 255.255.255.0 172.21.0.2


Site B

interface Tunnel0
bandwidth 512
ip address 172.21.0.2 255.255.255.0
tunnel source inter BVI100
tunnel destination 172.19.1.1
tunnel mode gre ip
no shut

ip route 172.19.1.0 255.255.255.0 172.21.0.1
from site a, try "ping 172.20.1.1 sou vl100", ie use the tunnel specs to ping and verify there is comms between each.

now, you have firewalls at both sites. do they permit protocol 47 (gre) to come in from the local subnets and go out to the internet, and does the ipsec config include protocol 47 (gre) to be tunnelled?

coming back to the ipsec config again, is the definition for traffic to be tunnelled something like (at site a)
ip 172.19.0.0/16 to 172.20.0.0/16
ip (wan facing subnet of site a router) to 172.20.0.0/16
ip (wan facing subnet of site a router) to (wan facing subnet of site b router)

and at site b, the mirror.

do the routers at each site have routes for the other sites data and voice subnets, pointing to the firewall?
do the firewalls have routes for the local subnets pointing to the routers, and routes for the other site pointing towards the internet or the ipsec tunnel - however sonicwall works?

if you get the ipsec working, you wont need the gre.
ASKER CERTIFIED SOLUTION
Avatar of jplagens
jplagens
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Closing question.