Solved

shoretel and VPNs

Posted on 2014-04-28
Last Modified: 2014-05-19
2x similar sites configured.  
Site A (HQ) using a Cisco ASA 5505 firewall and an HP Switch as the GW for all clients.  2x vLans 01 (data) and 20 (voice).
Shoretel Director, E1k, Sg90 and sg90bri here on vlan20 172.16.0.0/24

Site B (remote office) no DCs with Cisco ASA 5505 and HP Switch (with vlan 1 and 20 again).
shoretel sg90 here.

Calls between LANs over VPN are fine.

Our remote users (who pick up a 10.255.255.0 IP) who connect into the firewall are having issues getting voice to work between them and users at Site B.

Ideas?
Question by:CHI-LTD

20 Comments
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 40027331
Ensure your routing is correct on the VPN clients and on all your subnets.

Ensure you have the correct ports open BOTH ways on your firewalls.

Ensure you have your 10.255.255.0 listed as a site in Shoretel.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40027368
Well, I can ping everything fine, apart from the HQ switch vlan20 to remote switch vlan20 interfaces.
Everything is open.
Added as IP phone address map.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40027493
Also cannot ping my vlan20 interface at remote Site B from Director on HQ Site A, but can ping the phones and vlan1 interface at remote Site B.
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 40027569
It sounds like your routing may be the first issue you may want to look at.  All the phones and switches must have connectivity between them all, including from the VPN.

If you work out where your routing issue is (device), it will be a start.  It could be on your switches, or it is possible that your VPNs are not configured with all your subnets.

On your switches type sh ip route to gather all your routes in your table.
Check your routing for your site-to-site VPNs as well as your client VPNs.

Feel free to post back your routing tables if you want us to go over them for you.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40028988
We have a managed company looking after the firewalls; they are confident they are configured correctly.  I'm not so sure.

SIte B switch:

2910al_SiteB(config)# sh ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.168.3.1     1    static               1          1
  0.0.0.0/0          192.168.100.254 20   static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.3.0/24     DEFAULT_VLAN    1    connected            1          0
  192.168.100.0/24   Voice           20   connected            1          0


Site A:

HP-E2910al-48G-PoE(config)# sh ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          172.19.10.15    1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.0.0/16      Voice           20   connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 40029401
So if I understand your routing tables .. if you ping from Site A Voice (172.16.0.0/16) to Site B Voice (192.168.100.0/24) you should go out the DGW of 172.19.10.15, go across your hosted firewalls on both ends .... then hit your remote switch.  So if you run a tracert/pathping along this path .. where do you lose it?  If you run a tracert in reverse what happens?

Q: Why do you have dual Gateways on the remote switch?  Does each VLAN go in to the firewall on separate ports?

Do you have access to the routing table on the firewalls?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40029453
It hits the local switch here and that's it!

Tracing route to 192.168.100.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.19.4.5
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8  ^C

but i can ping the phones and the phone switch:

Pinging 192.168.100.10 with 32 bytes of data:
Reply from 192.168.100.10: bytes=32 time=7ms TTL=64
Reply from 192.168.100.10: bytes=32 time=6ms TTL=64
Reply from 192.168.100.10: bytes=32 time=6ms TTL=64
Reply from 192.168.100.10: bytes=32 time=6ms TTL=64

Ping statistics for 192.168.100.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms


Pinging 192.168.100.107 with 32 bytes of data:
Reply from 192.168.100.107: bytes=32 time=7ms TTL=64
Reply from 192.168.100.107: bytes=32 time=7ms TTL=64
Reply from 192.168.100.107: bytes=32 time=6ms TTL=64
Reply from 192.168.100.107: bytes=32 time=7ms TTL=64

Ping statistics for 192.168.100.107:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms

Yes, the HP switch at Site B has a port from each vlan going into a dedicated switch on the ASA in order to route.

I will ask and post here.
 
LVL 9

Expert Comment

by:stu29
ID: 40029486
Your firewalls may be blocking your trace.  What is 172.19.4.5?  

You said above you could not ping VLAN20 to VLAN20?  Has this changed?  Did you send the ping above FROM 172.16.0.0/16?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40029505
It's the vlan1 interface on the HP switch.

Sorry, I have a number of issues I'm trying to fix.  I can ping all devices from Site A to Site B apart from the vlan20 interface on the switch at Site B.
The pings work from 172.16 and 172.19.
I just pinged the vlan20 interface on the ASA at Site B with no problems.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40029512
Remote users however:

I can ping from the 10.255 range to Site A at vlan1, and Site C (all on vlan1) (sorry, not listed in original post) but unable to ping kit on vlan20.  I guess this is why we are unable to hear users at Site B when using the ShoreTel softphone?
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40029661
here is site A switch config:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
qos type-of-service diff-services
sntp server priority 1 194.35.252.7
sntp server priority 2 81.168.77.149
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip authorized-managers 10.255.255.0 255.255.255.128 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 10.255.254.0 255.255.255.128 access manager
ip authorized-managers 192.168.100.0 255.255.255.0 access manager
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910 (top)"
   no power-over-ethernet
   exit
interface 2
   name "tp HP1910 (bottom)"
   no power-over-ethernet
   exit
interface 3
   name "to ASA 5505 fe01"
   no power-over-ethernet
   exit
interface 4
   name "Cisco_AP_172.19.3.20"
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "chi-Oaisys"
   exit
interface 11
   name "Shoretel HQ"
   exit
interface 12
   name "Ingate"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   ip helper-address 172.19.10.18
   exit
no autorun
password manager


Site B switch:

Running configuration:

; J9146A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "2910al_London"
module 1 type j9146a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.100.0 255.255.255.0 access manager
ip authorized-managers 10.255.255.0 255.255.255.128 access manager
ip authorized-managers 10.255.254.0 255.255.255.128 access manager
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip routing
interface 1
   name "to ASA fe0/1 vlan1"
   exit
interface 2
   name "to cisco switch port 1"
   no power-over-ethernet
   exit
interface 15
   disable
   name "damaged"
   exit
interface 23
   name "Shoretel v90 BRI"
   speed-duplex 100-full
   exit
interface 24
   name "to ASA fe0/2 vlan20"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location "London"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 12-24
   untagged 1-11
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 12-24
   ip address 192.168.100.1 255.255.255.0
   exit
no autorun
password manager
password operator
 
LVL 9

Expert Comment

by:stu29
ID: 40030109
OK .. so when your VPN clients come in from the 10.255 subnet, they connect to the managed firewall.  Their routing is defined on the firewall, which gives out the network info to the VPN clients.  If they have routing set up to forward traffic from the 10.255 subnet to 172.19.0.0/16 to go to 172.19.4.5, and 10.255 to 172.16.0.0/16 to go to 172.16.4.5, then their routing should be correct.  Then you would be looking at a reverse routing issue.

So ... hop on your switch and try to ping a remote client from the CLI (make sure your firewall will let pings out over the VPN).  Does this get through?  From either subnet?  If so .. then test from a device attached to the switch on each subnet.  Does this work?

Your firewall guys should be able to send you the records of what happened to the traffic (ie: from where, to where, next hop from the firewall etc).
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40031633
Okay, so I can ping the remotely connected machine to the Site A firewall by IP (10.255.255.*); if I try the name it fails as it's still got a local IP (when on the LAN) and tries the 172.19. IP.
I cannot ping the remote machine from the switch at Site B (over the site-to-site VPN).

here is the routing info on the firewall:


C    WANIP 255.255.255.0 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via WANIP, outside
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40031641
I can also ping the remote machine on Site A from the switch at Site C (a clone of our HQ site).  So the issue is more with Site B.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40031764
Site B
C    WANIP 255.255.255.0 is directly connected, outside
C    192.168.100.0 255.255.255.0 is directly connected, voice
C    192.168.3.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via WANIP, outside


Site A
S    172.16.0.0 255.255.0.0 [1/0] via 172.19.4.5, inside
C    172.19.0.0 255.255.0.0 is directly connected, inside
C    WANIP 255.255.255.248 is directly connected, outside
S    10.255.255.15 255.255.255.255 [1/0] via WANIP, outside
S    10.255.255.16 255.255.255.255 [1/0] via WANIP, outside
S*   0.0.0.0 0.0.0.0 [1/0] via WANIP, outside
 
LVL 9

Assisted Solution

by:stu29
stu29 earned 500 total points
ID: 40031911
Add a static route to your 10.255 subnet on the Site B switch .. to your Site A switch.  I believe your ping is making it to your Site B subnet, but doesn't know how to get back.
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40043843
If that's the case, would the ping still work or not?
 
LVL 9

Accepted Solution

by:stu29
stu29 earned 500 total points
ID: 40044156
If it does not know the return path then no, it would not.  It would make it to the destination ... but when it tries to return the response .. it will not know where to go.
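To check stu29's return-path point against the tables posted above, here is an added example (not code from the thread): a longest-prefix-match lookup over the transcribed routing tables, walked in the reply direction to list which devices can only reach the VPN client through their default route. Next-hop labels are constructed strings; on an ASA the tunnel is chosen by crypto ACL rather than the route table, so a default-route-only result is where to check the VPN and NAT-exempt rules next, not proof the reply is dropped.

```python
import ipaddress

# Added example, not from the thread. Tables are transcribed from the routing
# output posted above; the next-hop labels are constructed strings.
SITE_A_ASA = [
    ("172.16.0.0/16", "172.19.4.5 via inside"),
    ("172.19.0.0/16", "connected inside"),
    ("10.255.255.15/32", "WANIP via outside (VPN client)"),
    ("10.255.255.16/32", "WANIP via outside (VPN client)"),
    ("0.0.0.0/0", "WANIP via outside (default)"),
]
SITE_B_ASA = [
    ("192.168.100.0/24", "connected voice"),
    ("192.168.3.0/24", "connected inside"),
    ("0.0.0.0/0", "WANIP via outside (default)"),
]
SITE_B_SWITCH = [
    ("192.168.3.0/24", "connected VLAN 1"),
    ("192.168.100.0/24", "connected VLAN 20"),
    ("0.0.0.0/0", "192.168.3.1 via VLAN 1"),
    ("0.0.0.0/0", "192.168.100.254 via VLAN 20"),
]


def lookup(table, dst):
    """Longest-prefix match: (prefix length, next hop) of the most specific
    entry covering dst, or (-1, None) when nothing matches at all."""
    addr = ipaddress.ip_address(dst)
    best = (-1, None)
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best[0]:
            best = (net.prefixlen, hop)
    return best


def has_specific_route(table, dst):
    """True when the table holds something more specific than 0.0.0.0/0 for dst."""
    return lookup(table, dst)[0] > 0


def return_path_gaps(client, devices):
    """Names of devices on the reply path that only reach `client` by default route."""
    return [name for name, table in devices if not has_specific_route(table, client)]


if __name__ == "__main__":
    client = "10.255.255.15"  # VPN client host route seen on the Site A ASA
    print("Site A ASA -> 192.168.100.1:", lookup(SITE_A_ASA, "192.168.100.1"))
    print("Site A ASA -> VPN client:", lookup(SITE_A_ASA, client))
    reply_path = [("Site B switch", SITE_B_SWITCH), ("Site B ASA", SITE_B_ASA),
                  ("Site A ASA", SITE_A_ASA)]
    print("Default-route-only on the reply path:", return_path_gaps(client, reply_path))
```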
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40058732
looks like reverse NAT...
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 40074747
It was reverse NAT not being set on one of the firewalls; fixing that resolved one of my issues.  This then enabled me to route from, say, Site A to Site C.