ShoreTel and VPNs

Two similar sites configured.
Site A (HQ) using a Cisco ASA 5505 firewall and an HP switch as the GW for all clients. Two VLANs: 01 (data) and 20 (voice).
ShoreTel Director, E1k, SG90 and SG90BRI here on VLAN 20, 172.16.0.0/24.

Site B (remote office), no DCs, with a Cisco ASA 5505 and an HP switch (with VLAN 1 and 20 again).
ShoreTel SG90 here.

Calls between LANs over the VPN are fine.

Our remote users (who pick up a 10.255.255.0 IP) who connect into the firewall are having issues getting voice to work between them and users at Site B.

Ideas?
(Asked by CHI-LTD)
 
stu29 commented:
If it does not know the return path, then no, it would not. It would make it to the destination, but when it tries to return the response it will not know where to go.
 
stu29 commented:
Ensure your routing is correct on the VPN clients and on all your subnets.

Ensure you have the correct ports open BOTH ways on your firewalls.

Ensure you have your 10.255.255.0 listed as a site in ShoreTel.
 
CHI-LTD (author) commented:
Well, I can ping everything fine, apart from the HQ switch VLAN 20 to remote switch VLAN 20 interfaces.
Everything open.
Added as IP phone address map.
 
CHI-LTD (author) commented:
Also cannot ping my VLAN 20 interface at remote Site B from Director on HQ Site A, but can ping the phones and VLAN 1 interface at remote Site B.
 
stu29 commented:
It sounds like your routing may be the first issue you may want to look at. All the phones and switches must have connectivity between them all, including from the VPN.

If you work out where your routing issue is (which device), it will be a start. It could be on your switches, or it is possible that your VPNs are not configured with all your subnets.

On your switches, type sh ip route to gather all the routes in your table.
Check your routing for your site-to-site VPNs as well as your client VPNs.

Feel free to post back your routing tables if you want us to go over them for you.
 
CHI-LTD (author) commented:
We have a managed company looking after the firewalls; they are confident they are configured correctly. I'm not so sure.

Site B switch:

2910al_SiteB(config)# sh ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.168.3.1     1    static               1          1
  0.0.0.0/0          192.168.100.254 20   static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.3.0/24     DEFAULT_VLAN    1    connected            1          0
  192.168.100.0/24   Voice           20   connected            1          0


Site A:

HP-E2910al-48G-PoE(config)# sh ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          172.19.10.15    1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.0.0/16      Voice           20   connected            1          0
  172.19.0.0/16      DEFAULT_VLAN    1    connected            1          0
 
stu29 commented:
So if I understand your routing tables: if you ping from Site A Voice (172.16.0.0/16) to Site B Voice (192.168.100.0/24), you should go out the DGW of 172.19.10.15, go across your hosted firewalls on both ends, then hit your remote switch. So if you run a tracert/pathping along this path, where do you lose it? If you run a tracert in reverse, what happens?

Q: Why do you have dual gateways on the remote switch? Does each VLAN go into the firewall on separate ports?

Do you have access to the routing table on the firewalls?
 
CHI-LTD (author) commented:
It hits the local switch here and that's it!

Tracing route to 192.168.100.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.19.4.5
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8  ^C

But I can ping the phones and the phone switch:

Pinging 192.168.100.10 with 32 bytes of data:
Reply from 192.168.100.10: bytes=32 time=7ms TTL=64
Reply from 192.168.100.10: bytes=32 time=6ms TTL=64
Reply from 192.168.100.10: bytes=32 time=6ms TTL=64
Reply from 192.168.100.10: bytes=32 time=6ms TTL=64

Ping statistics for 192.168.100.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms


Pinging 192.168.100.107 with 32 bytes of data:
Reply from 192.168.100.107: bytes=32 time=7ms TTL=64
Reply from 192.168.100.107: bytes=32 time=7ms TTL=64
Reply from 192.168.100.107: bytes=32 time=6ms TTL=64
Reply from 192.168.100.107: bytes=32 time=7ms TTL=64

Ping statistics for 192.168.100.107:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms

Yes, the HP switch at Site B has a port from each VLAN going into a dedicated switch on the ASA in order to route.

I will ask and post here.
 
stu29 commented:
Your firewalls may be blocking your trace. What is 172.19.4.5?

You said above you could not ping VLAN 20 to VLAN 20? Has this changed? Did you send the ping above FROM 172.16.0.0/16?
 
CHI-LTD (author) commented:
It's the VLAN 1 interface on the HP switch.

Sorry, I have a number of issues I'm trying to fix. I can ping all devices from Site A to Site B apart from the VLAN 20 interface on the switch at Site B.
The pings work from 172.16 and 172.19.
I just pinged the VLAN 20 interface on the ASA at Site B with no problems.
 
CHI-LTD (author) commented:
Remote users, however:

I can ping from the 10.255 range to Site A on VLAN 1, and Site C (all on VLAN 1) (sorry, not listed in the original post), but I am unable to ping kit on VLAN 20. I guess this is why we are unable to hear users at Site B when using the ShoreTel softphone?
 
CHI-LTD (author) commented:
Here is the Site A switch config:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
qos type-of-service diff-services
sntp server priority 1 194.35.252.7
sntp server priority 2 81.168.77.149
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip authorized-managers 10.255.255.0 255.255.255.128 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 10.255.254.0 255.255.255.128 access manager
ip authorized-managers 192.168.100.0 255.255.255.0 access manager
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910 (top)"
   no power-over-ethernet
   exit
interface 2
   name "tp HP1910 (bottom)"
   no power-over-ethernet
   exit
interface 3
   name "to ASA 5505 fe01"
   no power-over-ethernet
   exit
interface 4
   name "Cisco_AP_172.19.3.20"
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "chi-Oaisys"
   exit
interface 11
   name "Shoretel HQ"
   exit
interface 12
   name "Ingate"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   ip helper-address 172.19.10.18
   exit
no autorun
password manager


Site B switch:

Running configuration:

; J9146A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "2910al_London"
module 1 type j9146a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.100.0 255.255.255.0 access manager
ip authorized-managers 10.255.255.0 255.255.255.128 access manager
ip authorized-managers 10.255.254.0 255.255.255.128 access manager
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip routing
interface 1
   name "to ASA fe0/1 vlan1"
   exit
interface 2
   name "to cisco switch port 1"
   no power-over-ethernet
   exit
interface 15
   disable
   name "damaged"
   exit
interface 23
   name "Shoretel v90 BRI"
   speed-duplex 100-full
   exit
interface 24
   name "to ASA fe0/2 vlan20"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT" location "London"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 12-24
   untagged 1-11
   ip address 192.168.3.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 12-24
   ip address 192.168.100.1 255.255.255.0
   exit
no autorun
password manager
password operator
 
stu29 commented:
OK, so when your VPN clients come in from the 10.255 subnet, they connect to the managed firewall. Their routing is defined on the firewall, which gives out the network info to the VPN clients. If they have routing set up to forward traffic from the 10.255 subnet to 172.19.0.0/16 via 172.19.4.5, and from 10.255 to 172.16.0.0/16 via 172.16.4.5, then their routing should be correct. Then you would be looking at a reverse routing issue.

So, hop on your switch and try to ping a remote client from the CLI (make sure your firewall will let pings out over the VPN). Does this get through? From either subnet? If so, then test from a device attached to the switch on each subnet. Does this work?

Your firewall guys should be able to send you the records of what happened to the traffic (i.e. from where, to where, next hop from the firewall, etc.).
 
CHI-LTD (author) commented:
OK, so I can ping the remotely connected machine to the Site A firewall by IP (10.255.255.*); if I try the name it fails, as it's still got a local IP (when on the LAN) and tries the 172.19. IP.
I cannot ping the remote machine from the switch at Site B (over the site-to-site VPN).

Here is the routing info on the firewall:

C    WANIP 255.255.255.0 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via WANIP, outside
 
CHI-LTD (author) commented:
I can also ping the remote machine on Site A from the switch at Site C (a clone of our HQ site). So the issue is more with Site B.
 
CHI-LTD (author) commented:
Site B:
C    WANIP 255.255.255.0 is directly connected, outside
C    192.168.100.0 255.255.255.0 is directly connected, voice
C    192.168.3.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via WANIP, outside


Site A:
S    172.16.0.0 255.255.0.0 [1/0] via 172.19.4.5, inside
C    172.19.0.0 255.255.0.0 is directly connected, inside
C    WANIP 255.255.255.248 is directly connected, outside
S    10.255.255.15 255.255.255.255 [1/0] via WANIP, outside
S    10.255.255.16 255.255.255.255 [1/0] via WANIP, outside
S*   0.0.0.0 0.0.0.0 [1/0] via WANIP, outside
 
stu29 commented:
Add a static route to your 10.255 subnet on the Site B switch, pointing to your Site A switch. I believe your ping is making it to your Site B subnet, but doesn't know how to get back.
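An added check (example code, not from anyone in this thread) that applies longest-prefix matching to the routing tables posted above, to show how each device would route a reply to a VPN client: the Site B switch only has its two equal-length default routes for 10.255.255.15, while the Site A ASA holds a host route for it. The device names, the `with_static` helper and the 10.255.255.0/24 route with gateway 192.168.3.1 are assumptions for illustration, not settings from the thread.

```python
import ipaddress

# Routing tables transcribed from the tables posted in this thread, as
# (prefix, next hop or None if connected, interface); constructed for this example.
ROUTES = {
    "site_b_switch": [
        ("0.0.0.0/0", "192.168.3.1", "vlan1"),
        ("0.0.0.0/0", "192.168.100.254", "vlan20"),
        ("192.168.3.0/24", None, "vlan1"),
        ("192.168.100.0/24", None, "vlan20"),
    ],
    "site_a_asa": [
        ("172.16.0.0/16", "172.19.4.5", "inside"),
        ("172.19.0.0/16", None, "inside"),
        ("10.255.255.15/32", "WANIP", "outside"),
        ("0.0.0.0/0", "WANIP", "outside"),
    ],
}

def lookup(table, dst):
    """Longest-prefix match that returns every route tying for the longest
    prefix, so duplicates such as two default routes stay visible."""
    ip = ipaddress.ip_address(dst)
    best, best_len = [], -1
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = [(prefix, gw, iface)], net.prefixlen
        elif ip in net and net.prefixlen == best_len:
            best.append((prefix, gw, iface))
    return best

def reply_path(table, dst):
    """Describe how a device holding `table` would send a reply to `dst`."""
    matches = lookup(table, dst)
    if not matches:
        return "no route"
    if len(matches) > 1:
        return "ambiguous: %d equal-length routes" % len(matches)
    prefix, gw, iface = matches[0]
    if prefix == "0.0.0.0/0":
        return "default via %s (%s)" % (gw, iface)
    return "%s via %s (%s)" % (prefix, gw or "connected", iface)

def with_static(table, prefix, gw, iface):
    """Copy of `table` with one static route added, to test a proposed fix
    (the prefix and gateway passed in are assumptions, not from the thread)."""
    return table + [(prefix, gw, iface)]
```

Calling `reply_path(ROUTES["site_b_switch"], "10.255.255.15")` reports the two tying default routes; re-running it on `with_static(...)` shows the reply pinned to the added route.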
 
CHI-LTD (author) commented:
If that's the case, would the ping still work or not?
 
CHI-LTD (author) commented:
Looks like reverse NAT...
 
CHI-LTD (author) commented:
It was reverse NAT not being set on one of the firewalls that fixed one of my issues. This then enabled me to route from, say, Site A to Site C.