My company has a Cisco VOIP phone system. We recently switched over to PAN220 to PAN220 firewalls w/ IPSEC VPN tunnel connectivity between our two locations. We are experiencing significant problems with a single Cisco ATA 191 SIP device:
This phone regularly has call audio and or connectivity problems where the caller places a call and they can hear the far end receiver, but that person cannot hear the caller. Other times the call will hang, fail, etc. The device is currently configured to require the media termination point (CUCM phone server) for calls/connectivity. The CUCM server is located back at the head end and the ATA is located at the remote VPN site.
Our firewalls are currently set to alert-only as they are new and we have not turned up the features yet.
We did not seem to have this issue prior to switching to Palo Altos (away from the ASAs). Things we have tried on the Palo Alto:
1. Disabled SIP ALG
2. Policy override for device traffic
3. Different Crypto/IPSec tunnel encryption/settings
4. Logging/wireshark/packet captures (no evidence of dropped packets or blocked ports/protocols)
Other phones (Cisco 8851s) work without issue at the remote end. It seems to be something related directly to the ATA 191 and the Palo Altos. I have scoured the internet but have not seen anything similar to this issue. Are there any Palo/CUCM buffs out there who might be able to throw me a line?
Are you using NAT in this communication?
Also please check this.
Thank you for the reply. We are currently not NAT'ing any traffic across the VPN, and the problem only exists on that single ATA 191 device. The link you sent me is intriguing, but I'm very hesitant of going down the road of changing the Outgoing Transport Type from TCP to UDP for our entire CUCM in an effort to correct a problem with a single ATA.
It seems like there would be significant risk in terms of call quality if changing from stateful TCP traffic to straight UDP (throw packets at the wall and see what sticks), no?
Any other advice you could offer would be most appreciated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!