We are in the process of converting over to Palo Alto firewalls at our remote locations from ASA firewalls. A few of our sites now are having some strange issues when attempting to make phone calls.We are a Cisco call manager shop.
Here is a basic setup of our network:
Remote Office <-Site to site VPN tunnell-> Main Office
Voice setup between those locations:
Analog lines (connected to router) - Remote Router - Remote Palo Alto <-Site to site VPN tunnell-> Main Office ASA firewall - Main Office Call-Manager
When someone at the remote location dials a external number, the phones SOMETIMES rings busy, even when the external phone number is not actually busy (tested and verified). The call will go through to the remote number but when they answer all they get is dead air. SOMETIMES the call goes through just fine. SOMETIMES when the call works and when the external number hangs up first the call stays active on the remote office's desk phone.
We've tried turning off ALG inside the SIP application, but when we test locally by setting up the calling search space to the remote office at a main office phone where we work, we still have problems.
So one thing I would look at is if the phones connection to CUCM is being force closed by the firewall. It's been a few years, but I remember an issue where the phones would silently have to "re-register" in a sense to the CUCM server because it wasn't sending enough keep-alive traffic to keep the connection active.
Is there any NAT going on?
Just to the internet, but not for the devices over the VPN
Are you running SIP or SCCP?
can you see the SIP/SCP/RTP in session browser?
Yes, but because it takes a few tries for us to get a busy signal I am not sure which logs are whitch. I just turned on log at session start to see if that helps identify what is going on when. I'll report back.
Updates! We switched the "Outgoing Transport Type" from TCP+UDP to UDP and that seems to have cleared up the issue. I have a support case open and a call tomorrow to talk about it, we'll see what they say.
Hello I am having the same issue with a firewall that I upgraded to 9.0.5. can you please tell me how you switched the "Outgoing Transport Type" from TCP+UDP to UDP ?
I really appreciate your help.
Here you go, this is from our Voice Engineer.
System -> Security -> SIP Trunk Security Profile.
Select the profile you are currently using on your SIP trunk(s)
Under ‘Outgoing transport type’ – change it to UDP. Then reset. This will reset your SIP trunk(s) and disconnect any active calls.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!