6531 Views 3 Replies Latest reply: Jul 29, 2009 8:46 AM by Paul Stewart - CCIE Security, CCSI

Cisco ASA - VPN tunnels & VoIP

Jul 29, 2009 6:24 AM

zoranm, 16 posts since Apr 16, 2009

Hello,

I have a huge problem.

In some branch offices we have ASA FW 5505 ...

These branch offices are connected through VPN IPsec tunnels ... But ...

If the tunnels go down, as they usually do after some time, Cisco VoIP calls DO NOT GET IT UP ...

I must, from the central office, connect to a branch office and ping another branch office ...

The first ping does not pass, but the other 4, and all the others, did pass ...

Then the tunnel is UP ... for some time ... I think 8 hours ...

It is very annoying to check all the tunnels every day, but more annoying is when our director can't call some other director ...

Best regards,

Z

  • Paul Stewart - CCIE Security, CCSI, 6,952 posts since Jul 18, 2008
    1. Jul 29, 2009 7:37 AM (in response to zoranm)
    Re: Cisco ASA - VPN tunnels & VoIP

    If the phones are Skinny, there should be enough traffic in the form of keepalives to keep the tunnels up.  If the tunnels happen to be down, the call processor would not know where the phone is and thus would not generate interesting traffic.  There are a lot of variables here to determine the root cause of the issue.  One workaround might be to use the IP SLA option in the ASA to ping through the tunnel.  I haven't tried it on the ASA, but it certainly exists.  I have done this on IOS and it works well.  My only question on the ASA is whether you can source it from the inside interface to get the traffic interesting for the tunnel.  My concern is that if you specify the inside interface it will not route, but if you specify the outside interface, the traffic will not match the crypto ACL.  If this is the case, that will not be a workaround either.

    Out of curiosity, is this an L2L VPN where the public endpoints are known, or is this an EZ VPN?  Also, is this a SIP or a Skinny-based phone system?  Can the tunnel be initiated from either end if it is L2L as opposed to EZ VPN?  Is it possible that dead peer detection or IKE keepalives are disabled on one or both ends?  I can see how this could be an issue if it were SIP on an EZ VPN and it was configured only to bring the tunnel up for interesting traffic.  This is because the interesting traffic may be on the opposite end.  Please post back any thoughts this may have stirred up.

  • Paul Stewart - CCIE Security, CCSI, 6,952 posts since Jul 18, 2008
    3. Jul 29, 2009 8:46 AM (in response to zoranm)
    Re: Cisco ASA - VPN tunnels & VoIP

    Regarding both of the questions on sourcing and specifying in regards to SLA: I do not think SLA would be an option with the ASA.  SLA is an option whereby the device (in your case the ASA) itself can issue a ping.  However, I do not think that, with the way the code is currently written, you could get the traffic to go through the tunnel.  I probably shouldn't have brought that up, but it works well with IOS and the virtual tunnel interface.

    It is strange that the tunnel would ever go down.  The Skinny phones send a keep-alive to the Call Manager every 30 seconds.  If that traffic goes through the tunnel, it should keep it up and bring it up if it ever dropped.  I would make sure that if you tear down the tunnel it can be brought up from either end.  It should work that way.  If not, you may have a mismatch of some parameter like PFS or something.  Maybe viewing the output of "debug crypto isakmp 127" on both ends during the time period that it drops, and shortly thereafter, might help.  I wish I had more to offer.
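As an added illustration of the two points Paul raises (not configuration from the thread or from either poster), here is the IOS-side IP SLA probe sourced from an inside address so it matches the crypto ACL, with a track and EEM applet that logs when reachability through the tunnel is lost, plus the ASA-side IKE keepalive/DPD setting he asks about. All addresses, the peer, and the applet name are placeholders.

```cisco
! Added example, not from the thread. Placeholder addresses: 10.1.0.1 is the local
! inside address, 10.2.0.1 a host on the remote branch LAN, 203.0.113.2 the remote peer.
!
! --- IOS router side (crypto-map based tunnel) ---
! Periodic DPD so a dead peer is detected and the SA rebuilt from this end.
crypto isakmp keepalive 10 3 periodic
!
! Echo sourced from the inside address: it matches the crypto ACL, so it is
! interesting traffic and keeps the tunnel up without the manual ping test.
ip sla 10
 icmp-echo 10.2.0.1 source-ip 10.1.0.1
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track the probe and log loss of reachability, so a down tunnel is noticed
! before a call fails.
track 10 ip sla 10 reachability
!
event manager applet VPN-TUNNEL-DOWN
 event track 10 state down
 action 1.0 syslog priority warnings msg "IP SLA 10 to 10.2.0.1 failed; check IPsec tunnel to 203.0.113.2"
!
! --- ASA 5505 side ---
! IKE keepalives (DPD) on the L2L tunnel-group so this end also detects a dead peer.
tunnel-group 203.0.113.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! Verify SA state on either box after a drop:
! show crypto isakmp sa
! show crypto ipsec sa
```

The IP SLA portion applies to IOS only; as the reply above notes, whether the ASA can source a probe through the tunnel is not established here.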
