3CX client over VPN RTP not working

Discussion in 'Windows' started by imseanbrown, Jul 7, 2017.

Thread Status:
Not open for further replies.
  1. imseanbrown

    Have the 3CX client running; it works perfectly inside and outside of the office (using both direct-SIP and the tunnel). When users connect via VPN (split tunnel), the 3CX client has major issues:

    Setup:
    3CX server - no 3CX SBC.

    Here's the logical flow

    In the office (No VPN):
    3CX client -> pbx.domain.com -> 3CX Server Internal IP

    No issues to report - everything works fine.

    Out of the office (No VPN):
    3CX client -> pbx.domain.com -> External IP -> NAT -> 3CX Server Internal IP

    No issues to report - everything works fine.

    Out of the office via tunnel (No VPN):
    3CX client -> tunnel encapsulation -> pbx.domain.com -> External IP -> tunnel decapsulation -> 3CX server Internal IP

    No issues to report - everything works fine.

    Out of the office (VPN):
    3CX client -> Cisco VPN encapsulation -> Internet -> Cisco VPN Concentrator -> pbx.domain.com -> 3CX Server Internal IP

    The PCAP shows that once encapsulated in the Cisco VPN, it resolves the internal IP correctly and registers with no issues. All calls set up, but no media passes because the contact IP is the physical LAN interface address of the computer, not the tunnel virtual interface.

    I have verified that the interface metric is correct and Windows does route split traffic correctly. It's something inside of the 3CX client that is incorrectly sending the wrong contact IP for RTP.

    Looking for help on this.
     
  2. SECOIT GmbH

    I just reproduced this using OpenVPN on my Windows 8.1 PC.
    I connected to my office and the 3CX Phone was using the correct interface to transfer both SIP and RDP via the OpenVPN tunnel. So here with OpenVPN it's working.

    Normally Cisco uses IPSec tunnels and not all of them have a local virtual IF. Can you see your IPSec IF in "Control Panel\Network and Internet\Network Connections"?
    If so go to advanced and move the Cisco VPN adapter to the top. Does that make a difference?
    If you don't have a virtual IF for your VPN, I'm not sure if that will work, as with VoIP it's more than normal routing, since the client and the server need to be aware of their addresses, as they are submitted during 5060 communication, for them to be able to create a working RDP stream in both directions.
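
A check for the symptom described in the first post, as an added example (not code from the thread or from 3CX): it extracts the addresses a client advertises in the Contact header and the SDP `o=`/`c=` lines of a captured SIP message and flags any that differ from the packet's source IP. The sample INVITE, the addresses 10.8.0.6 and 192.168.1.50, and the function names are constructed, and the check assumes there is no NAT between the VPN concentrator and the PBX.

```python
import re

# Constructed sample: an INVITE as received by the PBX from a VPN client.
# The packet's source is the tunnel address 10.8.0.6 (assumed), but the
# client advertises its physical LAN address 192.168.1.50 (assumed).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:200@pbx.domain.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKconstructed",
    "Call-ID: constructed-example",
    "CSeq: 1 INVITE",
    "Contact: <sip:100@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.50",
    "s=call",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 7000 RTP/AVP 0 8",
])

CONTACT_RE = re.compile(
    r"(?:contact|m)\s*:.*?sips?:(?:[^@\s>]+@)?(\d+\.\d+\.\d+\.\d+)", re.I)

def advertised_addresses(sip_message):
    """Return (field, IPv4) pairs the client advertises in Contact and SDP."""
    headers, _, sdp = sip_message.partition("\r\n\r\n")
    found = []
    for line in headers.split("\r\n")[1:]:      # skip the request line
        m = CONTACT_RE.match(line)
        if m:
            found.append(("Contact", m.group(1)))
    for line in sdp.split("\r\n"):
        parts = line[2:].split()
        if line.startswith("o=") and len(parts) == 6 and parts[4] == "IP4":
            found.append(("SDP o=", parts[5]))
        elif line.startswith("c=") and len(parts) == 3 and parts[1] == "IP4":
            found.append(("SDP c=", parts[2].split("/")[0]))
    return found

def media_path_mismatches(sip_message, packet_src_ip):
    """List advertised addresses that are not the packet's source IP."""
    return [(field, addr) for field, addr in advertised_addresses(sip_message)
            if addr != packet_src_ip]

if __name__ == "__main__":
    for field, addr in media_path_mismatches(SAMPLE_INVITE, "10.8.0.6"):
        print(f"{field} advertises {addr}, but the packet came from 10.8.0.6")
```

An SDP `c=` entry under `m=audio` is the address the far end sends RTP to, so a mismatch there corresponds to the one-way or missing audio the thread describes.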
     