One way audio - Remote Aastra Handset, No NAT in the way

Discussion in '3CX Phone System - General' started by ChrisPriest, Mar 9, 2011.

Thread Status:
Not open for further replies.
  1. ChrisPriest

    Joined:
    Feb 17, 2010
    Messages:
    20
    Likes Received:
    0
    Hi All,

    I have a site to site VPN from my home office to my work office, I have configured an Aastra 57i and it registers with the 3CX server without any problems, however no matter how hard I try, I cannot get audio to work.

    If I check 'PBX delivers audio' I get audio from my home office to the main office, but I cannot hear them, with it turned off, there is no audio at all.

    The VPN is established between two Juniper Firewall devices and the policy allows all traffic, TCP and UDP to flow between the two private subnets.

    I don't think it's a NAT issue, although I could be wrong, although I am not performing any NAT over the VPN.

    I can ping then phone from both sites, and also the 3CX server, but still no joy.

    Anyone got any thoughts? Or has anyone set up a phone in this manner who could share some tips?

    Many thanks
    Chris
     
  2. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Firstly I am going to prefix this by saying we recommend using the tunnel as it will solve all the audio and firewall problems for you. The proxy is a free download for a pc in your home office. The tunnel is ready to go (check the password and make sure port 5090 is open on your firewall).

    If you want to stick to the VPN then we have to find out what component is blocking the RTP (UDP 7000-7049).

    It sounds as if you have your routing set up correctly as you can ping the phone from the other site through the vpn.

    Does the phone have a web interface? If so can you reach that interface from the work office using the home office lan ip of the phone?

    If you can then you have set up routing correctly to allow the audio to reach the phone as audio is one way per UDP port not a request/response type mechanism.

    So then something is blocking it. I would suspect the Juniper on the home office end. Make sure that the UDP ports are allowed. Also make sure that there is no SIP Helper or ALG enabled in any of the firewalls.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. mfm

    mfm Active Member

    Joined:
    Mar 4, 2010
    Messages:
    641
    Likes Received:
    2
    Hi,

    It sounds like an incorrect IP is being sent from your phone to the PBX. However it is hard to say without a wireshark capture. IF you understand sip captures can you please identify what Ip audio is being requested on and what port.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1

    The tunnel (aka 3CX SIP Proxy over tunnel) is not supported with Astra phones in case you are are unaware of it
    If there is NO NAT then there is no traditional firewall in place and no ALG needed. Is the VPN setup in bridge mode? One way audio I assume it means that it registers just fine. Try changing: ALLOW SOURCE AS OUTBOUND to enabled (custom parameters). Wireshark on the server would be the best way to pinpoint the issue.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Thank you for pointing that out. You are correct in that it is not officially supported. I have a customer who claims he has a 53i going out over the proxy from his other office. I have taken him at his word as his other phones are all set to use the proxy, but it may be incorrect.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    We had a spare old netscreen in the office so we put this to the test. I do not know if it is the same as your case but I set it up as you described.

    Site to Site VPN. Full tunnel with routing to both sides. Firewall allows any/any in both directions.

    With sip alg on i had one way audio. With alg off i had audio both ways.

    But! This is a big but. I had OS6.1 on there - there are some known sip bugs in that release. I also went to our Juniper tech support people and they "implied" that the sip alg if enabled will parse the requests regardless. However it should NOT be affecting anything.

    That may help you, if you have the same OS etc.

    The sure way of finding out (as others have mentioned) is to wireshark it, but if you dont know what you are looking for/at then by all means PM me and I will walk you through it and give you an email address to send the capture.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. ChrisPriest

    Joined:
    Feb 17, 2010
    Messages:
    20
    Likes Received:
    0
    Hi Mark,

    Thank you for that tip!! Indeed, switching off the ALG gave me audio in both directions.

    Much Appreciated :)

    Best Regards
    Chris
     
Thread Status:
Not open for further replies.