[asterisk-users] Cisco 7960 not always receiving incoming calls
Stephen Reese
rsreese at gmail.com
Sat Oct 18 16:40:47 CDT 2008
> As a last resort (if qualify doesn't help), you could enter this
> (global) to increase the timeout on UDP translations:
> ip nat translation udp-timeout 300 (or greater if you prefer)
>
> It is likely a NAT timeout issue. When you call outbound, you
> 'reactivate' the SIP session in your NAT device, allowing calls to come
> in until it expires (default on many devices is 60 seconds). You may
> also receive inbound calls when the phone reregisters regularly. Try
> 'qualify=yes' in your phones section in sip.conf to send keepalives
> (option packets in this case) every two seconds to the phone to keep it
> from going idle. You can see the state of the phone from the console
> with a 'sip show peers', if unreachable, your NAT device has killed the
> NAT forward.
>
> Should look like one of these:
> xxx/xxx x.x.x.x D N 5060 OK (46 ms)
> xxx/xxx x.x.x.x D N 5060 UNREACHABLE
>
> As another troubleshooting step, you can telnet to the phone and have it
> reregister with Asterisk manually ("register line 1 1") to see if that
> brings it back to life.
>
> If qualify doesn't do it, see if you can increase UDP timeouts in your
> firewall/NAT device.
I tried increasing the value and even set it to never and added the
qualify line, but that did not help. Do I need to poke any holes in the
firewall on the NAT device for the UDP traffic to stay persistent? I
have included my router's configuration in case someone notices
something I may need to make the connection work correctly. Also, when
I call the phone within the "OK" reachable time, after the call
disconnects the status immediately becomes "UNREACHABLE".
ns1*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status
vitel-outbound/rsreese 64.2.142.22 5060 Unmonitored
vitel-inbound/rsreese 64.2.142.116 5060 Unmonitored
101/101 68.156.63.118 D N 1038 UNREACHABLE
3 sip peers [Monitored: 0 online, 1 offline Unmonitored: 2 online, 0 offline]
[Oct 18 16:55:09] NOTICE[21216]: chan_sip.c:15231 handle_response_peerpoke: Peer '101' is now Reachable. (217ms / 2000ms)
ns1*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status
vitel-outbound/rsreese 64.2.142.22 5060 Unmonitored
vitel-inbound/rsreese 64.2.142.116 5060 Unmonitored
101/101 68.156.63.118 D N 1038 OK (217 ms)
3 sip peers [Monitored: 1 online, 0 offline Unmonitored: 2 online, 0 offline]
[Oct 18 17:24:16] NOTICE[21216]: chan_sip.c:19339 sip_poke_noanswer: Peer '101' is now UNREACHABLE! Last qualify: 134
CISCO CONF FOLLOWS:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot system flash:/c3725-adventerprisek9-mz.124-21.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console informational
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate slot 1
network-clock-participate slot 2
no ip source-route
!
ip traffic-export profile IDS-SNORT
interface FastEthernet0/0
bidirectional
mac-address 000c.2989.f93a
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
!
ip dhcp pool VLAN2clients
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
dns-server 205.152.144.23 205.152.132.23
option 66 ip 172.16.2.10
option 150 ip 172.16.2.10
!
ip dhcp pool VLAN3clients
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
dns-server 205.152.144.23 205.152.132.23
!
!
ip domain name neocipher.net
ip name-server 205.152.144.23
ip name-server 205.152.132.23
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-995375956
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-995375956
revocation-check none
rsakeypair TP-self-signed-995375956
!
!
crypto pki certificate chain TP-self-signed-995375956
certificate self-signed 01
quit
username user privilege 15 secret 5
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 10.0.0.2 no-xauth
!
crypto isakmp client configuration group VPN-Users
key
dns 2
domain neocipher.net
pool VPN_POOL
acl 115
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
match identity group VPN-Users
client authentication list default
isakmp authorization list default
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
set peer 10.0.0.2
set transform-set ESP-3DES-SHA
match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
no ip unreachables
ip virtual-reassembly
!
interface Tunnel0
description HE.net
no ip address
ipv6 address
ipv6 enable
tunnel source FastEthernet0/0
tunnel destination
tunnel mode ipv6ip
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/0 hostname 3725router
ip access-group 104 in
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
speed 100
full-duplex
crypto map CLIENTMAP
!
interface Serial0/0
description $FW_OUTSIDE$
ip address 10.0.0.1 255.255.240.0
ip access-group 105 in
ip verify unicast reverse-path
no ip unreachables
ip inspect SDM_LOW out
ip virtual-reassembly
clock rate 2000000
crypto map CLIENTMAP
!
interface FastEthernet0/1
no ip address
no ip unreachables
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip nat inside
ip virtual-reassembly
crypto map CLIENTMAP
!
interface FastEthernet0/1.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 172.16.3.1 255.255.255.0
ip access-group 102 in
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
no ip address
no ip unreachables
shutdown
clock rate 2000000
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered Loopback0
ip access-group 103 in
no ip unreachables
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout never
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny icmp any any echo log
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route ::/0 Tunnel0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 05080F1C2243
transport input ssh
line vty 5 903
transport input ssh
!
ntp clock-period 17180643
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end
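
Added example, not part of the original post or the poster's tooling: a first-match walk of access-list 104 (applied inbound on FastEthernet0/0) for a UDP packet arriving from outside, ignoring any temporary return-traffic openings created by "ip inspect SDM_LOW out". It shows which entry decides the fate of an unsolicited SIP packet sent to the phone's translated port 1038. 192.0.2.10 is a placeholder for the Asterisk server address, which the post does not give, and the function names are hypothetical.

```python
from ipaddress import ip_address as ipa

# Constructed input: the udp entries and final deny of access-list 104 above, in
# order, prefix dropped. Its "deny ip" anti-spoofing entries are left out.
ACL_104 = """\
permit udp host 205.152.132.23 eq domain any
permit udp host 205.152.144.23 eq domain any
permit udp host 129.6.15.29 eq ntp any eq ntp
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq bootps any eq bootpc
deny udp any any eq 2049 log
deny udp any any eq 31337 log
deny udp any any range 33400 34400 log
deny ip any any log"""

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "ntp": 123,
         "isakmp": 500, "non500-isakmp": 4500}

def _port(tok):
    return PORTS.get(tok) or int(tok)

def _endpoint(toks, ip, port):
    """Consume one address spec and optional port test from toks; True on match."""
    first = toks.pop(0)
    if first == "any":
        ok = True
    elif first == "host":
        ok = toks.pop(0) == ip
    else:  # "address wildcard": bits set in the wildcard are ignored
        care = ~int(ipa(toks.pop(0))) & 0xFFFFFFFF
        ok = (int(ipa(first)) ^ int(ipa(ip))) & care == 0
    if toks[:1] == ["eq"]:
        ok = ok and port == _port(toks[1])
        del toks[:2]
    elif toks[:1] == ["range"]:
        ok = ok and _port(toks[1]) <= port <= _port(toks[2])
        del toks[:3]
    return ok

def first_match(acl, src, sport, dst, dport):
    """Return the first entry matching a UDP packet (IOS ACLs stop at first match)."""
    for line in acl.splitlines():
        _action, proto, *toks = line.split()
        if proto in ("udp", "ip") and _endpoint(toks, src, sport) \
                and _endpoint(toks, dst, dport):
            return line
    return "deny (implicit)"
```

Calling first_match(ACL_104, "192.0.2.10", 5060, "68.156.63.118", 1038) returns the closing "deny ip any any log" entry, so such a packet passes only while the inspection session created by the phone's own outbound traffic is still alive.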