7921/7925 rtp traffic thru nat

Hi,
Our nat table does not time out all the udp rtp traffic from 792x wireless phones. Normal 7940/60 works fine and any other traffic. When the "left" time has counted to zero it goes to "timing-out" state and stays there unless we do manual "clear ip nat trans * "
IOS version 12.4.(11)T4 does not have this problem but newer and even 15.x has the same issue. I have tested phone load 1.3.3 and 1.3.4SR2 without a change. I have tested a static and dynamic nat and no effect there. I have tested different wireless access points and no effect. It might be a tac case if anyone else has no ideas.
Does anyone have more information what might cause the problem?
Here is an example what fills the translation table:
sh ip nat trans ver
udp 172.16.119.248:20064 10.79.191.244:20064 10.76.134.119:26180 10.76.134.119:26180
    create 00:22:22, use 00:21:26 timeout:300000, timing-out,
    flags:
extended, use_count: 0, entry-id: 103, lc_entries: 0
udp 172.16.119.248:25824 10.79.191.244:25824 10.76.134.119:16528 10.76.134.119:16528
    create 00:23:59, use 00:23:57 timeout:300000, timing-out,
    flags:
extended, use_count: 0, entry-id: 98, lc_entries: 0

Hi Janne, if this is still a hanging issue, I suggest you move the thread under network infra, routing or switching.
Cheers
Serge
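
A way to spot the stuck entries described in the first post without reading the table by eye, as an added example that is not part of the original thread: it parses `show ip nat translations verbose` output and flags entries in `timing-out` whose idle time is well past their timeout. It assumes the `timeout:` field is in milliseconds (300000 matching the 300-second IOS UDP default) and hh:mm:ss timers; the third sample entry and the 60-second grace period are constructed for illustration.

```python
import re
from collections import defaultdict

# First two entries are the ones quoted in the post; the third is constructed
# to show a healthy entry that is still counting down.
SAMPLE = """\
udp 172.16.119.248:20064 10.79.191.244:20064 10.76.134.119:26180 10.76.134.119:26180
    create 00:22:22, use 00:21:26 timeout:300000, timing-out,
    flags:
extended, use_count: 0, entry-id: 103, lc_entries: 0
udp 172.16.119.248:25824 10.79.191.244:25824 10.76.134.119:16528 10.76.134.119:16528
    create 00:23:59, use 00:23:57 timeout:300000, timing-out,
    flags:
extended, use_count: 0, entry-id: 98, lc_entries: 0
udp 172.16.119.248:30000 10.79.191.10:30000 10.76.134.120:17000 10.76.134.120:17000
    create 00:01:10, use 00:00:02 timeout:300000, left 00:04:57,
    flags:
extended, use_count: 0, entry-id: 110, lc_entries: 0
"""

HEAD = re.compile(r"^(udp|tcp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TIMERS = re.compile(r"create\s+(\d+:\d\d:\d\d),\s+use\s+(\d+:\d\d:\d\d)\s+"
                    r"timeout:(\d+),\s*(timing-out|left)")
ENTRY_ID = re.compile(r"entry-id:\s*(\d+)")


def seconds(hms):
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse(text):
    """Return one dict per translation entry in the verbose output."""
    entries, cur = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:  # columns: proto, inside global, inside local, outside local/global
            cur = {"proto": head[1], "inside_global": head[2], "inside_local": head[3]}
            entries.append(cur)
            continue
        if cur is None:
            continue
        timers = TIMERS.search(line)
        if timers:  # timeout assumed to be milliseconds
            cur.update(idle=seconds(timers[2]), timeout=int(timers[3]) / 1000,
                       state=timers[4])
        entry_id = ENTRY_ID.search(line)
        if entry_id:
            cur["entry_id"] = int(entry_id[1])
    return entries


def stuck(entries, grace=60):
    """Entries still in timing-out more than `grace` seconds past their timeout."""
    return [e for e in entries
            if e.get("state") == "timing-out" and e["idle"] > e["timeout"] + grace]


def stuck_by_host(entries):
    """Group stuck entry-ids by inside-local address to see which phones leak entries."""
    hosts = defaultdict(list)
    for e in stuck(entries):
        hosts[e["inside_local"].rsplit(":", 1)[0]].append(e.get("entry_id"))
    return dict(hosts)


if __name__ == "__main__":
    for host, ids in stuck_by_host(parse(SAMPLE)).items():
        print(f"{host}: {len(ids)} stuck entries, entry-ids {ids}")
```

Run against periodic captures of the table, a growing per-host count shows whether the leak tracks specific phones before the table fills.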

Similar Messages

  • ASA 5505 site to site RTP traffic is hitting deny all rule

    Hello,
    Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
    Currently the rules are as follows
    Incoming External
    allow ip any any
    allow tcp any any
    allow udp any any
    default deny
    Incoming Internal
    allow ip any any
    allow tcp any any
    allow udp any any
    default deny
    It won't allow us to set up a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.

    Hi Daniel,
    I guess there is a feature support issue with the ASA sending VOIP traffic over VPN.
    The ASA Phone Proxy does not support inspection of packets from phones connecting to it over a VPN tunnel. Therefore, sending phone proxy traffic through a VPN tunnel is not supported.
    Note The ASA 5500 appliances running version 8.4 can support the Phone Proxy feature when integrated with Unified CM 8.0(x) but do not support Phone Proxy with Unified CM versions 8.5(x) and 8.6(x).
    Please do rate if the given information helps.
    By
    Karthik

  • How to access shared volume (AFP) thru NAT firewall for 2 or more Macs?

    Problem: I need to selectively access either of two macs on remote network, thru NAT router/switch, for file sharing from the remotes. I'm in Oregon; computers are in Hawaii on other side of a new Netgear wired router that works perfectly so far for Timbuktu management (control & screen sharing). (On router, I forwarded ports 1417 and 1419 to the two computers, respectively. Then picking the port from here = Timbuktu access to the intended computer.)
    I have set up the router to forward port 548 (Apple AFP) to ONE of the computers' fixed IP addresses on the LAN (Say, 192.168.10.2). Works perfectly for that computer. But what other ports could I possibly forward to computer #2 (192.168.10.3) that would pass AFP? I have tried a couple "unassigned" ports (e.g. 7555, 8548) with no success.
    Is there a trick or workaround I should know about? Any help would be appreciated.

    To do what you want with your current setup you need to run apple sharing on one of the other macs on a different port. So you can have 2 nat rules.
    Change your AFP port
    However it is not safe to open up filesharing to the internet unless you are going through a VPN connection or an SSH tunnel.
    SSH is already available on your macs. If you opened one mac's ssh port to the internet that is all you need. Then you only need to open tcp port 22 and setup a NAT rule to that mac's IP address. Turn on remote login in the sharing preferences.
    SSH can be made even more secure if you turn off password authentication and use public key authentication.
    Setting up public key authentication over SSH
    When SSH is running you can use ssh tunneling to open any other network port you want.
    Example
    this command in the terminal would do for AFP.
    ssh user@server -L 5548:localhost:548
    then in your finder you could connect to
    afp://localhost:5548
    other than that invest in an affordable VPN router. They are not expensive. Then once you engage the vpn connection you would get a Local IP from your network and connect to your other macs as if you are locally connected.

  • RTP Traffic Prioritization over BGP

    We have implemented our QoS Policies throughout our network. DSCP tagged EF and CS6 packets are being prioritized correctly on all of our interfaces with the exception of the BGP connected link. CS6 packets are being prioritized, however, EF packets (RTP traffic) is not. The BGP link is using VRF VPN's- does this have something to do with it? Is there something special that has to be done to be able to prioritize this traffic?
    Greg

    Actually, we are tagging traffic ourselves as it comes into our router. EF IS being tagged correctly, and going outbound toward the serial, ethernet, and multilink interfaces it is prioritized correctly going out. On our BGP connections between core routers and to provider edge routers, it is not. All of these BGP links are within our system- no external provider.
    Greg

  • Amcom Messenger Service to Cisco 7921/7925

    When we try and send a message to a 7921/7925 phone.
    We get this error message in AMCOM "Unable to send message to #MAC# due to no IP address. The device is either off, recently turned on, Unregistered or not within the CUCM"
    The Amcom message goes through but we get no alert on the phone that we received it .
    It was working fine didn't make any changes to Call Manager.
    Amcom Messenger  V5.5.6
    CUCM V8.5.1
    Has anyone had the same issue?

    Hey bud,
    Did you figure this out ? We are having a very similar issue..

  • RTP Traffic not seen with debug IP packet

    Hi,
    We placed a Debug Ip Packet detail in ACL (any to host destination) but RTP traffic wasn't seen.
    Rtp session is established and debug rtp packets is a hard debug. Debug ip rtp ip and port is not enough information about packet.
    Sniffer is not possible at customer site.
    Do you have any idea how to check with debug IP Packet?
    Regards,
    Víctor

    Have you tried the suggested PCM capture procedure from Cisco below:
    # config t
    # voice hpi capture buffer 3000000        ( to configure the capture buffer.)
    # voice hpi capture destination flash:pcm.dat   (to specify the destination file.)
    Once you have the above configured you are ready to capture the PCM stream from the router.  Start a test call and leave it connected.
    1.  Enter "show voice call status" and determine what voice port a trouble call is using.
    2.  Enter "test voice port 1/0/4 pcm-dump caplog 7" where 1/0/4 is the number of the port that has the problem call up.
    - You can check the status of the capture using the following command: sh voice hpi capture
    - Make sure you have captured the whole duration of the problem call.  Then stop the capture, enter "test voice port 1/0/4 pcm-dump disable"
    - When you are done capturing, just enter configure terminal again and do the following:
      no voice hpi capture destination flash:pcm.dat
      no voice hpi capture buffer 3000000
    Following that, email the capture file pcm.dat to TAC for further analysis.

  • Cisco 7921/7925 sound information leaving WLAN

    Hi,
    is it possible to play a beep or something else on the 7921/7925 if the phone is leaving the wireless service area?
    Regards
    Paul

    Correct.  This is documented in the 7925G Deployment Guide as well, where this option is configured per phone in the Cisco CUCM.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

  • Incoming RTP traffic blocked by SPA112 ATA: UDP port unreachable

    Hi folks,
    I'm using a Cisco SPA112 ATA behind a NAT, where port 5060,5061 and 16384-16482 are forwarded. Registration to the SIP proxy also works fine. However, I'm struggling with audio issues, meaning that the RTP session is not setup properly.
    When investigating this issue at the packet-level, I found that the ATA itself is blocking traffic:
    21:00:21.857655 IP 192.168.x.y > 82.197.a.b: ICMP 192.168.x.y udp port 16452 unreachable, length 208
    The blocked port number depends per session, but is always between 16384 and 16482.
    Actually, the issue sounds very much like in [1]. However, the proposed solution (disabling CDP) is not of any help to me, since it's disabled on my ATA by default. Any clue what could be the reason for this behaviour? Your help is greatly appreciated.
    [1] https://supportforums.cisco.com/discussion/11470321/spa-962-intermittently-no-audio-rtp-port-closedunreachable

    Hi,
    You can try this packet Tracer:-
    packet input outside udp <External Source Ip on the internet>  45657 <Outside interface IP> 43139 det
    For the captures , you just need to verify that the ASA device is passing the traffic through as this is UDP traffic , we would not be able to find much.
    For more information on captures:-
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Let me know if you have any further queries.
    Thanks and Regards,
    Vibhor Amrodia

  • Allow RTP traffic to pass through different subnets

    I'm having trouble setting up a two-radio system. We have a location on a subnet and everything local functions correctly. But we also have a remote site that has an antenna and that remote site can communicate with the main location except with RTP. Below is a crude version of the setup to help visualize it.
    radio --> Cisco 3560 -->3750--->3750---(ATT Gigaman)--> 6807 (main data center) ---(TWC Point-to-point)--> 4507 (remote core) -->3560-->radio
    As I said I can ping, ssh, communicate in every way possible between the two locations but at the remote site the radio is unable to communicate via RTP.
    Any suggestions or ideas on what the problem could be? I was advised to create span ports from remote to home and run wireshark each time to see where it fails, but the remote site is an hour away and I'd like to avoid the 2hr drive to try that.

    Just in case anyone else encounters this issue what I had to do was enable multicast through the entire path between the radio at the remote site and the server at the main site. We narrowed the multicast to the VLAN's that were going to be passing the radio traffic.

  • Send RTP stream to NAT address

    Hi,
    I want to transmit an RTP stream from a server to a host in a LAN.
    This host has a NAT address and it's a non real IP address, so I can't send any stream through usage of SessionManager API because it needs to know a public IP.
    The other issue is that in a LAN, in most popular cases, there is a firewall that closes the connection from internet to their hosts.
    I think this solution:
    1) LAN's hosts can initiate the connection with server sending a non real RTP data
    2) Server stores the SessionManager of this connection
    3) Server can send your RTP stream now
    Does someone have a better solution or any suggestion?
    Thanks for all

    I have one appletTransmitter that capture video from webcam and transmit it to other client on internet.
    I try to transmit medialocator from appletTransmitter to servlet1 and then save MediaLocator as servlet attribute, then other client can connect to servlet2 that send saved MediaLocator to appletClient.
    APPLETTRANSMITTER:
    import java.io.*;
    import java.net.*;
    import javax.media.MediaLocator;

    URL url = null;
    MediaLocator media = new MediaLocator("vfw://0");
    try {
        url = new URL("http://localhost:8080/servlet1");
    } catch (MalformedURLException mue) { mue.printStackTrace(); }
    URLConnection conn = null;
    try {
        conn = url.openConnection();
    } catch (IOException ioe) { ioe.printStackTrace(); }
    conn.setDoOutput(true);
    OutputStream os = null;
    ObjectOutputStream oos = null;
    // in, iin, mResp and r are not used in the code shown in the post
    InputStream in = null;
    ObjectInputStream iin = null;
    MediaLocator mResp = null;
    String r = null;
    try {
        // serialize the MediaLocator and send it to servlet1
        os = conn.getOutputStream();
        oos = new ObjectOutputStream(os);
        oos.writeObject(media);
        //oos.writeObject("Prova Servlet");
        oos.flush();
    } catch (IOException io) { io.printStackTrace(); }
    catch (ClassNotFoundException cn) { cn.printStackTrace(); }
    SERVLET1
    ObjectInputStream objin = new ObjectInputStream(request.getInputStream());
    MediaLocator ml = null;
    try {
        // deserialize the object sent by the applet and keep it in the servlet context
        ml = (MediaLocator) objin.readObject();
        context.setAttribute("media", ml);
    } catch (ClassNotFoundException e) {
        e.printStackTrace();
    }
    But on servlet1 there is a ClassNotFoundException: MediaLocator
    What do we think about the solution and exception problem?
    Best Regards,
    Nico from Italy
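
The three steps proposed in the question above, sketched over plain UDP sockets as an added example (not code from the thread, and not the JMF SessionManager API): the server sends media to the source address it observes on the client's opening packet, which behind a NAT is the public mapping. The session token checked on that first packet is an addition assumed to be shared during call setup, so an unrelated sender cannot claim the stream; all names and the loopback addresses are constructed.

```python
import hmac
import socket
import struct

RTP_HEADER = "!BBHII"  # RFC 3550 fixed header: V/P/X/CC, M/PT, seq, timestamp, SSRC


def rtp_packet(seq, timestamp, ssrc, payload, payload_type=0):
    # 0x80 = version 2, no padding, no extension, no CSRC entries.
    return struct.pack(RTP_HEADER, 0x80, payload_type & 0x7F, seq, timestamp, ssrc) + payload


def latch(server, expected_token):
    """Steps 1-2: read the opening packet and return the sender's address as the
    server sees it, or None when the packet does not carry the session token."""
    data, addr = server.recvfrom(2048)
    if not hmac.compare_digest(data, expected_token):
        return None
    return addr


def stream(server, addr, count, ssrc=0x1234ABCD):
    """Step 3: send media back through the mapping the client opened."""
    for seq in range(count):
        server.sendto(rtp_packet(seq, seq * 160, ssrc, b"\x00" * 160), addr)


def udp_socket(timeout):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(timeout)
    return sock


def demo():
    token = b"constructed-session-token"  # assumed to come from call signalling
    server, client, stranger = udp_socket(1.0), udp_socket(1.0), udp_socket(0.2)
    try:
        # A sender without the token must not become the media destination.
        stranger.sendto(b"guess", server.getsockname())
        rejected = latch(server, token) is None
        # The real client opens the path from inside the LAN.
        client.sendto(token, server.getsockname())
        addr = latch(server, token)
        stream(server, addr, 3)
        seqs = [struct.unpack(RTP_HEADER, client.recv(2048)[:12])[2] for _ in range(3)]
        try:
            stranger.recv(2048)
            leaked = True
        except socket.timeout:
            leaked = False
        return {"latched_to_client": addr == client.getsockname(),
                "rejected_stranger": rejected, "seqs": seqs,
                "stranger_got_media": leaked}
    finally:
        for sock in (server, client, stranger):
            sock.close()


if __name__ == "__main__":
    print(demo())
```

Because the NAT mapping expires when idle, the client has to keep sending on the same socket for as long as it expects media.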

  • Allow IPSEC traffic thru 871?

    I am using Cisco 871's with Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass thru the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
    How can I allow IPSEC traffic to pass thru the 871?

    If you are initiating vpn client connectivity from behind the 871 to outside you need to allow through the IPsec ports udp 500, udp 4500 and protocol 50 esp. I don't know Nortel's vpn client but I'm sure they follow the IPsec security standards.
    try this on your 871 router.
    access-list 101 permit udp any any eq 500 log
    access-list 101 permit udp any any eq 4500 log
    access-list 101 permit esp any any log
    apply acl-101 to your outbound interface
    ip access-group 101 in
    HTH
    Jorge

  • 7921/7925 Battery Life & Battery Condition

    Hi All,
    I recently encountered an issue with battery life on the 7921 and 7925 phones following an update to 1.4(4.3) - the volume of complaints about shorter battery life from end-users using these phones has gone up quite significantly.
    I was wondering if there are any known bugs with this version (so far I have not been able to locate any), and as well if there are any known devices which can be used to test the condition of the batteries in these phones. I have contacted Cisco directly, and no such device appears to exist (at least no publicly available device). Has anyone successfully used any third party devices or methods for testing the condition of these batteries?
    Best Regards,
    -Evan

    If I can afford a complement to the question. A battery, such as CM0708 # # # # # # # # entirely new (no charging) will it be as good or needs to be replaced anyway?
    In addition, I would like to know if it is better to wait until the battery is completely flat to a charging where to place the phone on charge at all times ?
    Do leave a phone on charge for extended periods (weeks, months) may damage the battery ?
    This message was edited by: Dany Fortin

  • IP Phone 7921 / 7925 roaming issues after WLC upgrade from Version 7.2 to 7.3 and / or 7.4

    Hi,
    We have a customer which is using a Cisco WLC 5508 and 3502I APs. As he used the 7.2.103 release, There were no issues with VoWLAN. Now he needed new APs and ordered the 2602I. To use them he needed to upgrade the WLC to a 7.3 or later release. After the upgrade, he now encounters problems while roaming with the phones. The phones were tested with FW 1.4.1, 1.4.2 and 1.4.3.
    Configuration is set according to wireless voice design guides (VoWLAN DG 4.1, 7921 Deployment Guide). A Cisco TAC is also in progress, but they seem to be uncertain whether it is a wireless or CUCM issue, but I don't see a reason why it should be the CUCM when the only thing changed is the WLC Software Version.
    Is there anybody who is aware of such issues and can offer help?
    Thank you in advance.
    Best regards,
    Patrick

    Hi,
    we had a TAC ticket open with this customer and after some time, the TAC gave us the advice to use this release and the problems are now solved.
    So for others having the same issue: If you only need to support the 2600 APs, stay with the latest 7.2 release as there are some issues with the 7.3 and 7.4 release. If the customer requires HA, AVC or any of the new features + wireless voice, be very careful as it seems that the newer releases are having problems with that. I hope that Cisco will fix this very soon.
    regards,
    Patrick

  • Access-Point Names in Site Survey 7921 / 7925

    In some of our facilities, I'm able to see the AP name in my survey tool of my 792x phone.  Yet in others, I only see the MAC address.  Am I missing a WLC configuration somewhere that allows this to appear on my phone?

    Thanks for the reply.  Functionally, the phone works throughout the entire building and I'm only referring to 1 internal SSID used by the phones in my scenarios described below.
    We have a multi-floor building.  On some floors of the building, while using my 7925, I'm able to view the AP name.  Yet - on other floors of the same building, I see only the AP MAC address.
    We have floors mapped to specific WLCs. So floor 1 will be mapped to WLC 1, floor 2 will be mapped to WLC 2....etc.   So it must be a setting with the WLC that publishes the AP name to the phone.

  • Timeouts on non load balanced traffic thru ACE

    I have a backend server creating a connection to a db server outside the ACE environment. This traffic is using the L3 function of the ACE and is not being load balanced. The connection is timing out after 1 hour. I have normalization disabled on the backend server VLAN but not on the front side VLAN of the ACE.
    2 Questions:
    - With normalization disabled do I still need to change the tcp inactivity timeout for this traffic? Or with normalization disabled shouldn't the non load balanced traffic be L3 routed and not affected by the tcp timeout value?
    - Also do I need to disable normalization on the front side VLAN of the ACE?
    thanks,
    kurt

    As per
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/tcpipnrm.html#wp1075741
    "Disabling TCP normalization affects only Layer 4 traffic. TCP normalization is always enabled for Layer 7 traffic."
    By disabling TCP normalization the following Layer 4 connection parameters are ignored.
    exceed-mss-----Configure behavior if a packet exceeds MSS
    random-seq-num-disable----Disable TCP sequence number randomization
    reserved-bits-----Configure Reserved bits in TCP header
    syn-data-----Configure behavior for a SYN packet containing data
    tcp-options-----Configure TCP header options
    urgent-flag-----Allow/Clear Urgent flag
    I think you will need "Set timeout inactivity xxxx" command even if "no normalization" command is defined.
    Syed Iftekhar Ahmed
