Webex phone service and NSA 5600

We just went to a cloud-based VOIP service provided by Webex using Cisco physical phones. It is generally working well, but we're having an occasional problem where there is no audio on calls both from the outside and internally. In the logs, I'm seeing the following sporadically:


  16:27:42 Jan 25 524 Network Notice Web access Request dropped 184.105.247.251, 47136, X1 192.168.1.4, 443, X7:V1030 tcp packet not allowed by policy

  16:26:18 Jan 25 524 Network Notice Web access Request dropped 179.43.143.186, 41410, X1 192.168.1.253, 443, X7:V1030 tcp packet not allowed by policy

  16:17:45 Jan 25 524 Network Notice Web access Request dropped 207.154.247.213, 36125, X1 192.168.1.4, 443, X7:V1030 tcp packet not allowed by policy

  15:46:36 Jan 25 524 Network Notice Web access Request dropped 92.118.39.82, 40605, X1 192.168.1.4, 80, X7:V1030 tcp packet not allowed by policy 

  15:38:07 Jan 25 524 Network Notice Web access Request dropped 62.55.239.219, 56718, X1 192.168.1.4, 80, X7:V1030 tcp packet not allowed by policy

  15:34:44 Jan 25 524 Network Notice Web access Request dropped 185.224.128.224, 59775, X1 192.168.1.253, 443, X7:V1030 tcp packet not allowed by policy


I've been unable to determine what "policy" is making the packets be dropped. I have excluded the 192.168.1.x subnet (where the phones are) from all security services. I've also gone into the VOIP settings and turned on "Enable SIP Transformations" and "Enable SIP Back-to-Back User Agent (B2BUA) support."


None of this seems to be making any difference. Our ISP/VOIP provider is saying that they're seeing the packets being dropped on our end, but otherwise everything looks fine.

Category: High End Firewalls

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    Did you follow the recommendations provided to you by Webex?

    Generally you do NOT want to use SIP Transformations unless specified by the provider, so disable that. Enable Consistent NAT on the same page if you haven't.

    You should also check with your ISP if they have SIP ALG enabled on your CPE. Many cable providers have it enabled by default and it can interfere with VoIP systems.

  • Trevor Newbie ✭
    edited January 2023

    Thanks. Yes, I had looked at that document previously, but we're generally not blocking outbound traffic (beyond app control, content filtering, etc., but I have those all off for the phone subnet), so there wasn't really anything there that applied.

    I have turned the SIP transformations back off. Our ISP is also the Webex provider, so things should be set correctly from their end.

    I've looked up the blocked IP addresses from the log that I posted earlier, and they're from all over the world. I was assuming the blocks were related to the call problems, but maybe they were supposed to be blocked?

    I did run Cisco's connection test utility before we switched over to the new phone system, and it found no problems. The sporadic problems have just come up within the last week. Which kind of makes me think it has nothing to do with the firewall, but that's where the fingers are currently pointing when we asked for support from the Webex provider.
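
Added example, not part of the thread or any poster's code: a Python sketch that parses the dropped-packet lines quoted in the original post and tallies direction, distinct sources and destination ports, so the drops can be compared against the ports and addresses the phone provider documents. It assumes X1 is the WAN interface (the SonicWall default) and that a log export keeps the field order shown in the post; the names `parse`, `summarize` and `WAN_IF` are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the original post in this thread (event ID 524).
LOG = """\
16:27:42 Jan 25 524 Network Notice Web access Request dropped 184.105.247.251, 47136, X1 192.168.1.4, 443, X7:V1030 tcp packet not allowed by policy
16:26:18 Jan 25 524 Network Notice Web access Request dropped 179.43.143.186, 41410, X1 192.168.1.253, 443, X7:V1030 tcp packet not allowed by policy
16:17:45 Jan 25 524 Network Notice Web access Request dropped 207.154.247.213, 36125, X1 192.168.1.4, 443, X7:V1030 tcp packet not allowed by policy
15:46:36 Jan 25 524 Network Notice Web access Request dropped 92.118.39.82, 40605, X1 192.168.1.4, 80, X7:V1030 tcp packet not allowed by policy
15:38:07 Jan 25 524 Network Notice Web access Request dropped 62.55.239.219, 56718, X1 192.168.1.4, 80, X7:V1030 tcp packet not allowed by policy
15:34:44 Jan 25 524 Network Notice Web access Request dropped 185.224.128.224, 59775, X1 192.168.1.253, 443, X7:V1030 tcp packet not allowed by policy
"""

# time, date, event id, free text up to "dropped", then
# src ip, src port, src interface, dst ip, dst port, dst interface, protocol
LINE = re.compile(
    r"^\s*(?P<time>\d\d:\d\d:\d\d) (?P<date>\w{3} \d{1,2}) (?P<event>\d+) .*?"
    r"dropped (?P<src>[\d.]+), (?P<sport>\d+), (?P<src_if>\S+) "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dst_if>\S+) (?P<proto>\w+) "
)

WAN_IF = "X1"  # assumption: X1 is the WAN interface (SonicWall default layout)


def parse(text):
    """Return one dict per log line that matches the drop format; skip the rest."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def summarize(events, wan_if=WAN_IF):
    """Tally drops that were initiated from the WAN side, per target host and port."""
    inbound = [e for e in events if e["src_if"] == wan_if]
    return {
        "total": len(events),
        "wan_initiated": len(inbound),
        "distinct_sources": len({e["src"] for e in inbound}),
        "by_target": Counter(
            (e["dst"], e["proto"], int(e["dport"])) for e in inbound
        ),
    }


if __name__ == "__main__":
    s = summarize(parse(LOG))
    print(f"{s['wan_initiated']}/{s['total']} drops initiated from {WAN_IF}, "
          f"{s['distinct_sources']} distinct sources")
    for (dst, proto, port), n in s["by_target"].most_common():
        print(f"  {dst} {proto}/{port}: {n}")
```

Run over a longer export, the per-target tally shows at a glance whether any dropped flow involves the provider's published signalling or media ports, or only connection attempts that started on the WAN side.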
