Cisco IP-Phone registration issue with Juniper Firewall
About half a year ago, I had a problem where IP-Phones were not registering to CUCM when I did a migration project from a legacy PBX to Cisco IP-Phones.
Only IP-Phones at the remote site failed to register. On their screens, the message
"Phone not registered"
was shown.
[NW Topology]
CUCM --|MPLS| -- Main Office --|IPSEC-VPN| -- RemoteOffice
* For the IPSEC-VPN, both end devices are Juniper firewalls.
After several troubleshooting steps, we found that the Juniper firewall drops some SCCP packets. Later on, Cisco TAC also gave us the same conclusion.
We got a bit confused because for the VPN tunnel, the policy is configured as permit any any. But TAC said that even in that case some SCCP packets are still dropped.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB18226
We couldn't use the workaround in the link above since one of our Juniper firewalls is an old one and cannot be configured with
"unset alg sccp enable"
(but this was not confirmed by me, only by our firewall engineer, so I'm not sure whether it's true or not).
So we used Cisco routers at both sites and created one GRE tunnel between those two Cisco routers, and routed all VoIP traffic into that tunnel so that the Juniper firewall cannot see the SCCP traffic, because it's encapsulated in GRE.
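As an added example (not the author's actual configuration), this is what the GRE workaround looks like on two Cisco IOS routers; every address, subnet and interface name below is a placeholder I chose for illustration.

```cisco
! ===== Main Office router (placeholder addresses) =====
interface Tunnel0
 description GRE to remote office - carries only the VoIP subnets
 ip address 10.255.0.1 255.255.255.252
 ! tunnel source/destination are the router addresses on the
 ! inside of each Juniper firewall, so GRE crosses the IPsec VPN
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 ! GRE adds 24 bytes; lower MTU/MSS so SCCP (TCP) is not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! remote-site phone subnet (placeholder) goes into the tunnel,
! everything else keeps following the normal VPN route
ip route 10.20.0.0 255.255.255.0 Tunnel0

! ===== Remote Office router (placeholder addresses) =====
interface Tunnel0
 description GRE to main office - carries only the VoIP subnets
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! CUCM subnet (placeholder, reached via main office over MPLS)
ip route 10.10.0.0 255.255.255.0 Tunnel0

! ===== checks on either router =====
! tunnel is up/up and counters increase when a phone registers
show interfaces Tunnel0
! phone-to-CUCM traffic really resolves to Tunnel0, not the VPN path
show ip route 10.10.0.5
```

The Juniper policy still has to permit GRE (IP protocol 47) between the two tunnel sources; the SCCP ALG only parses traffic it recognises as SCCP (TCP/2000 by default), so once the registration packets are encapsulated in GRE the ALG never sees them.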