Friday, March 8, 2019

Help me out of SIP ALG hell

See below for a TL;DR.

Some time back, we acquired a business that uses a cloud hosted PBX and Polycom VVX handsets. Those handsets don't support STUN, making NAT more challenging. The business previously used an Edgemarc 4550 as their edge device / SIP ALG which worked well. Through the infinite wisdom of management, the decision was made to standardize the network without touching their voice solution. So, standard, but not. We don't support any other sites with a cloud PBX.

The network edge device is now a Cisco 4331 with two DMVPN WAN tunnels and two GRE tunnels to ZScaler for Internet access. The transport interfaces are in separate front door VRFs. We do not NAT Internet traffic on the way to ZScaler. They handle NAT and have some sort of SIP ALG that appears to function.

TL;DR: We are having problems with jitter and poor voice quality for a site using a cloud hosted PBX. I've narrowed the jitter down to ZScaler, so I've started testing a ZScaler bypass for voice using PBR + ZBF + NAT + SIP ALG on the 4331. The router is currently running 03.16.07b.S.155-3.S7b, which will get updated soon. I can get one phone to boot, provision from the cloud ftp server and register with the cloud PBX, but subsequent test phones fail to register. I can place and take calls on the registered phone, but not from any others. I'm not sure if my issue is configuration, a bug, general SIP ALG shittiness, or some combination of those. Any help or suggestions appreciated.

Here's a sanitized configuration:

vrf definition INET1
 !
 address-family ipv4
 exit-address-family
!
class-map type inspect match-any outside-to-self-class
 match access-group name outside-self-acl
class-map type inspect match-any self-to-outside-class
 match access-group name outside-self-acl
class-map type inspect match-any fw-class
 match protocol sip
 match protocol ftp
 match protocol udp
 match protocol tcp
 match protocol icmp
!
policy-map type inspect inside-to-outside-policy
 class type inspect fw-class
  inspect
 class class-default
  drop log
policy-map type inspect self-to-outside-policy
 class type inspect self-to-outside-class
  pass
 class class-default
  drop log
policy-map type inspect outside-to-self-policy
 class type inspect outside-to-self-class
  pass
 class class-default
  drop log
!
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-policy
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-policy
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-policy
!
interface GigabitEthernet0/0/0
 description LAN
 ip address 10.4.0.1 255.255.255.0
 ip nat inside
 zone-member security inside
 ip policy route-map voice-test
!
interface GigabitEthernet0/0/1
 description ISP1
 vrf forwarding INET1
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 zone-member security outside
!
interface Tunnel100
 description ZScaler DC1
 ip address 172.16.2.2 255.255.255.252
 zone-member security inside
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0/1
 tunnel destination 1.2.3.4
 tunnel vrf INET1
!
ip nat inside source list voice-test-acl interface GigabitEthernet0/0/1 overload
!
ip access-list extended voice-test-acl
 remark Deny to Internal
 deny ip 10.4.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.4.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 remark Test Phones
 permit ip host 10.4.0.131 any
 permit ip host 10.4.0.17 any
ip access-list extended outside-self-acl
 remark Permit IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark Permit GRE
 permit gre any any
 remark Permit ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
!
route-map voice-test permit 5
 match ip address voice-test-acl
 set vrf INET1
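The following is an added example, not code from the original post or from Cisco, to make concrete what the PAT overload plus SIP ALG combination in the configuration above has to do to a phone's REGISTER, and what to look for in a capture on the outside interface when a second phone will not register. It models only the Via and Contact rewrite for a REGISTER (a real ALG also rewrites SDP bodies on INVITE and opens RTP pinholes, which is left out). The PBX name pbx.example.net, the extensions, tags and Call-IDs are made up; the two inside addresses are the test phones from the voice-test-acl and 1.1.1.2 is the sanitized ISP1 address, assumed here to be the PAT address.

```python
import ipaddress
import re

PUBLIC_IP = "1.1.1.2"  # sanitized ISP1 address from the post, assumed to be the PAT address
ALG_HEADERS = ("Via", "Contact")  # headers a SIP ALG must rewrite on a REGISTER
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def make_register(inside_ip, ext, tag):
    """Constructed REGISTER as a phone behind NAT sends it (PBX name, extension,
    tag and Call-ID are invented for the example)."""
    return (
        "REGISTER sip:pbx.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {inside_ip}:5060;branch=z9hG4bK-{tag};rport\r\n"
        f"From: <sip:{ext}@pbx.example.net>;tag={tag}\r\n"
        f"To: <sip:{ext}@pbx.example.net>\r\n"
        f"Call-ID: {tag}@{inside_ip}\r\n"
        "CSeq: 1 REGISTER\r\n"
        f"Contact: <sip:{ext}@{inside_ip}:5060>\r\n"
        "Expires: 3600\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def headers(msg):
    """Yield (name, value) for each header line; the request line is skipped."""
    head = msg.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        yield name.strip(), value.strip()


def private_leaks(msg):
    """[(header, 'ip:port')] for Via/Contact entries still carrying an RFC 1918 address.
    On a capture from the outside interface this must be empty; anything listed is a
    message the ALG did not rewrite."""
    leaks = []
    for name, value in headers(msg):
        if name in ALG_HEADERS:
            for ip, port in ADDR_RE.findall(value):
                if ipaddress.ip_address(ip).is_private:
                    leaks.append((name, f"{ip}:{port}"))
    return leaks


class PatTable:
    """Minimal PAT (NAT overload) model: each inside ip:port gets a unique outside port."""

    def __init__(self, public_ip, first_port=5060):
        self.public_ip, self.next_port, self.bindings = public_ip, first_port, {}

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[key]


def alg_rewrite(msg, pat, src_ip, src_port, rewrite_port=True):
    """Rewrite Via/Contact to the PAT binding of the packet's source, as a SIP ALG must.
    rewrite_port=False models an ALG that fixes only the IP: every phone then advertises
    the same public ip:5060 and the PBX cannot tell their Contacts apart."""
    pub_ip, pub_port = pat.translate(src_ip, src_port)

    def fix(m):
        if m.group(1) != src_ip or int(m.group(2)) != src_port:
            return m.group(0)  # not this packet's own source address; leave it alone
        return f"{pub_ip}:{pub_port if rewrite_port else m.group(2)}"

    out = []
    for line in msg.split("\r\n"):
        out.append(ADDR_RE.sub(fix, line) if line.partition(":")[0] in ALG_HEADERS else line)
    return "\r\n".join(out)


def contact_binding(msg):
    """The ip:port the PBX will store as this phone's registration Contact."""
    for name, value in headers(msg):
        if name == "Contact":
            m = ADDR_RE.search(value)
            return f"{m.group(1)}:{m.group(2)}" if m else None
    return None


def contact_collisions(msgs):
    """Contact bindings advertised by more than one REGISTER: the ALG/PAT pair is not
    giving each phone a distinct outside ip:port."""
    seen = {}
    for msg in msgs:
        seen[contact_binding(msg)] = seen.get(contact_binding(msg), 0) + 1
    return sorted(b for b, n in seen.items() if n > 1)


if __name__ == "__main__":
    phones = [("10.4.0.131", "1001", "a1"), ("10.4.0.17", "1002", "b2")]  # the post's test phones
    raw = [make_register(ip, ext, tag) for ip, ext, tag in phones]
    print("inside leaks:", [private_leaks(m) for m in raw])
    good = [alg_rewrite(m, pat := PatTable(PUBLIC_IP), ip, 5060) for m, (ip, _, _) in zip(raw, phones)]
    print("correct ALG:", [contact_binding(m) for m in good], contact_collisions(good))
```

The two things worth checking against a real capture on the outside interface are exactly what `private_leaks` and `contact_collisions` check: no 10.x address left in Via or Contact, and a different outside port per phone once more than one phone sits behind the overload.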


