[cisco-voip] intercluster trunk over IPSec VPN

Peter Slow peter.slow at gmail.com
Tue Feb 14 12:57:49 EST 2012 

"When a phone in one site tries to call another phone in the other site
there is a noticeable gap before actual conversation is heard over the
phone. Once conversation starts, there is no delay or break in audio. Has
anyone faced this issue?"

I saw you state that you were using an ICT, but i've seen discussions in
this thread pertaining to SIP as well. You also said the device on the
other end is a CME. You need H.225 Fast Connect (Fast Start) or SIP Early
Media. I haven't seen anyone ask you if these were configured yet, forgive
me if they have.

That being said, can you please confirm that when you said ICT you meant an
H.323 GW? (Since you shouldnt really have an actual ICT pointing at a CME,
unless something weird changed lately)
...Do you have the same call establishment problems no matter which
direction the calls are made in? I'd expect your CUCME to being doing fast
start by default unless you turned it off.

-Peter


On Tue, Feb 14, 2012 at 12:45 PM, Abebe Amare <abucho at gmail.com> wrote:

> Hi Wes,
>
> Here is how the devices involved are connected
>
> CUCM->6509->ASA->Packetshaper->2821->VSAT Link->Internet<-ASA<-CUCME
>
> I do not have control over the CUCME on the remote side for the moment.
> The VPN tunnels terminate at the ASA on each side. I am not comfortable
> with configuring QoS on the ASA, that is why I configured on the 2821. And
> since the 2821 can not see the pre-tunnel traffic, I decided to put the
> traffic passing over the tunnel in LLQ.
> The VSAT link is used for basic Internet browsing. The speed of the VSAT
> connection is 768 kbps and we do take slow TCP connection as acceptable. We
> use IronPort web security appliance together with Packetshaper to tightly
> control what goes on the link.
>
> I have collected some RTP streams using wireshark and it does not show
> excessive jitter, delay or packet loss in the RTP analysis which seems to
> contradict what I shared about the RTP statistics directly from the phone.
> How do I find out if the call setup signalling is delayed?
>
> regards,
>
> Abebe
>
>
>
> On Tue, Feb 14, 2012 at 7:15 PM, Wes Sisk <wsisk at cisco.com> wrote:
>
>> My QoS is a bit rusty as it's time to re-certify.  That said "put the VPN
>> traffic in LLQ" doesn't sound quite right.  It is *voice* that needs to be
>> in LLQ.
>>
>>
>> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/netstruc.html#wp1044413
>>
>> Otherwise, it might be beneficial to conduct some tests to better
>> understand the network.  What traffic flows over the VSAT link?   Is the
>> call setup signaling delayed?  Is there excessive delay at the beginning of
>> any TCP/UDP stream or is that unique to the UDP/RTP voice traffic?
>>
>> Regards,
>> Wes
>>
>>
>> On Feb 14, 2012, at 1:23 AM, Abebe Amare wrote:
>>
>> Hi Wes, thanks a lot for your detail explanation, it is very educational.
>>
>> I should have stated earlier that the Internet connection is a VSAT link.
>> Here is a ping output from the CUCM to the far side CUCME,
>>
>> admin:utils network ping 192.168.100.1
>> PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
>> 64 bytes from 192.168.100.1: icmp_seq=0 ttl=254 time=577 ms
>> 64 bytes from 192.168.100.1: icmp_seq=1 ttl=254 time=579 ms
>> 64 bytes from 192.168.100.1: icmp_seq=2 ttl=254 time=587 ms
>> 64 bytes from 192.168.100.1: icmp_seq=3 ttl=254 time=584 ms
>>
>> --- 192.168.100.1 ping statistics ---
>> 4 packets transmitted, 4 received, 0% packet loss, time 3036ms
>> rtt min/avg/max/mdev = 577.892/582.386/587.697/4.048 ms, pipe 2
>>
>> I have configured QoS on the gateway routers to put the VPN traffic in
>> LLQ with reserved bandwidth. What other mechanisms do you suggest to
>> improve the voice quality?
>>
>> best regards,
>>
>> Abebe
>>
>> On Mon, Feb 13, 2012 at 6:06 PM, Wes Sisk <wsisk at cisco.com> wrote:
>>
>>> Hi Abebe,
>>>
>>> Those are pretty bad.  These are of particular concern:
>>> Rcvr Codec  G729
>>> Sender Codec G729
>>> Rcvr size    20ms
>>> sender size  20ms
>>> Rcvr Packets 476
>>> sender packets 709
>>> Avg Jitter     31
>>> Max Jitter    185
>>> Rcvr discarded 1
>>> Cumulative Conceal ratio 0.0319
>>> Max Conceal ratio 0.0446
>>> Conceal sec  5
>>> Severly conceal sec 1
>>>
>>> I interpret this as:
>>> G.729 has a lower MOS so we're starting with less audio quality.  The
>>> phone sent 709 packets but received 476 packets.  At 20msec packetization
>>> the phone has sent 14.1 seconds of audio but received only 9.5 seconds of
>>> audio.  The phone cannot begin counting until the first RTP packet arrives
>>> so this may account for an additional gap between these metrics and actual
>>> user experience.  The tx/rx is normally very similar. Either there was a
>>> delay in signaling negotiating bidirectional audio or this phone first
>>> started receiving RTP packets ~5 seconds into the call.  After that Jitter
>>> of 31 is not great but would generally still be intelligible audio.  Max
>>> jitter of 185 is pretty much impossible to recover.  Each packet should
>>> contain 20msec of audio.  At least one packet arrived 185msec late.
>>>
>>> Recvr discarded 1 means the phone discarded one rtp packet it received.
>>>  Discard can happen for several reasons but with max jitter 185 it is very
>>> likely the packet was just too late to be used.  When a 20msec slice of
>>> audio is unavailable the phone attempts to conceal that in the audio
>>> stream.  This leads to next stats:
>>> Conceal sec  5
>>> Severly conceal sec 1
>>>
>>> For 5 seconds the phone used the g.729 packet loss concealment algorithm
>>> to try and mask the absence of packets.  This is going to be silence,
>>> noise, or otherwise unintelligible audio to the user.
>>>
>>> It looks like something is indeed inhibiting RTP packet flow toward this
>>> phone.  A packet capture will show more details but it's not particularly
>>> necessary from the phone/application perspective.  The underlying packet
>>> network needs some improvements to delivery adequate voice quality.
>>>
>>> /wes
>>>
>>> On Feb 13, 2012, at 9:31 AM, Abebe Amare wrote:
>>>
>>> Hi Wes,
>>>
>>> Here is the call statistics from the phone for one call
>>>
>>> Rcvr Codec  G729
>>> Sender Codec G729
>>> Rcvr size    20ms
>>> sender size  20ms
>>> Rcvr Packets 476
>>> sender packets 709
>>> Avg Jitter     31
>>> Max Jitter    185
>>> Rcvr discarded 1
>>> Rcvr lost packets 0
>>> Avg MOS LQK   0.0
>>> Min MOS LQK   0.0
>>> Max MOS LQK   0.0
>>> Cumulative Conceal ratio 0.0319
>>> Max Conceal ratio 0.0446
>>> Conceal sec  5
>>> Severly conceal sec 1
>>>
>>> Is the jitter too high?
>>>
>>> regards,
>>>
>>> Abebe
>>>
>>> On Fri, Feb 10, 2012 at 8:32 PM, Lelio Fulgenzi <lelio at uoguelph.ca>wrote:
>>>
>>>> I was surprised to find that SLA is not included in the IPBase module
>>>> of v15, nor in the UC module. You need the Data module.
>>>>
>>>> Sent from my iPhone...
>>>>
>>>> "There's no place like 127.0.0.1"
>>>>
>>>> On Feb 10, 2012, at 12:20 PM, Dennis Heim <Dennis.Heim at cdw.com> wrote:
>>>>
>>>> Maybe a good place for some IP SLA monitoring.****
>>>>
>>>> ** **
>>>>
>>>> Dennis Heim
>>>> Senior Engineer (Unified Communications)
>>>> CDW  Advanced Technology Services
>>>> 10610 9th Place
>>>> Bellevue, WA 98004
>>>>
>>>> 425.310.5299 Single Number Reach (WA)****
>>>>
>>>> 317.569.4255 Single Number Reach (IN)
>>>> 317.569.4201 Fax
>>>> dennis.heim at cdw.com*
>>>> *cdw.com/content/solutions/unified-communications/<http://www.cdw.com/content/solutions/unified-communications/>
>>>> ****
>>>>
>>>> ** **
>>>>
>>>> *From:* cisco-voip-bounces at puck.nether.net [mailto:
>>>> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Wes Sisk
>>>> *Sent:* Friday, February 10, 2012 10:36 AM
>>>> *To:* Abebe Amare
>>>> *Cc:* cisco voip
>>>> *Subject:* Re: [cisco-voip] intercluster trunk over IPSec VPN****
>>>>
>>>> ** **
>>>>
>>>> most likely still packet throughput issues. packets may be late to the
>>>> point of discarded. they would not technically be lost in that case.***
>>>> *
>>>>
>>>> ** **
>>>>
>>>> this would manifest as high jitter.  setup the initial all and press
>>>> the "i" or "?" button twice on the phone to see call statistics.  beyond
>>>> that take a packet capture.  wireshark has some decent RTP analysis tools
>>>> built in.****
>>>>
>>>> ** **
>>>>
>>>> /wes****
>>>>
>>>> ** **
>>>>
>>>> On Feb 10, 2012, at 6:41 AM, Abebe Amare wrote:****
>>>>
>>>>
>>>> Dears, thank you all for the excellent support
>>>>
>>>> I managed to keep the VPN tunnel up be sending periodic ping but the
>>>> problem still persist. Bandwidth is reserved for at least four calls
>>>> (taking into consideration VPN overhead) on a Packetshaper and the call
>>>> quality is good mid-conversation. But it is is clipping the first few
>>>> seconds. I dont see any packet loss n the CMR records for a test call. What
>>>> should I be looking for?
>>>>
>>>> thanks in advance
>>>>
>>>> Abebe
>>>>
>>>>
>>>> ****
>>>>
>>>> On Thu, Feb 9, 2012 at 5:57 PM, Wes Sisk <wsisk at cisco.com> wrote:****
>>>>
>>>> TCP keepalives are only used while a call is active.****
>>>>
>>>> ** **
>>>>
>>>> When no call is active there is no active h323/h225/h245 signaling, tcp
>>>> session, or udp.  The only exception is when gatekeeper is used. Then gk
>>>> registration messages are maintained.  Those are over UDP between the h323
>>>> ep and gk.****
>>>>
>>>> ** **
>>>>
>>>> for a static ICT defined between two CUCM clusters there is no network
>>>> activity without an active call.****
>>>>
>>>> ** **
>>>>
>>>> For the duration of an active call the tcp keepalive parameter will
>>>> help.****
>>>>
>>>> ** **
>>>>
>>>> regards,****
>>>>
>>>> wes****
>>>>
>>>> ** **
>>>>
>>>> On Feb 9, 2012, at 8:13 AM, Adam Frankel (afrankel) wrote:****
>>>>
>>>> ** **
>>>>
>>>> Options Ping was added in 8.5(1).
>>>>
>>>> The parameter "Allow TCP KeepAlives For H323 " should take care of this
>>>> for H323 ICT.
>>>>
>>>> -Adam
>>>>
>>>> ****
>>>>  ------------------------------
>>>>
>>>> *From:* Abebe Amare <abucho at gmail.com> <abucho at gmail.com>
>>>> *Sent:* Thu, Feb 09, 2012 4:52:50 AM
>>>> *To:* Ryan Ratliff <rratliff at cisco.com> <rratliff at cisco.com>
>>>> *CC:* cisco voip <cisco-voip at puck.nether.net><cisco-voip at puck.nether.net>
>>>> *Subject:* Re: [cisco-voip] intercluster trunk over IPSec VPN
>>>>
>>>>
>>>> ****
>>>>
>>>> Hi Ryan,
>>>>
>>>> The CUCM version is 6.1.3.1000-16. Is the SIP options ping parameter
>>>> available in this version? Where would you enable it if it is available?
>>>>
>>>> thanks in Advance,
>>>>
>>>> Abebe****
>>>>
>>>> On Wed, Feb 8, 2012 at 8:07 PM, Ryan Ratliff <rratliff at cisco.com>
>>>> wrote:****
>>>>
>>>> What about a SIP trunk with options ping enabled? ****
>>>>
>>>> ** **
>>>>
>>>> -Ryan****
>>>>
>>>> ** **
>>>>
>>>> On Feb 8, 2012, at 7:05 AM, Abebe Amare wrote:****
>>>>
>>>>
>>>> Hi Dennis,
>>>>
>>>> Configuring a persistent L2L tunnel proved to be very elusive. I
>>>> settled for running a periodic ping scheduled to keep the tunnel running.
>>>>
>>>> Thanks for your help
>>>>
>>>> Abebe****
>>>>
>>>> On Tue, Feb 7, 2012 at 6:16 PM, Dennis Heim <Dennis.Heim at cdw.com>
>>>> wrote:****
>>>>
>>>> I think you answered your own question. IPSEC tunnel’s take time to
>>>> bring up. Maybe you could tweak some of the VPN negotiating parameters, or
>>>> create a separate L2 tunnel profile/group just for your voice that is
>>>> permanent and does not have an inactivity timer.****
>>>>
>>>>  ****
>>>>
>>>>  ****
>>>>
>>>> Dennis Heim
>>>> Senior Engineer (Unified Communications)
>>>> CDW  Advanced Technology Services
>>>> 10610 9th Place
>>>> Bellevue, WA 98004
>>>>
>>>> 425.310.5299 Single Number Reach (WA)****
>>>>
>>>> 317.569.4255 Single Number Reach (IN)
>>>> 317.569.4201 Fax
>>>> dennis.heim at cdw.com*
>>>> *cdw.com/content/solutions/unified-communications/<http://www.cdw.com/content/solutions/unified-communications/>
>>>> ****
>>>>
>>>>  ****
>>>>
>>>> *From:* cisco-voip-bounces at puck.nether.net [mailto:
>>>> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Abebe Amare
>>>> *Sent:* Tuesday, February 07, 2012 4:10 AM
>>>> *To:* cisco voip
>>>> *Subject:* [cisco-voip] intercluster trunk over IPSec VPN****
>>>>
>>>>  ****
>>>>
>>>> Dears,
>>>>
>>>> I have configured an Inter-Cluster trunk from CUCM to another site with
>>>> CUCME. There is an IPSec L2L VPN terminating at ASA 5500 firewall on both
>>>> ends
>>>>
>>>> CUCM --->ASA 5540--->Internet <---ASA 5510<---CUCME
>>>>
>>>> On the ASA,the IPSec tunnel is terminated after 30 minute of inactivity
>>>> (default) which is causing a problem. When a phone in one site tries to
>>>> call another phone in the other site there is a noticeable gap before
>>>> actual conversation is heard over the phone. Once conversation starts,
>>>> there is no delay or break in audio. Has anyone faced this issue?
>>>>
>>>> best regards,
>>>>
>>>> Abebe****
>>>>
>>>> ** **
>>>>
>>>> _______________________________________________
>>>> cisco-voip mailing list
>>>> cisco-voip at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip****
>>>>
>>>> ** **
>>>>
>>>>
>>>>
>>>>
>>>> ****
>>>>
>>>> _______________________________________________****
>>>>
>>>> cisco-voip mailing list****
>>>>
>>>> cisco-voip at puck.nether.net****
>>>>
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip****
>>>>
>>>> ** **
>>>>
>>>> _______________________________________________
>>>> cisco-voip mailing list
>>>> cisco-voip at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip****
>>>>
>>>> ** **
>>>>
>>>> ** **
>>>>
>>>> ** **
>>>>
>>>> _______________________________________________
>>>> cisco-voip mailing list
>>>> cisco-voip at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>
>>>>
>>>
>>>
>>
>>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20120214/44fd2c99/attachment.html>

More information about the cisco-voip mailing list