03-03-2016 12:12 PM - edited 03-10-2019 11:32 PM
Dears,
I have created a pre-auth access-list for Cisco ISE 1.4, as per the Switch Configuration Required to Support Cisco ISE Functions 2.0. The Cisco IP phone is being properly profiled and it downloads the proper access-list, i.e. permit ip any any, but when I make a call to the PSTN I hear one-way audio. When I look at the switch logs they show me that the RTP has been blocked by the default access-list. I have one question: when my DACL is downloaded properly, why is the default ACL interrupting the RTP? Also I see that port numbers 2000 & 2443 are being blocked by the default access-list, by which the phone loses its connection to the server; these are used for keepalives to the CUCM.
Anything I am missing?
Thanks
03-04-2016 08:54 AM
Sounds like the DACL is not actually getting applied on the switch port; try posting the output of "show auth session int x/x" and "show ip access-list int x/x" when the phone is on and doesn't work.
03-04-2016 11:29 AM
Dear Jan,
Here is the output. I can see the DACL downloaded, but the access-list on the interface is not seen:
sh authentication sessions int gig5/3
Interface: GigabitEthernet5/3
MAC Address: 1c1d.862f.2485
IP Address: 10.108.48.13
User-Name: 1C-1D-86-2F-24-85
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-IP-PHONE-TO-CUCM-GATEWAY-56d830e3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AD02F3300005BB7DBA6FB44
Acct Session ID: 0x00005CA4
Handle: 0x7B000C14
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
ASW01#sh ip access-list interface gig5/3
Thanks
03-04-2016 02:22 PM
03-04-2016 09:50 PM
Dear jan,
Please find the attached snapshot showing the DACL is valid, but as per the output below I can see only the PC and not the phone on the port. I have noticed one thing: as soon as the phone registers and I dial the PSTN user, the RTP packets flow perfectly, but after a few seconds the PSTN user is not able to hear me; then, when I apply the RTP access-list element (permit udp any host 10.208.14.1 range 16384 32767) in the default access-list, it works. But the question is why we need to edit the default access-list when things are permitted from ISE.
sh ip device tracking int gig5/3
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
10.208.36.11 c8cb.b80f.3f92 36 GigabitEthernet5/3 INACTIVE
Total number interfaces enabled: 21
Enabled interfaces:
Gi2/1, Gi2/2, Gi2/3, Gi2/4, Gi2/5, Gi2/6, Gi2/7,
Gi2/8, Gi2/9, Gi2/10, Gi2/11, Gi2/13, Gi2/15, Gi2/48,
Gi3/5, Gi3/22, Gi3/24, Gi5/3, Gi6/20, Gi6/22, Gi6/42
Access-list contents
permit udp any host 10.208.5.1 eq 69
permit udp any host 10.208.5.2 eq 69
permit udp any host 10.208.5.1 eq 6969
permit udp any host 10.208.5.2 eq 6969
permit tcp any host 10.208.5.1 eq 8443
permit tcp any host 10.208.5.2 eq 8443
permit tcp any host 10.208.5.1 eq 8080
permit tcp any host 10.208.5.2 eq 8080
permit tcp any host 10.208.5.1 eq 2000
permit tcp any host 10.208.5.2 eq 2000
permit tcp any host 10.208.5.1 eq 2443
permit tcp any host 10.208.5.2 eq 2443
permit tcp any host 10.208.5.1 eq 2445
permit tcp any host 10.208.5.2 eq 2445
permit tcp any host 10.208.5.1 eq 3804
permit tcp any host 10.208.5.2 eq 3804
permit tcp any host 10.208.5.1 eq 5060
permit tcp any host 10.208.5.2 eq 5060
permit udp any host 10.208.5.1 eq 5060
permit udp any host 10.208.5.2 eq 5060
permit tcp any host 10.208.5.1 eq 5061
permit tcp any host 10.208.5.2 eq 5061
permit tcp any host 10.208.5.1 eq 6970
permit tcp any host 10.208.5.2 eq 6970
permit udp any host 10.208.5.1 range 16384 32767
permit udp any host 10.208.5.2 range 16384 32767
permit udp any host 10.208.14.1 range 16384 32767
permit udp any host 10.208.5.1 eq 123
permit udp any host 10.208.5.2 eq 123
permit tcp any host 10.208.14.1 eq 5060
permit udp any host 10.208.14.1 eq 5060
permit tcp any host 10.208.14.1 eq 5061
permit udp any host 10.208.14.1 eq 5061
deny ip any any
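While the dACL is not bound to the port, the pre-auth ACL above is the only filter in effect. The check below, an added example rather than anything from the thread, evaluates a reduced copy of that ACL (constructed from the entries above) against the flows a registered phone needs and reports which ACE drops each blocked flow; the sample RTP port 20000 is an assumption chosen inside the 16384-32767 range.

```python
# Constructed pre-auth ACL modeled on the one posted above, reduced to the entries relevant to the
# flows checked below: 10.208.5.1/.2 are the CUCM servers, 10.208.14.1 the PSTN gateway.
PRE_AUTH_ACL = """
permit tcp any host 10.208.5.1 eq 2000
permit tcp any host 10.208.5.2 eq 2000
permit tcp any host 10.208.5.1 eq 2443
permit tcp any host 10.208.5.2 eq 2443
permit udp any host 10.208.5.1 range 16384 32767
permit udp any host 10.208.5.2 range 16384 32767
deny ip any any
"""
# Flows a registered phone needs while only the pre-auth ACL is in effect: SCCP and SCCP-TLS
# keepalives to CUCM and RTP media to the gateway (20000 is a sample port in 16384-32767).
REQUIRED_FLOWS = [
    ("tcp", "10.208.5.1", 2000),
    ("tcp", "10.208.5.1", 2443),
    ("udp", "10.208.14.1", 20000),
]

def parse_ace(line):
    """Parse an ACE of the shape used above: <permit|deny> <proto> any [host <ip> [eq p | range lo hi]]."""
    tok = line.split()
    action, proto, dst, ports = tok[0], tok[1], None, (0, 65535)
    if len(tok) > 4 and tok[3] == "host":
        dst = tok[4]
        if len(tok) > 6 and tok[5] == "eq":
            ports = (int(tok[6]), int(tok[6]))
        elif len(tok) > 7 and tok[5] == "range":
            ports = (int(tok[6]), int(tok[7]))
    return action, proto, dst, ports

def evaluate(acl_text, proto, dst_ip, dst_port):
    """First-match evaluation top-down, as IOS does; returns (action, matching ACE)."""
    for line in acl_text.strip().splitlines():
        action, aproto, adst, (lo, hi) = parse_ace(line)
        if aproto in ("ip", proto) and adst in (None, dst_ip) and lo <= dst_port <= hi:
            return action, line
    return "deny", "implicit deny"

def blocked_flows(acl_text, flows=REQUIRED_FLOWS):
    """Required flows the ACL would drop, each with the ACE that drops it."""
    blocked = []
    for proto, ip, port in flows:
        action, ace = evaluate(acl_text, proto, ip, port)
        if action == "deny":
            blocked.append(((proto, ip, port), ace))
    return blocked
```

Run against the reduced ACL, only the RTP flow to the gateway is reported, dropped by "deny ip any any"; adding the gateway RTP entry from the post clears it.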
03-05-2016 03:43 AM
This is the issue; it should be in there. Also, the PC is behind the phone, yes? Both should be in there with state ACTIVE; if they are not, DACLs are not applied to the port, as the switch has no knowledge of what IP address is on the port.
Try debugging device tracking to see if this is the case. Also there are a few options when configuring device tracking you might try:
"ip device tracking probe delay 5" and "ip device tracking use-svi"; if you are running very new switch software, you might also have other newer options.
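A way to automate the check described in this reply, as an added example that is not from the thread or from Cisco: it correlates the session's IP address and MAC from "show authentication sessions interface" with the "show ip device tracking interface" table and explains why a downloaded dACL cannot be bound. The two sample outputs are constructed, modeled on the ones posted earlier in the thread.

```python
import re

# Constructed samples modeled on the thread's outputs: the VOICE session has an IP address and a
# downloaded dACL, but the device-tracking table for the same port has no ACTIVE entry for it.
AUTH_SESSION = """
Interface: GigabitEthernet5/3
MAC Address: 1c1d.862f.2485
IP Address: 10.108.48.13
Domain: VOICE
ACS ACL: xACSACLx-IP-IP-PHONE-TO-CUCM-GATEWAY-56d830e3
"""
DEVICE_TRACKING = """
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
10.208.36.11 c8cb.b80f.3f92 36 GigabitEthernet5/3 INACTIVE
"""
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s+(\d+)\s+(\S+)\s+(\w+)$")

def parse_session(text):
    """'Key: value' fields from 'show authentication sessions interface' output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        fields[key.strip()] = val.strip()
    return fields

def parse_tracking(text):
    """{ip: (mac, vlan, interface, state)} from 'show ip device tracking interface' output."""
    entries = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, mac, vlan, intf, state = m.groups()
            entries[ip] = (mac, int(vlan), intf, state)
    return entries

def dacl_binding_problems(session, tracking):
    """Why a downloaded dACL may not be bound: the switch rewrites the dACL's source to the
    session's IP, so it needs an ACTIVE device-tracking entry for that IP and MAC."""
    if "ACS ACL" not in session:
        return ["no dACL was downloaded for this session"]
    ip, mac = session.get("IP Address"), session.get("MAC Address")
    entry = tracking.get(ip)
    if entry is None:
        return [f"session IP {ip} has no device-tracking entry on {session['Interface']}"]
    if entry[3] != "ACTIVE":
        return [f"device-tracking entry for {ip} is {entry[3]}, not ACTIVE"]
    if entry[0] != mac:
        return [f"device-tracking MAC {entry[0]} does not match session MAC {mac}"]
    return []
```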
03-08-2016 10:47 AM
Dear Jan
Thanks for the reply. I uploaded the Cisco recommended IOS and the issue was solved. Now I can see both the phone as well as the PC.
But before, when I used to execute the command sh authentication sessions int gig 5/3, it appeared as below, but with the latest code 3.6.3 it is not appearing as before.
sh authentication sessions int gig5/3
Interface: GigabitEthernet5/3
MAC Address: 1c1d.862f.2485
IP Address: 10.108.49.13
User-Name: 1C-1D-86-2F-24-85
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-IP-PHONE-TO-CUCM-GATEWAY-56d830e3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AD02F3300005BB7DBA6FB44
Acct Session ID: 0x00005CA4
Handle: 0x7B000C14
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
03-08-2016 01:09 PM
What's not the same?
Try using "details" after the command.
03-10-2016 12:09 PM
+5 for you, thanks for replying.
Regards
Jack