Introduction
This document describes a one-way audio problem seen on IOS-XE routers when the Zone-Based Firewall (ZBF) is used. The problem affects inbound and outbound calls on the router's Foreign eXchange Office (FXO) ports as soon as the ZBF is in place.
This document explains why the problem happens and provides the solution required to make the ZBF allow voice calls to work properly, with bi-directional audio, on the FXO router ports.
Prerequisites
Requirements
Cisco recommends that you have knowledge of Cisco ZBF configuration in IOS-XE routers.
Components Used
The information in this document is based on these software and hardware versions:
- Integrated Services Routers (ISR G2)
- IOS-XE 3S
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem: Troubleshoot One-Way Audio Problems In FXO Ports On IOS-XE Routers When Zone Based Policy Firewall Is Configured
One-way audio is experienced on inbound and outbound calls in routers with FXO ports as soon as the ZBF is configured in the router. Once you remove the ZBF zones from all of the router interfaces, then the one-way audio issue disappears.
Unfortunately, when this issue occurs, the ZBF does not display any syslog message that indicates or confirms why it drops the voice traffic. Even if you try to force the ZBF to log every packet drop with either of these options, you do not see any syslog drop message:
Step 1. You can enable the drop log at the end of each ZBF policy-map within the last class class-default:
policy-map type inspect POLICY_INSIDE_TO_SELF
 class type inspect CMAP_ZBFW_RFC_1918
  pass
 class type inspect CMAP_ZBFW_ALL_PROTOCOLS
  inspect
 class class-default
  drop log
OR
Step 2. You can enable the log dropped-packets within the global ZBF parameter map:
parameter-map type inspect global
 log dropped-packets
You can try to resolve this one-way audio problem by applying the following ZBF configuration changes, but unfortunately, none of them works:
- Configure inspect and pass action rules that allow the voice traffic from the inside to the outside zone.
- Configure inspect and pass action rules that allow the voice traffic from the outside to the inside zone.
- Configure inspect and pass action rules that allow the voice traffic from the outside to the self-zone and vice versa.
- Configure inspect and pass action rules that allow the voice traffic from the inside to the self-zone and vice versa.
- Configure inspect and pass action rules that allow the voice traffic from the inside to the inside zone.
Solution
To prevent the ZBF from dropping the voice traffic related to the FXO router ports, assign all of the router's service-engine interfaces that are in the Status/Protocol UP state to the INSIDE ZBF zone:
interface Service-Engine0/1/0
 zone-member security INSIDE
interface Service-Engine0/2/0
 zone-member security INSIDE
Once the service-engine interfaces in the UP status/protocol state are assigned to the INSIDE zone, the one-way audio problem through the ZBF is resolved.
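One way to find the interfaces this fix applies to, as an added example that is not part of the original document: the Python script below parses `show ip interface brief` and `show zone security` output and emits the `zone-member security` lines for every Service-Engine interface that is up/up but not yet in a zone. The sample outputs are constructed (Service-Engine0/3/0 is hypothetical), and the function names are this example's own.

```python
import re

# Constructed sample outputs modelled on router R1 in this document, taken
# before the fix. Service-Engine0/3/0 (down/down) is a hypothetical extra port.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   64.100.0.10     YES NVRAM  up                    up
GigabitEthernet0/0/1   192.168.10.1    YES NVRAM  up                    up
GigabitEthernet0/0/2   unassigned      YES NVRAM  administratively down down
Service-Engine0/1/0    unassigned      YES NVRAM  up                    up
Service-Engine0/2/0    unassigned      YES unset  up                    up
Service-Engine0/3/0    unassigned      YES unset  down                  down
"""
SHOW_ZONE_SECURITY = """\
zone self
  Description: System defined zone
zone ZONE_INSIDE
  Member Interfaces:
    GigabitEthernet0/0/1
zone ZONE_OUTSIDE
  Member Interfaces:
    GigabitEthernet0/0/0
"""
ROW = re.compile(r"(Service-Engine\S+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s+(\S+)\s*$")

def up_service_engines(brief):
    """Service-Engine interfaces whose Status and Protocol are both 'up'."""
    rows = (ROW.match(line) for line in brief.splitlines())
    return [m.group(1) for m in rows if m and m.group(2, 3) == ("up", "up")]

def zone_members(zones):
    """Map interface name -> zone name from 'show zone security' output."""
    members, current = {}, None
    for text in (line.strip() for line in zones.splitlines()):
        if text.startswith("zone "):
            current = text.split(None, 1)[1]
        elif current and text and not text.startswith(("Description", "Member")):
            members[text] = current
    return members

def remediation(brief, zones, inside_zone):
    """Config lines that put unzoned, up/up Service-Engine ports in inside_zone."""
    zoned = zone_members(zones)
    lines = []
    for intf in up_service_engines(brief):
        if intf not in zoned:
            lines += [f"interface {intf}", f" zone-member security {inside_zone}"]
    return lines

if __name__ == "__main__":
    print("\n".join(remediation(SHOW_IP_INT_BRIEF, SHOW_ZONE_SECURITY, "ZONE_INSIDE")))
```

An empty result means every up/up Service-Engine interface is already a zone member, which is the state shown in the `show zone security` output of the examples that follow.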
Example 1
In this IOS-XE ZBF implementation, one-way audio issues were confirmed for inbound and outbound phone calls from the LAN network to the PSTN. After the service-engine interfaces in the UP state were assigned to the ZONE_INSIDE zone, the one-way audio issue was resolved:
R1#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   64.100.0.10     YES NVRAM  up                    up
GigabitEthernet0/0/1   unassigned      YES NVRAM  up                    up
Gi0/0/1                192.168.10.1    YES NVRAM  up                    up
GigabitEthernet0/0/2   unassigned      YES NVRAM  administratively down down
Service-Engine0/1/0    unassigned      YES NVRAM  up                    up
Service-Engine0/2/0    unassigned      YES unset  up                    up
Vlan1                  unassigned      YES unset  administratively down down
interface Service-Engine0/1/0
 zone-member security ZONE_INSIDE
interface Service-Engine0/2/0
 zone-member security ZONE_INSIDE
R1# show zone security
zone self
  Description: System defined zone
zone ZONE_INSIDE
  Member Interfaces:
    GigabitEthernet0/0/1
    Service-Engine0/1/0
    Service-Engine0/2/0
zone ZONE_OUTSIDE
  Member Interfaces:
    GigabitEthernet0/0/0
Example 2
In this IOS-XE ZBF implementation, one-way audio issues were confirmed for inbound and outbound phone calls from the LAN network to the PSTN. After the service-engine interfaces in the UP state were assigned to the Trusted zone, the one-way audio issue was resolved:
R2# show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   172.16.1.1      YES NVRAM  up                    up
Gi0/0/1                64.100.0.10     YES NVRAM  up                    up
Service-Engine0/1/0    unassigned      YES unset  up                    up
Service-Engine0/4/0    unassigned      YES unset  up                    up
GigabitEthernet0       unassigned      YES NVRAM  administratively down down
Loopback0              unassigned      YES unset  up                    up
Vlan1                  unassigned      YES unset  administratively down down
interface Service-Engine0/1/0
 zone-member security Trusted
interface Service-Engine0/4/0
 zone-member security Trusted
R2#show zone security
zone self
  Description: System defined zone
zone Trusted
  Member Interfaces:
    GigabitEthernet0/0/0
    Service-Engine0/1/0
    Service-Engine0/4/0
zone Untrusted
  Member Interfaces:
    Gi0/0/1
Related Bugs
CSCuu86175 CUBE on XE based platforms: Calls may fail with ZBFW Enabled
CSCuh55237 DOC : ASR doc should reflect 'ZBFW not interoperable with CUBE-SP'