We're facing a very strange issue with multiple organizations, different customers, different MX models.
Starting from Friday 25/5/2018, all customers who have Cisco Call Manager (different versions), which have the Call Manager in a city other than Riyadh and use Cisco Meraki MX for VPN connectivity, suddenly lost the ability for the Cisco IP Phones to register to the Call Manager from Riyadh City in Saudi Arabia.
The ISPs are different, different connection methods (fiber/DSL), different MX models, same firmware of MX with other branches that are located in Saudi Arabia (other branches are working perfectly fine).
The only two common things are:
1) All clients (organizations) have Meraki MX to connect their branches together as VPN.
2) This issue is happening only in Riyadh City in Saudi Arabia
(again, different ISPs and different connection methods)
Has anyone faced this issue? Can anyone guess what could be the reason?
Is this all to the same Call Manager?
Is it using the same back haul provider? For example, in my country we had an issue with users web browsing in half of one of our islands last week. Turns out one of the back haul providers had upgraded a piece of infrastructure, and changed from one vendor to another.
The net result was the MTU was reduced - and this affected every ISP and service provider using this back haul provider.
Traffic to tcp/5060 is being blocked - probably by a firewall.
The phone sends a SYN. Call manager sends a SYN ACK back. The phone should transmit an ACK back - but it never does. This suggests that the phone never got the SYN ACK - or the ACK response was filtered.
My guess is the phone never got the SYN ACK - because something between the packet capture point and the phone blocked it.
From here you could try changing the configuration to not use tcp/5060, change to using a 100% encrypted connection, or do more packet captures to isolate the point where the SYN ACK goes "missing".
When I Google "Riyadh blocking SIP" I see Saudi Arabia has a habit of blocking SIP traffic.
I would look at converting everything to run over encrypted channels (such as Meraki AutoVPN) - or stop using port 5060.
BTW, from the Meraki dashboard, the SIP traffic (5060) seems to reach from Riyadh to HQ in Jeddah as per below.
Am I missing something?
I think the Meraki portal is showing the SYN part of the conversation - but the traffic capture definitely shows tcp/5060 was not completing its setup. Something was preventing the TCP connection from forming (probably a firewall).
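
Added example (not part of any post in this thread): a small Python triage of the handshake pattern discussed above, run over packet records exported from a capture taken near the Call Manager. The tuple format, the addresses and the verdict names are assumptions made for this sketch, and the retransmission rule is a heuristic: a phone that keeps resending its SYN never received the SYN ACK, while a server that keeps resending the SYN ACK with no repeated SYN points to the phone's ACK being dropped on the way back.

```python
from collections import defaultdict

SIP_PORT = 5060

# Constructed sample: (time_s, src, sport, dst, dport, flags) as seen at a
# capture point next to the Call Manager. Addresses are documentation ranges.
CONSTRUCTED_CAPTURE = [
    (0.00, "192.0.2.10", 49152, "198.51.100.5", 5060, "S"),
    (0.04, "198.51.100.5", 5060, "192.0.2.10", 49152, "SA"),
    (1.00, "192.0.2.10", 49152, "198.51.100.5", 5060, "S"),   # SYN retransmit
    (1.04, "198.51.100.5", 5060, "192.0.2.10", 49152, "SA"),
    (3.00, "192.0.2.10", 49152, "198.51.100.5", 5060, "S"),   # SYN retransmit
    (0.10, "192.0.2.20", 49200, "198.51.100.5", 5060, "S"),
    (0.14, "198.51.100.5", 5060, "192.0.2.20", 49200, "SA"),
    (0.18, "192.0.2.20", 49200, "198.51.100.5", 5060, "A"),   # handshake completes
    (0.30, "192.0.2.30", 49300, "198.51.100.5", 5060, "S"),
    (0.34, "198.51.100.5", 5060, "192.0.2.30", 49300, "SA"),
    (1.34, "198.51.100.5", 5060, "192.0.2.30", 49300, "SA"),  # SYN-ACK retransmit
]

def classify_handshakes(packets, port=SIP_PORT):
    """Return {(client, client_port, server): verdict} for flows to `port`."""
    flows = defaultdict(lambda: {"S": 0, "SA": 0, "A": 0})
    for _time, src, sport, dst, dport, flags in packets:
        if dport == port and flags in ("S", "A"):
            flows[(src, sport, dst)][flags] += 1       # client -> server
        elif sport == port and flags == "SA":
            flows[(dst, dport, src)]["SA"] += 1        # server -> client
    verdicts = {}
    for key, seen in flows.items():
        if seen["S"] and seen["SA"] and seen["A"]:
            verdicts[key] = "complete"
        elif seen["S"] and not seen["SA"]:
            # Server never answered at the capture point.
            verdicts[key] = "no-synack"
        elif seen["S"] > 1:
            # Client still in SYN_SENT: the SYN-ACK did not reach it.
            verdicts[key] = "synack-lost-toward-client"
        elif seen["SA"] > 1:
            # Client stopped retrying but the server never saw its ACK.
            verdicts[key] = "ack-lost-toward-server"
        else:
            verdicts[key] = "undetermined"             # capture too short
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify_handshakes(CONSTRUCTED_CAPTURE).items():
        print(flow, verdict)
```

Running the same classification on captures taken at each hop (branch MX, HQ MX, Call Manager) shows at which point the verdict changes, which is where the SYN ACK goes missing.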