Z3 pings some external sites, not others

MacAodha
Comes here often

I have a Z3 device, local ISP is Spectrum cable.  I've discovered that I cannot ping certain public hosts.  For example, I can ping google.com, but not voip.ms.  I can ping just fine from a corporate laptop over a VPN tunnel, or if I bypass the Z3 and connect a laptop to the cable modem directly.  However, to certain hosts the ping fails, whether I am on a non-VPN device behind the Z3, or using the ping utility on the Z3 itself.

 

For some reason I'm getting one-way audio on my SIP trunk.  Inbound packets come in fine, but on the outbound leg (from a device on my local network to a remote number) the RTP stream does not seem to be getting out.

 

Oh, by the way I have an MX device located in another country with a different ISP and I can ping from there with no problem at all.

 

My hope is that these failed pings might be a symptom of whatever is affecting communication with the outside world.  Other protocols (e.g. web pages) seem to work fine, even to the same hosts where pings are failing.  Thanks!

MacAodha
Comes here often

.....

PhilipDAth
Kind of a big deal

Firewall rules on the Z3?

 

If you click on a client trying to use VoIP, does it show any policies or rules applied in the bottom left-hand corner?

 

[Image: PhilipDAth_0-1620163937428.png]

 

MacAodha
Comes here often

I have everything left at default:

[Image: MacAodha_0-1620175732158.png]

 

PhilipDAth
Kind of a big deal

If you "whitelist" the device trying to do VoIP does it start working?

MacAodha
Comes here often

@PhilipDAth my understanding from below is that everything is whitelisted, correct?

[Image: MacAodha_0-1620175875095.png]

 

PhilipDAth
Kind of a big deal

That doesn't show the policy assigned to a client.  You need to go into Network-Wide/Clients, click on the client, and look in the bottom left hand corner (like my screenshot).

 

You can also follow this guide to "whitelist" or apply "allow" to override everything for the client to make sure it is not a restriction.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Block_Listing_and_All... 

Inderdeep
Kind of a big deal

@MacAodha: Check if the link below helps.

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/VoIP_on_Cisco_Mera...

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
MacAodha
Comes here often

Hi @Inderdeep - Since this is a simple home network, I haven't bothered with configuring multiple VLANs, and I have just the one uplink.  Things like traffic shaping have never been necessary in the past, and it seems like the failed ping tests are indicative of something that needs to be taken care of before worrying about prioritizing packets.  That said, I do have traffic shaping set to the default for this device:

[Image: MacAodha_0-1620176324452.png]

 

I did try disabling traffic shaping altogether with no change.

Inderdeep
Kind of a big deal

@MacAodha: Can you do the packet capture, please?

 

Regards/Inder
PhilipDAth
Kind of a big deal

Are you running any security software on your device that could be blocking the traffic, such as a third party software firewall?

MacAodha
Comes here often

@PhilipDAth I'm getting similar results from multiple Windows hosts on my network as well as the Cisco router that I'm using as a voice gateway/CUBE.  It's not set up to do any routing of its own other than communicating with the network switch via a GigabitEthernet interface.  To rule out weird behavior from whatever security stuff is running on the Windows servers, let's just look at what we see on the CUBE.  Thanks for pointing out the device policy; here's what I have for the CUBE:

[Image: MacAodha_0-1620177033407.png]

Here are three ping tests from that device - one to an internal host, 100% successful, one to Google's DNS server 8.8.8.8, which seems to be dropping every other ping (from Windows hosts none of those pings are dropped) and one to voip.ms, the service I'm using, where all pings are dropped (same thing happens from Windows hosts):

[Image: MacAodha_1-1620177228879.png]

 

 

Inderdeep
Kind of a big deal

@MacAodha: Check this video; it will surely help you out.

https://www.youtube.com/watch?v=G57e4oQsHaw

 

Regards/Inder
MacAodha
Comes here often

@Inderdeep Thanks, I'll give that a try!  Actually, one of his suggestions (setting up the VoIP provider host connectivity test) was something that I thought of and tried, and now the chart is showing 100% loss for that IP address 😞

Bruce
Kind of a big deal

One-way audio can often be a symptom of asymmetric routing. e.g. audio towards you is working via your VPN from the one device, but your reverse audio is not taking the same path and is being dropped/blocked by a firewall because of that.

MacAodha
Comes here often

@Bruce I hear ya, but what seems counterintuitive to me is that the packets get in past the NAT firewall from the outside, but the audio from my network out to the PSTN isn't getting there.

But what really has me baffled is how I can connect a laptop to my cable modem and everything pings fine.  If I then connect my Z3 to that same cable modem, wait for it to sync up, then ping from the appliance itself, it works to some addresses and not to others.  Meanwhile almost everything else works fine; I even managed to get this message out.

Bruce
Kind of a big deal

Are you doing a full tunnel or split tunnel from the Z3 back to the MX? What routes are being installed into the Z3 routing table for the VPN? (Security & SD-WAN -> Route table)

MacAodha
Comes here often

@Bruce No tunnel at all between the Z3 and the MX.  I only mentioned the MX to say that a similar device in a different location can successfully ping these hosts that for some reason the Z3 can't.  For now, all I want the Z3 to do is pretend that it can do no more and no less than an off-the-shelf combo router/WAP/4-port switch.

PhilipDAth
Kind of a big deal

Are you able to plug directly into the Spectrum ISP router and see if the same issue happens?

MacAodha
Comes here often

@PhilipDAth If I plug a laptop directly into the Spectrum cable modem I can ping everything with no problem.  With the Z3's WAN port plugged into that same modem, we see the dropped pings.  I can access web pages via http under the same conditions so I'm really baffled why we see http traffic working with no problem but ICMP fails to the exact same IP addresses.
