I have a Z3 device, local ISP is Spectrum cable. I've discovered that I cannot ping certain public hosts. For example, I can ping google.com, but not voip.ms. I can ping just fine from a corporate laptop over a VPN tunnel, or if I bypass the Z3 and connect a laptop to the cable modem directly. However, to certain hosts the ping fails, whether I am on a non-VPN device behind the Z3, or using the ping utility on the Z3 itself.
For some reason I'm getting one-way audio on my SIP trunk. Inbound packets come in fine, but on the outbound leg (from a device on my local network to a remote number) the RTP stream does not seem to be getting out.
Oh, by the way, I have an MX device located in another country with a different ISP and I can ping from there with no problem at all.
My hope is that these failed pings might be a symptom of whatever is affecting communication with the outside world. Other protocols (e.g. web pages) seem to work fine, even to the same hosts where pings are failing. Thanks!
Firewall rules on the Z3?
If you click on a client trying to use VoIP, does it show any policies or rules applied in the bottom left-hand corner?
@MacAodha: Check if the link below helps
That doesn't show the policy assigned to a client. You need to go into Network-Wide/Clients, click on the client, and look in the bottom left-hand corner (like my screenshot).
You can also follow this guide to "whitelist" or apply "allow" to override everything for the client to make sure it is not a restriction.
Hi @Inderdeep - Since this is a simple home network, I haven't bothered with configuring multiple VLANs, and I have just the one uplink. Things like traffic shaping have never been necessary in the past, and it seems like the failed ping tests are indicative of something that needs to be taken care of before worrying about prioritizing packets. That said, I do have traffic shaping set to the default for this device:
I did try disabling traffic shaping altogether with no change.
@PhilipDAth I'm getting similar results from multiple Windows hosts on my network as well as the Cisco router that I'm using as a voice gateway/CUBE. It's not set up to do any routing of its own other than communicating with the network switch via a GigabitEthernet interface. To rule out weird behavior from whatever security stuff is running on the Windows servers, let's just look at what we see on the CUBE. Thanks for pointing out the device policy; here's what I have for the CUBE:
Here are three ping tests from that device - one to an internal host, 100% successful, one to Google's DNS server 188.8.131.52, which seems to be dropping every other ping (from Windows hosts none of those pings are dropped) and one to voip.ms, the service I'm using, where all pings are dropped (same thing happens from Windows hosts):
@PhilipDAth If I plug a laptop directly into the Spectrum cable modem I can ping everything with no problem. With the Z3's WAN port plugged into that same modem, we see the dropped pings. I can access web pages via http under the same conditions so I'm really baffled why we see http traffic working with no problem but ICMP fails to the exact same IP addresses.
@Inderdeep Thanks, I'll give that a try! Actually, one of his suggestions (setting up the VoIP provider host connectivity test) was something that I thought of and tried, and now the chart is showing 100% loss for that IP address 😞
One-way audio can often be a symptom of asymmetric routing. e.g. audio towards you is working via your VPN from the one device, but your reverse audio is not taking the same path and is being dropped/blocked by a firewall because of that.
@Bruce I hear ya, but what seems counterintuitive to me is that the packets get in past the NAT firewall from the outside, but the audio from my network out to the PSTN isn't getting there.
But what really has me baffled is how I can connect a laptop to my cable modem and everything pings fine. If I then connect my Z3 to that same cable modem, wait for it to sync up, then ping from the appliance itself, it works to some addresses and not to others. Meanwhile almost everything else works fine; I even managed to get this message out.
Are you doing a full tunnel or split tunnel from the Z3 back to the MX? What routes are being installed into the Z3 routing table for the VPN? (Security & SD-WAN -> Route table)
@Bruce No tunnel at all between the Z3 and the MX. I only mentioned the MX to say that a similar device in a different location can successfully ping these hosts that for some reason the Z3 can't. For now, all I want the Z3 to do is pretend that it can do no more and no less than an off-the-shelf combo router/WAP/4-port switch.