Forum Discussion

Eric_Brander_27
Oct 28, 2011

Communication between two VPN users

Is there a way to allow direct communication between two VPN users?

I need this to allow VoIP CIPC (Cisco IP Communicator) phones to talk directly to each other while connected to the FirePass. Right now, when a VPN user using CIPC calls another user who is also on VPN and using CIPC, the call connects (the Call Manager handles the session connection) but the RTP packets sent directly from one phone to the other don't make it, so only silence is heard by both parties.

Any suggestions would be appreciated.

Eric
  • I'm not sure if this is the same situation I ran into or not, but I was trying to allow two different VPN users (on two different VPNs/VIPs) to communicate. I ended up disabling the vlankeyed option and it allowed me to function correctly. I know there is a way to do it in the GUI, I just can't remember where it was, but here is the CLI:

    "F5 VLAN Traffic override"

    b db Connection.VlanKeyed disable
  • Posted By Mike on 10/28/2011 10:57 AM

    Can you perform a trace on the end-point and on the Firepass?

    Mike, I'm not sure what you mean here. A packet capture? The packet captures I've done are inconclusive because they are encrypted traffic between the client and the FirePass. I can't see anything past that.

    I tried to find info on the VlanKeyed setting but came up short. I don't want to make a setting change like that without knowing the implications. Also, I'd like to allow only specific communications from one VPN client to another so that I limit the risk of trojan/worm activity spreading to other VPN users.

     

  • It seems the major change when you disable the VLAN keying is that it will allow for asymmetric traffic. The system won't drop traffic that left on one VLAN and came back on a different VLAN.

    At least that is how I understand it... if one could call that an understanding...

    -----

    Warning: This message was sent pre-coffee. The sender does not bear responsibility for any rants/raves/ramblings.

    Josh
  • Josh is correct on what it does; if you have a test environment, of course I would suggest running it there. In my environment, though, I only have one VLAN, and both of my VPNs terminate at VIPs that are on the same subnet, but to get clients to bridge between the two VPNs I had to stop the F5 from dropping the packets.

    I think it actually comes down to the F5 having a hidden VLAN it uses for routing across the TMM (I forget the name), and when traffic would try to go across that from two different sources (the VIPs) the F5 would think that traffic was bad and dropped my traffic.

    Not exactly sure that makes sense to anyone else. =/
  • Umm, if you are looking to allow only certain types of traffic, you could specify that in an ACL at the end of your APM design, similar to where you specify the network access resource.
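The restriction Eric is after (let CIPC media flow between VPN clients, but nothing else client-to-client, so one compromised peer cannot spread to the others) is easiest to reason about as an ordered, first-match ACL with an implicit deny, which is how an APM ACL is read. The evaluator below is an added example written for this thread, not F5 code or configuration; the VPN pool, Call Manager address and RTP port range are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not from the thread):
VPN_POOL = ip_network("10.99.0.0/24")      # hypothetical Network Access lease pool
CALL_MANAGER = ip_address("10.1.1.10")     # hypothetical Call Manager address
RTP_PORTS = range(16384, 32768)            # assumed CIPC media port range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def client_to_client(flow: Flow) -> bool:
    """True when both endpoints are VPN clients (the hairpin case in the thread)."""
    return ip_address(flow.src) in VPN_POOL and ip_address(flow.dst) in VPN_POOL


def evaluate(flow: Flow) -> str:
    """Top-down, first-match ACL; anything not matched is denied."""
    # 1. Call signalling from any client to the Call Manager (SCCP 2000, SIP 5060).
    if ip_address(flow.dst) == CALL_MANAGER and flow.dport in (2000, 5060):
        return "allow"
    # 2. Media between two VPN clients: only UDP in the RTP range is permitted.
    if client_to_client(flow) and flow.proto == "udp" and flow.dport in RTP_PORTS:
        return "allow"
    # 3. Every other client-to-client flow (SMB, RDP, ...) is denied so that a
    #    worm on one VPN user cannot reach the others.
    if client_to_client(flow):
        return "deny"
    # 4. Client-to-corporate traffic is outside this example; treat it as deny.
    return "deny"


def audit(flows: list[Flow]) -> dict[str, int]:
    """Count verdicts over a batch of flows, e.g. from a decrypted capture."""
    counts = {"allow": 0, "deny": 0}
    for f in flows:
        counts[evaluate(f)] += 1
    return counts
```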
  • Posted By Eric Brander on 12/06/2011 09:30 AM

    Posted By Mike on 10/28/2011 10:57 AM

    Can you perform a trace on the end-point and on the Firepass?

    Mike, I'm not sure what you mean here. A packet capture? The packet captures I've done are inconclusive because they are encrypted traffic between the client and the FirePass. I can't see anything past that.

    I tried to find info on the VlanKeyed setting but came up short. I don't want to make a setting change like that without knowing the implications. Also, I'd like to allow only specific communications from one VPN client to another so that I limit the risk of trojan/worm activity spreading to other VPN users.

    Actually, not really. If you have the private key, you can decrypt the traffic. I do it all the time.