
Issue Description
The customer uses a USG2210 and a USG2110 as network gateways, and the service is VoIP telephony. The problem is one-way audio: the person at HQ can hear the branch, but the branch can't hear HQ.

Handling Process
(1) Check the basic route configuration. I used the “ping” command to test the network route and found that the network is normal.
(2) Check whether the VoIP service uses a multicenter protocol, and check the USG configuration. After analyzing the configuration of the two firewalls, I found that there isn’t any NAT configuration, so the NAT ALG feature doesn’t need to be configured.
(3) After the above analysis and checks, I found that the route and NAT ALG configuration is correct. I then wondered whether some VoIP data packets were being dropped by the firewalls, so I asked the customer to help me with a test call while collecting the firewall sessions on the 2 devices. After analyzing the sessions, I found that the data packets are forwarded by the firewalls and there are no packet drops. Some of the sessions follow:
Branch firewall sessions:
[Gribbles-pen]display firewall session table verbose high-priority global 10.29.32.100
udp,
10.29.32.100:21009<--x.29.18.95:21015
trust<--untrust, Receive interface: Tunnel1
Send interface: Vlanif10, Next-hop: 10.29.32.100
tag: 0x1080, State: 0x58, ttl: 00:02:00 left: 00:01:59 VpnId:0
InTotalPkt:8, InTotalByt:948, OutTotalPkt:8, OutTotalByt:
udp,
10.29.32.100:21008-->x.29.18.95:21014
trust-->untrust, Receive interface: Vlanif10
Send interface: Tunnel1, Next-hop: 172.29.18.95
tag: 0x11080, State: 0x58, ttl: 00:02:00 left: 00:02:00 VpnId:0
InTotalPkt:855, InTotalByt:68400, OutTotalPkt:863, OutTotalByt:69040
HQ firewall session:
[Gribble-Tecna-HQ]display firewall session table verbose destination global x.29.18.95
12:11:09 2013/11/27
Current Total Sessions : 3
udp VPN:public --> public
Zone: untrust--> trust TTL: 00:02:00 Left: 00:01:59
Interface: Vlanif21 NextHop: 1.1.1.2 MAC: 00-24-a8-3a-cb-00
<--packets:476 bytes:38192 -->packets:477 bytes:38188
10.29.32.100:21008-->x.29.18.95:21014
[Gribble-Tecna-HQ]display firewall session table verbose destination global 10.29.32.100
12:11:58 2013/11/27
Current Total Sessions : 3
udp VPN:public --> public
Zone: trust--> untrust TTL: 00:02:00 Left: 00:01:58
Interface: Tunnel11 NextHop: 10.29.32.100 MAC: 00-00-00-00-00-00
<--packets:14 bytes:1616 -->packets:16 bytes:1896
x.29.18.95:21015-->10.29.32.100:21009
(4) According to the above VoIP sessions collected from the 2 firewalls, during the test call the count of data packets from the branch phone to the HQ phone is much larger than the count from the HQ phone to the branch phone. And for a given session on the 2 firewalls, the data packet counts are nearly the same. So the firewalls don’t drop any packets.
According to the above analysis, the root cause may be that the HQ phone has a problem and therefore sends only a few packets to the branch phone, so the branch side can’t hear the HQ voice.
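The counter comparison in step (4), as an added example that is not part of the original case write-up: it parses the flow and packet-counter lines copied from the session output above, checks that each session's two counters agree, and reports which direction of the call carries far fewer packets. The function names and the 0.2 and 10x thresholds are assumptions made for this illustration, and the two counters on each session are treated as a received/forwarded pair, as the case does.

```python
import re

# Flow and counter lines copied from the session output on this page.
BRANCH = """\
10.29.32.100:21009<--x.29.18.95:21015
InTotalPkt:8, InTotalByt:948, OutTotalPkt:8, OutTotalByt:
10.29.32.100:21008-->x.29.18.95:21014
InTotalPkt:855, InTotalByt:68400, OutTotalPkt:863, OutTotalByt:69040
"""
HQ = """\
<--packets:476 bytes:38192 -->packets:477 bytes:38188
10.29.32.100:21008-->x.29.18.95:21014
<--packets:14 bytes:1616 -->packets:16 bytes:1896
x.29.18.95:21015-->10.29.32.100:21009
"""

FLOW = re.compile(r"^(\S+:\d+)(<--|-->)(\S+:\d+)$")
COUNTERS = (re.compile(r"InTotalPkt:(\d+).*OutTotalPkt:(\d+)"),   # branch format
            re.compile(r"<--packets:(\d+).*-->packets:(\d+)"))    # HQ format

def parse(text):
    """Return {(src, dst): (counter_a, counter_b)}, one entry per session."""
    flows, counts = [], []
    for line in map(str.strip, text.splitlines()):
        m = FLOW.match(line)
        if m:  # normalise "a<--b" to (b, a) so the key is always (sender, receiver)
            a, arrow, b = m.groups()
            flows.append((a, b) if arrow == "-->" else (b, a))
        for rx in COUNTERS:
            c = rx.search(line)
            if c:
                counts.append((int(c[1]), int(c[2])))
    return dict(zip(flows, counts))  # pairs by order; works for either line order

def unbalanced(sessions, tolerance=0.2):
    """Sessions whose two counters differ by more than `tolerance` (assumed threshold)."""
    return [f for f, (a, b) in sessions.items() if abs(a - b) > tolerance * max(a, b, 1)]

def quiet_direction(sessions, ratio=10):
    """(sender_host, receiver_host) carrying under 1/ratio of the reverse direction, or None."""
    per_dir = {}
    for (src, dst), (a, b) in sessions.items():
        key = (src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0])
        per_dir[key] = per_dir.get(key, 0) + max(a, b)
    for (s, d), n in per_dir.items():
        if n * ratio < per_dir.get((d, s), 0):
            return (s, d)
    return None
```

On both excerpts `unbalanced` returns an empty list and `quiet_direction` returns the HQ-to-branch direction, which matches the conclusion that the firewalls forward what they receive and the HQ phone is sending very little.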

Root Cause
Given the symptom, at the network layer the following reasons may cause the issue:
(1) The route from HQ to the branch is incorrect; in particular, the VoIP service may use a multicenter protocol, so it is possible that some routes are missing;
(2) The NAT feature may be used on the firewall while the NAT ALG feature isn't enabled.

Suggestions
Solution:
According to the customer's feedback, the root cause is that the HQ phone is broken; the customer is going to replace or repair it. The issue is not related to the firewall device.
Suggestions:
The firewall is an intermediate network device. Under complex service conditions, we need to understand the features and principles of the service; this will help us solve the issue.