question

2 Votes
SydneyMarihoho-9571 asked GarySmith-1402 commented

What would cause MS Teams calls to drop after about 10 seconds when originated from Remote VPN to LAN?

• The caller must be on the VPN (Remote Access Service)
• The called party must be on a site LAN (but it can be any Company site)
• The call will work perfectly until 10 seconds and then will end / be torn down

office-teams-windows-itpro

We have noticed that all of a sudden, inbound "from DirectAccess to guy on LAN" calls are working. This started in the last few days. I'm hesitant to trust that this is permanently fixed BUT initial testing suggests the thing that changed was an upgrade to Windows 10 21H1.

At the moment it looks like it requires the guy on the internal LAN to be on 21H1, whereas the guy on the DirectAccess VPN (using force tunnel) can still be on 20H2, and it'll connect an inbound call.

In other words:
20H2 on DirectAccess --> 21H1 on LAN works
21H1 on DirectAccess --> 21H1 on LAN works
20H2 on DirectAccess --> 20H2 on LAN still doesn't work

Since it's an enablement package we're cracking on with upgrades and I will report back if this behaves itself over the coming days, and when I get additional people upgraded and see if the pattern holds. Fingers crossed, but I won't get my hopes up :-)

0 Votes 0 ·

Thanks RonanFahy for the information, please keep us posted if this could be the solution. In the meantime I will find out from our IT team if we have anyone with Windows 10 21H1 to test that as well.

Regards

Sydney

0 Votes 0 ·

So the 21H1 thing was a false alarm, sorry, but we have, we think, solved it.
We spotted that our proxy was blocking some traffic that wasn't obviously teams related.

At the moment where the "receiver" inside the network clicks the button to accept the incoming call, Teams tries to connect out to an IP address rather than to a hostname, which is awful practice of course. Those IP addresses (in our case we're seeing things like https://52.113.201.115 and https://52.113.201.169) were being blocked as failing the SSL inspection - the certificate common names didn't match the host name, again, terrible practice Microsoft. We had to bypass SSL inspection for that entire range along with other identified ones, before it would work. I don't like doing that, as we can only trust that nothing else runs on the same IPs, but who has a choice.

Ranges used were:
52.112.0.0/14
13.107.64.0/18
52.238.119.141
52.244.160.207
52.120.0.0/14

We use a proxy that can subscribe to managed lists so these were referred to as "Lync Online IPv4 Ranges" so some are probably related to old Lync / SfB rather than Teams, but it worked.

0 Votes 0 ·
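To scope an SSL-inspection bypass like the one described in the comment above, this added example (not part of the original thread) sorts blocked requests to bare IP addresses by which of the quoted ranges covers them, and lists any that none covers. The log format, field names and sample lines are constructed assumptions; adapt the regex to your proxy's export.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges quoted in the comment above ("Lync Online IPv4 Ranges").
BYPASS_RANGES = [ipaddress.ip_network(n) for n in (
    "52.112.0.0/14", "13.107.64.0/18", "52.238.119.141",
    "52.244.160.207", "52.120.0.0/14")]

# Constructed proxy log lines; the key=value layout is hypothetical.
SAMPLE_LOG = """\
2021-06-01T09:14:02 action=blocked reason=cert_name_mismatch url=https://52.113.201.115/
2021-06-01T09:14:03 action=blocked reason=cert_name_mismatch url=https://52.113.201.169/
2021-06-01T09:15:40 action=blocked reason=cert_name_mismatch url=https://203.0.113.7/
2021-06-01T09:16:11 action=allowed reason=- url=https://teams.microsoft.com/
2021-06-01T09:17:30 action=blocked reason=cert_name_mismatch url=https://52.123.4.5:443/x
"""

LINE_RE = re.compile(r"action=(?P<action>\S+).*?url=(?P<url>\S+)")


def triage(log_text, ranges=BYPASS_RANGES):
    """Return (covered, uncovered) for blocked requests to IP-literal hosts.

    covered maps each bypass range to the blocked IPs inside it;
    uncovered lists blocked IPs that no bypass range contains.
    """
    covered, uncovered = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action") != "blocked":
            continue
        host = urlsplit(m.group("url")).hostname
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal: out of scope here
        net = next((n for n in ranges if ip in n), None)
        if net is None:
            uncovered.append(str(ip))
        else:
            covered.setdefault(str(net), set()).add(str(ip))
    return covered, uncovered


if __name__ == "__main__":
    hit, miss = triage(SAMPLE_LOG)
    print("covered by bypass ranges:", hit)
    print("blocked, outside every range:", miss)
```

Ranges that never appear in `covered` over a representative log window are candidates for leaving under inspection rather than bypassing.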

We have the exact same problem today. Unsure if long outstanding or not.

Anyone managed to find a fix? We don't allow split tunnelling.

The one thing we noticed that works from VPN client to HQ (Behind an ASA) is meetings. These load fine.

It's only affecting Teams calls/video directly.

0 Votes 0 ·
0 Votes
lucavitali answered

Hi,
Please check the routing between the client in VPN and the client in LAN.
In a point-to-point call between two Teams clients, the two clients will try to establish a direct media flow between them.
If something in the middle (routing, firewall etc.) blocks this UDP traffic, the call will drop after 10 sec.

Best
Luca

2 Votes
SydneyMarihoho-9571 answered

Hi Luca, thanks for the reply to my question, but the puzzle is the call will get established for the first 10 secs and then drops, so I'm failing to understand how the firewall/router would have allowed the traffic in the first place if it then drops it away immediately?

0 Votes
lucavitali answered lucavitali edited

Hi,
I understand your doubts.
I've seen fw that do not drop UDP packets immediately...
Anyway:
- Is it possible to monitor the VPN connection? Do you see any packet drops?
- If the Teams client outside (not in LAN) is NOT connected via VPN, will the call between the Teams client outside and the one inside work?

Thank you. Best. Luca



0 Votes
SydneyMarihoho-9571 answered

I did monitor the traffic on the firewall during a live troubleshooting session and I could not see the drop of traffic; the logs would just stop when the call dropped.

Yes when the call is established without that VPN the Teams call works fine. Maybe I need to drill a bit more into the specific VPN tunnel in question.

Thanks for your help.

Sydney

0 Votes
lucavitali answered

Hi,
I suggest taking PCAP traces directly on the two Teams clients with Wireshark; this should help you to find the issue.
I'll thank you if you will update this thread.
Thanks
Luca

0 Votes
adamdotexe-4812 answered

We have the exact same issue happening at the moment - if the caller is on the VPN and the recipient is on the local LAN the call starts and drops about 10 seconds later. Calls from VPN to VPN are fine, and calls from the local LAN to the VPN are fine. Both network segments share the same firewall and inspection rules and traffic flow is identical other than the caller being on a different part of the network.

Packet captures show no drops, just a complete stop in communication. As far as we're aware this has only started happening recently, from early July onwards, but that could be a coincidence given COVID-19 has changed how we're working.

Our workaround has (annoyingly) been to switch to a split tunnel VPN configuration and bypass all Microsoft services from traversing the tunnel, which isn't ideal.

We're using Cisco AnyConnect and Firepower IDS/IPS.

0 Votes
crescentwire answered

We also have this exact same issue. Cisco ASA with AnyConnect 4.8. When users on VPN call folks on the LAN (traversing the firewall), the call will establish with audio only (video never loads) for about 10 seconds, and then drop. The issue does seem to be intermittent, however; when the video establishes, we are often unable to start screen sharing.

Like the previous posters, I've taken packet captures on the ASA and on each machine, but without any indication of issues. I've enabled inspection policies for SIP and STUN traffic on the ASA, using the ports described in Microsoft's Teams network deployment guide. Our only workaround right now is to have folks on the LAN call VPN users, which is highly inconvenient. I'll post again if I come across a fix, but for now, we're stumped.

@adamdotexe-4812, were you able to find a permanent fix?

0 Votes
lucavitali answered

Hi all,
Please double-check the Application Inspection settings on your firewall; your problem is 99% related to layer 7 inspection, which is mandatory to disable for Teams Real-Time UDP traffic.
Best Regards
Luca

0 Votes
MichaelTheil-9695 answered

Hi all,

I had similar problems with Teams. Whenever a user with a VPN connection called a user located at our headquarters (where the firewall hosting the VPN connection is also located), after 10 seconds the call was disconnected. This was only an issue when they used a full tunnel VPN (all traffic routed through the HQ). What I did was exclude Microsoft Teams/Skype IP addresses from being routed through the VPN. This solved my problems.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

Hope this helps.

-Theil

0 Votes
JeffersonEstanislao-2454 answered

Hi MichaelTheil-9695, was it just the specific Microsoft subnets listed in the link for Teams/Skype you excluded from the VPN tunnel?

Thanks
Jeff
