question

1 Vote
SydneyMarihoho-9571 asked ·

What would cause MS Teams calls to drop after about 10 seconds when originated from Remote VPN to LAN?

• The caller must be on the VPN (Remote Access Service)
• The called party must be on a site LAN (but it can be any Company site)
• The call will work perfectly until 10 seconds and then will end / be torn down

office-teams-windows-itpro

0 Votes
lucavitali answered ·

Hi,
please check the routing between the client in VPN and the client in LAN.
In a point-to-point call between two Teams clients, the two clients will try to establish a direct media flow between them.
If something in the middle (routing, firewall, etc.) blocks this UDP traffic, the call will drop after 10 sec.

Best
Luca


2 Votes
SydneyMarihoho-9571 answered ·

Hi Luca, thanks for the reply to my question, but the puzzle is that the call gets established for the first 10 secs and then drops, so I'm failing to understand how the firewall/router would have allowed the traffic in the first place if it then drops it immediately?


0 Votes
lucavitali answered ·

Hi,
I understand your doubts.
I've seen fw that do not drop UDP packets immediately...
Anyway:
- Is it possible to monitor the VPN connection? Do you see any packet drops?
- If the Teams client outside (not in LAN) is NOT connected via VPN, does the call between the Teams client outside and the one inside work?

Thank you. Best. Luca




0 Votes
SydneyMarihoho-9571 answered ·

I did monitor the traffic on the firewall during a live troubleshooting session and I could not see the drop of traffic; the logs just stop when the call dropped.

Yes, when the call is established without that VPN the Teams call works fine. Maybe I need to drill a bit more into the specific VPN tunnel in question.

Thanks for your help.

Sydney


0 Votes
lucavitali answered ·

Hi,
I suggest taking PCAP traces directly on the two Teams clients with Wireshark; this should help you find the issue.
I'll thank you if you update this thread.
Thanks
Luca
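
One way to compare the two client-side captures suggested above, as an added example that is not part of the original thread: it measures how long each UDP direction stayed alive in each capture, so a direction that keeps being sent on one side but stops arriving on the other stands out. The addresses and sample lines are constructed, and the input format assumes the tshark field export shown in the comment.

```python
from collections import defaultdict

# Input lines are what this tshark export produces (tab-separated):
#   tshark -r call.pcapng -Y udp -T fields -e frame.time_epoch -e ip.src -e ip.dst

def flow_stats(tshark_lines):
    """Per UDP direction (src, dst): (packet count, seconds from first to last packet)."""
    seen = defaultdict(list)
    for line in tshark_lines:
        if not line.strip():
            continue
        ts, src, dst = line.split("\t")[:3]
        seen[(src, dst)].append(float(ts))
    return {d: (len(t), round(max(t) - min(t), 3)) for d, t in seen.items()}

def stalled_directions(capture_a, capture_b, tolerance=1.0):
    """Directions whose lifetime differs between the two captures.

    Durations are compared, not absolute times, so the two machines'
    clocks do not need to be synchronised.
    """
    a, b = flow_stats(capture_a), flow_stats(capture_b)
    findings = []
    for direction in sorted(set(a) | set(b)):
        dur_a = a.get(direction, (0, 0.0))[1]
        dur_b = b.get(direction, (0, 0.0))[1]
        if abs(dur_a - dur_b) > tolerance:
            findings.append((direction, dur_a, dur_b))
    return findings

def _sample(src, dst, first, last):
    # Constructed data: one packet per second from `first` to `last`.
    return [f"{t:.1f}\t{src}\t{dst}" for t in range(first, last + 1)]

VPN, LAN = "10.8.0.5", "10.1.0.20"  # constructed addresses
# Capture taken on the VPN client: it sends for 14 s, receives for only 10 s.
VPN_CAPTURE = _sample(VPN, LAN, 0, 14) + _sample(LAN, VPN, 0, 10)
# Capture taken on the LAN client: it sends for 14 s, receives for only 10 s.
LAN_CAPTURE = _sample(LAN, VPN, 0, 14) + _sample(VPN, LAN, 0, 10)

if __name__ == "__main__":
    for (src, dst), dur_a, dur_b in stalled_directions(VPN_CAPTURE, LAN_CAPTURE):
        print(f"{src} -> {dst}: {dur_a}s in capture A, {dur_b}s in capture B")
```

A direction that lives longer in the sender's capture than in the receiver's points at a device on the path, not at either client.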


0 Votes
adamdotexe-4812 answered ·

We have the exact same issue happening at the moment - if the caller is on the VPN and the recipient is on the local LAN the call starts and drops about 10 seconds later. Calls from VPN to VPN are fine, and calls from the local LAN to the VPN are fine. Both network segments share the same firewall and inspection rules and traffic flow is identical other than the caller being on a different part of the network.

Packet captures show no drops, just a complete stop in communication. As far as we're aware this has only started happening recently, from early July onwards, but that could be a coincidence given COVID-19 has changed how we're working.

Our workaround has (annoyingly) been to switch to a split tunnel VPN configuration and bypass all Microsoft services from traversing the tunnel, which isn't ideal.

We're using Cisco AnyConnect and Firepower IDS/IPS.


0 Votes
crescentwire-8468 answered ·

We also have this exact same issue. Cisco ASA with AnyConnect 4.8. When users on VPN call folks on the LAN (traversing the firewall), the call will establish with audio only (video never loads) for about 10 seconds, and then drop. The issue does seem to be intermittent, however; when the video establishes, we are often unable to start screen sharing.

Like the previous posters, I've taken packet captures on the ASA and on each machine, but without any indication of issues. I've enabled inspection policies for SIP and STUN traffic on the ASA, using the ports described in Microsoft's Teams network deployment guide. Our only workaround right now is to have folks on the LAN call VPN users, which is highly inconvenient. I'll post again if I come across a fix, but for now, we're stumped.

@adamdotexe-4812, were you able to find a permanent fix?


0 Votes
lucavitali answered ·

Hi all,
please double-check the Application Inspection settings on your firewall; your problem is 99% related to layer 7 inspection, which must be disabled for Teams real-time UDP traffic.
Best Regards
Luca


0 Votes
MichaelTheil-9695 answered ·

Hi all,

I had similar problems with Teams. Whenever a user with a VPN connection called a user located at our headquarters (where the firewall hosting the VPN connection is also located), the call was disconnected after 10 seconds. This was only an issue when they used a full tunnel VPN (all traffic routed through the HQ). What I did was exclude the Microsoft Teams/Skype IP addresses from being routed through the VPN. This solved my problems.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

Hope this helps.

-Theil
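
A sketch of how a narrow split-tunnel exclude list could be derived, as an added example that is not part of the original thread: it keeps only the Teams/Skype entries that are category "Optimize" and carry UDP ports, so all other Microsoft traffic stays inside the tunnel and its inspection. The field names follow the JSON published by Microsoft's Office 365 IP Address and URL web service; the sample data and the function name are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the endpoint-set JSON layout; the address ranges are
# documentation prefixes (RFC 5737 / RFC 3849), not Microsoft's real ranges.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Skype", "category": "Optimize",
   "ips": ["198.51.100.0/25", "198.51.100.128/25", "2001:db8:100::/48"],
   "udpPorts": "3478,3479,3480,3481"},
  {"id": 2, "serviceArea": "Skype", "category": "Allow",
   "urls": ["*.teams.example"], "ips": ["203.0.113.0/24"],
   "tcpPorts": "80,443"},
  {"id": 3, "serviceArea": "Exchange", "category": "Optimize",
   "ips": ["192.0.2.0/24"], "tcpPorts": "80,443"}
]
""")


def media_split_tunnel_excludes(endpoints, service_area="Skype"):
    """Return collapsed IPv4/IPv6 prefixes of the UDP media endpoints only.

    Keeps entries that are in the given service area, are category
    "Optimize" and list UDP ports; everything else stays in the tunnel.
    """
    nets = {4: [], 6: []}
    for entry in endpoints:
        if entry.get("serviceArea") != service_area:
            continue
        if entry.get("category") != "Optimize" or not entry.get("udpPorts"):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            nets[net.version].append(net)
    # Merge adjacent prefixes so the VPN profile carries the shortest list.
    return {
        version: [str(n) for n in ipaddress.collapse_addresses(found)]
        for version, found in nets.items()
    }


if __name__ == "__main__":
    for version, prefixes in media_split_tunnel_excludes(SAMPLE_ENDPOINTS).items():
        print(f"IPv{version}:", ", ".join(prefixes) or "(none)")
```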


0 Votes
JeffersonEstanislao-2454 answered ·

Hi MichaelTheil-9695, was it just the specific Microsoft subnets listed in the link for Teams/Skype you excluded from the VPN tunnel?

Thanks
Jeff
