Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.
Issue
After Cisco VoIP phones connect to the wireless network, the phones get an IP address but are unable to pass voice traffic. In the data path session table, RTCP traffic has been blocked by the controller from the Cisco phone.
Reason
Skinny Client Control Protocol (SCCP) is a proprietary Cisco protocol that is used between Cisco CallManager and Cisco VoIP phones.
For a VOIP solution, clients in the LAN use the SCCP to establish the call connection between the client and the CallManager where TCP-based communication is used. When the client initiates the connection, if it retransmits the ACK packet, the controller interprets this as a replay attack and it blocks the packet. The controller does not open the necessary firewall (UDP) ports for SCCP ALG, which is necessary for the audio traffic. So the RTP and RTCP packets get dropped and the client cannot pass the audio traffic.
Workaround
In the global firewall, if "prohibit RST replay attack" and "deny inter user bridging" is disabled, the client can pass the audio traffic. Otherwise, UDP ports 16000 to 34000 can be opened manually for the Cisco phones (ACL defined for the client). RTP and RTCP will use ports in this range.
Solution
The issue of denying retransmitted TCP ACK packets is fixed in ArubaOS 3.4.