Why are Cisco VoIP phones unable pass voice traffic?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.


After Cisco VoIP phones connect to the wireless network, the phones get an IP address but are unable to pass voice traffic. In the data path session table, RTCP traffic has been blocked by the controller from the Cisco phone.


Skinny Client Control Protocol (SCCP) is a proprietary Cisco protocol that is used between Cisco CallManager and Cisco VoIP phones.

For a VOIP solution, clients in the LAN use the SCCP to establish the call connection between the client and the CallManager where TCP-based communication is used. When the client initiates the connection, if it retransmits the ACK packet, the controller interprets this as a replay attack and it blocks the packet. The controller does not open the necessary firewall (UDP) ports for SCCP ALG, which is necessary for the audio traffic. So the RTP and RTCP packets get dropped and the client cannot pass the audio traffic.


In the global firewall, if "prohibit RST replay attack" and "deny inter user bridging" is disabled, the client can pass the audio traffic. Otherwise, UDP ports 16000 to 34000 can be opened manually for the Cisco phones (ACL defined for the client). RTP and RTCP will use ports in this range.


The issue of denying retransmitted TCP ACK packets is fixed in ArubaOS 3.4.

Version history
Revision #:
1 of 1
Last update:
‎07-05-2014 03:34 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: