Wireless Access

  • 1.  WiFi Calling; 7005 as a firewall; Intermittent functionality

    Posted Jun 25, 2020 02:46 AM

    I figured I'd post this for future help, in the odd event someone is doing what I am doing.

     

    Background:  I upgraded my ISP service to gig speeds.  I have Cox, so it's Gigablast (up to 940 down/34 up).  My current firewall was an ASA5520 with module and max firewall throughput was around 480 Mbps.  Obviously, this wasn't going to cut it.

     

    I didn't want to spend the money on a new firewall, so I acquired a 7005 since it's got roughly 2 gig firewall throughput - why not? 

     

    OK, so long story short (and I have a TAC case in for this): WiFi calling doesn't work consistently.  It actually got so bad that my wife, who is a nurse, was missing On-Call calls, so she switched it off.  For the past 6 months or so, I have been trying to figure out how to fix this issue.  It appears as though inbound calls get missed, whereas outbound calls are 98% successful.

     

    My environment is simple:  Firewall (7005) - Cisco 3850 (Core/Dist/Access layer) - WLAN Controller (7010).

     

    Verizon is my carrier.

     

    My firewall:

    is a 7005

    running 8.6.0.2

    NO USERS/APs etc connect directly to it.

    is literally a straight through firewall...that routes traffic to a second hop...

    has PEF license

    has Session ACLs set up on outside interface

    can reach every aspect of my inside network

    Shows the proper port utilization during an active call (datapath sessions) from Vzw to my external IP; from my client to Vzw.

    I have IP NAT outside on my external interface

    I have used DSTNAT in my ACLs, pointing to my WLAN Controller IP; my client specifically

    My ACLs now just allow to my external IP.

    I have created a netdestination to reflect/reference the DNS entries of my various cell provider options

    On my WLAN controller,

    Running 6.5.4.17

    I have WMM set and tos set.

    User role with essentially allowed all, inbound and out, including the various wifi calling acls

    **Noticing** some of my traffic was hitting VLAN 1, which was shut/no IP address; I even went as far as changing the native VLAN of my management VLAN.

    I have verified with my ISP this all is allowed.

     

    With the exception of TAC, I'm sort of at my wits' end...so I figured I'd ask here...  I'm almost tempted to get rid of my session ACL, and replace it with an extended ACL...

    Trying WiFi calling on other, not-so-fancy networks, everything, to my knowledge, works fine.

     

    I have uploaded my logs from my 7005 (edge) and my 7010 (wlan controller).

     

    I'm hoping someone has had this problem before -- and if not -- I'm hoping I will provide a solution to someone else.

     

     Many thanks!

    Attachment(s)

    txt
    firewall (2).txt   40 KB 1 version
    txt
    wlan-controller.txt   36 KB 1 version


  • 2.  RE: WiFi Calling; 7005 as a firewall; Intermittent functionality

    Posted Jun 25, 2020 04:35 AM

    Since the 7005 is running 8.x, have you verified that the feature-bit is enabled for the PEF license, so as to make it work?

    What happens when you use an allow-all ACL?

    For testing purposes, try moving it to the top of the queue and check if the calls are going through.



  • 3.  RE: WiFi Calling; 7005 as a firewall; Intermittent functionality

    Posted Jun 25, 2020 10:50 AM

    PEF has been verified.  If PEF wasn't installed, I wouldn't be able to look into the firewall, do DPI or set up ACLs, I'm guessing.

    Allowall - well, allows all.

    Here's a snippet of my datapath sessions.  4500 is what src port I need to allow.  According to Vzw, I need to allow UDP/4500, UDP/500, ESP 50, tcp/443 and 3 others which I think only deal with an extender...


    (gtw-edge) [mynode] #show datapath session table | include 4500
    141.207.229.233 70.x.x.x 17 4500 10117 0/0 0 0 1 pc1 14 1 108 FNA 7
    10.2.200.24 141.207.229.233 17 45519 4500 0/0 0 32 1 pc1 14 4 274 FSCA 7
    10.10.1.7 148.173.100.226 17 57553 4500 0/0 0 40 0 pc1 8f59 356197 168193535 FSC 6
    148.173.100.226 70.x.x.x 17 4500 10112 0/0 0 0 0 pc1 8f59 863403 444805053 FN 7