Troubleshooting One-Way Audio on VoIP Call
Presenting Symptom
Users report that they can hear the remote party, but the remote party cannot hear them during VoIP calls.
Network Context
A small branch office with 50 users connects to the main headquarters via a WAN link. The branch uses a Cisco 4321 ISR as the voice gateway with CUBE (Cisco Unified Border Element) for SIP trunking to the main site's CUCM. The branch LAN has a single VLAN (VLAN 10) for data and voice, with IP phones on the same subnet as PCs. IOS version 16.9.5.
Diagnostic Steps
1. Verify RTP stream direction
show voice call status | include RTPCallID 100: RTP streams: from 10.1.1.1:16384 to 10.2.2.2:16384 (active) CallID 100: RTP streams: from 10.2.2.2:16384 to 10.1.1.1:16384 (inactive)
Look for both directions of RTP. If one direction shows 'inactive' or missing, the audio path is broken in that direction.
2. Check ACLs on the WAN interface
show access-lists 100Extended IP access list 100
10 permit udp any any eq 16384 (100 matches)
20 permit udp any any eq 16385 (0 matches)Check if RTP ports (typically even UDP ports 16384-32767) are permitted. If matches are zero on one side, the ACL may be blocking return traffic.
3. Verify NAT configuration for RTP
show ip nat translations | include 16384Pro Inside global Inside local Outside local Outside global udp 10.1.1.1:16384 10.1.1.1:16384 10.2.2.2:16384 10.2.2.2:16384
If NAT is used, ensure RTP ports are translated correctly. Missing translation indicates RTP not being NATed, causing one-way audio.
4. Check media flow-around or flow-through on CUBE
show running-config | section voice service voipvoice service voip
sip
media flow-aroundIf 'media flow-around' is configured, CUBE does not proxy media. If 'media flow-through' is configured, CUBE must be in path. Misconfiguration can cause one-way audio.
Root Cause
The branch router's ACL on the WAN interface is blocking return RTP traffic from the main site. The ACL permits outbound RTP but denies inbound RTP on the high UDP ports used for voice media.
Resolution
Verification
After applying the ACL change, verify with: show access-lists 100 Expected output shows increased match counts on the new permit line. Then test a call and run: show voice call status | include RTP Expected output shows both RTP streams as 'active'.
Prevention
1. Use a dedicated voice VLAN to separate voice and data traffic, simplifying ACL design. 2. Implement a stateful firewall or use 'ip inspect' to dynamically permit return traffic. 3. When using CUBE, consider 'media flow-through' to have the router proxy media, ensuring consistent NAT and ACL handling.
CCNA Exam Relevance
On the CCNA 200-301 exam, one-way audio scenarios appear in troubleshooting questions, often as multiple-choice or drag-and-drop. The exam tests understanding of RTP flow, ACL impact on media, and NAT traversal for VoIP. Key fact: RTP uses UDP ports 16384-32767, and both directions must be permitted.
Exam Tips
Remember that one-way audio is almost always a firewall/ACL issue blocking return RTP traffic.
The exam may show a 'show access-lists' output with zero matches on the inbound permit; that's your clue.
Know that 'media flow-around' vs 'flow-through' affects whether CUBE proxies media; flow-around requires end-to-end reachability.
Commands Used in This Scenario
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.
Test Your CCNA Knowledge
Practice with scenario-based questions to prepare for the CCNA 200-301 exam.
Practice CCNA Questions