Pepp77 (Vendor) (OP)
20 Sep 11 10:53
Okay I have been trying to get a 5610 VPN phone working for the best part of 2 weeks now and am starting to wonder if I am missing something stupidly obvious that could be causing it to not work.

The phone connects to a Juniper Firewall using PSK - and the actual VPN tunnel connects no problem, the issue is that it then sits there on

Discover 192.168.99.201 (the address of the LAN 2 port on the IP office)

On the phone system I have a default route set as

0.0.0.0 / 0.0.0.0 / 192.168.99.254 / LAN 2

192.168.99.254 is the router on site (we have changed the standard RemoteManager IP address range to 192.168.100.x).

This site also has SIP via voiceflex and that uses the same IP route to get out and the SIP works flawlessly.

When the phone is connected it has an IP address of 10.10.10.11 and if I go into SSA and ping it from there via LAN 2 I get 3 quick replies, so I know the phone system can route to the phone.

We have tried 2 different phones and have just today (for an unrelated issue) swapped out their 406v2 for a new 500v2 on the latest software level and whilst I hoped it would; as expected it didn't make a difference.

The IT maintainers say that if they create a VPN connection using the same VPN details but on a laptop they are able to ping through to the phone system with no issues, so I can only assume that port 1719 is being blocked somewhere, but I have said this to the IT maintainers a few times and they don't seem to think so.

So the big question I have is can anyone think of anything obvious I may be overlooking or give me some things I can try to get this phone working.

 

| ACSS SME |

kolob4all (Vendor)
20 Sep 11 11:27
You need to create an IP route for the 10.10.10.x network on the IPO and point it to your VPN router (Juniper in your case). Otherwise the IPO won't know where to look for that IP.
amriddle01 (Programmer)
20 Sep 11 11:48
Indeed, unless you also use the Juniper as your router on 192.168.99.254 then the IPO will be talking to the wrong place smile

www.ipoffice.tel

Pepp77 (Vendor) (OP)
20 Sep 11 12:11
Thanks for the replies - the Juniper is the device on 192.168.99.254 (at least that's what the IT people tell me).

| ACSS SME |

Pepp77 (Vendor) (OP)
23 Sep 11 8:57
Okay a bit more information in case it can help anyone resolve this.

I have been advised the Juniper is running ScreenOS version 6.2.0r6.0 and the phone we are using is a 5610SW.

With a client VPN using the same details as the phone the IT guys are able to ping and get to the webpage for the Avaya on its IP address.

The documentation used to create the VPN was for ScreenOS 5.4 and is entitled:-
 
Application Notes for Configuring Avaya VPNremote™ Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication – Issue 1.0

Here are the settings used on the phone (minus the gateway and PSK)

VPN Phone Configuration Information    
    
Company Name    
Phone Type    5610
    
Profile    Juniper Xauth with PSK
    
Server    
Username    VOIPPhones
Password    VOIPPhones
Group Name    VPNClient
Group PSK    
VPN Start Mode    Boot
Password Type    Save in Flash
Encapsulation    4500-4500
Syslog Server    
    
IKE Parameters    DH2-ANY-ANY
IKE ID Type    FQDN
Diffie-Hellman Group    2
Encryption Alg    Any
Authentication Alg    Any
IKE Xchg Mode    Aggressive
IKE Config Mode    Disable
Xauth    Enable
Cert Expiry Check    Disable
Cert DN Check    Disable
    
IPSec Parameters    DH2-ANY-ANY
Encryption Alg    Any
Authentication Alg    Any
Diffie-Hellman Group    2
    
Protected Nets    
Virtual IP    10.10.10.11
Remote Net #1    192.168.99.0/24
Remote Net #2    
Remote Net #3    
Remote Net #4    
Remote Net #5    
    
Copy TOS    No
File Svr    
Connectivity Check    Never
Qtest    Disable


Does anyone know if there is a new Avaya document for ScreenOS 6.2?

| ACSS SME |

TheodisButler (IS/IT--Management)
28 Sep 11 23:59
The old, "Discover ip.office.ip.addr"

I hated seeing that message. Let me know the phone was "almost" working.

Forget about creating a route for a specific network, the default route on your IPO should be fine as long as the gateway is the same as every other device on the same network as the IP Office.

What you need to do is have your IT guys watch the firewall log as you power up your VPN phone from home. They need to look for drop packets to and from the phone IP address in addition to VPN/encryption/SA errors.

Sometimes the VPN tunnel can "seem" up when it is only partially up. Also, just because you can ping (icmp protocol) and access Avaya web page (http) from a computer does not mean VoIP traffic is allowed to pass-thru.

The fact that your IT guys don't "think" it's being blocked shows their incompetence--either it is or it isn't.

Theodis Butler
President
www.megalithtechnologies.com
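
An added example, not part of the thread or any poster's code: a sketch of the firewall-log check described in the post above, run over constructed log lines in a hypothetical key=value layout (not ScreenOS's actual log format). It separates services the firewall denied from services it permitted but that never got a reply, which points at the endpoint instead of the firewall.

```python
import re
from collections import defaultdict

PHONE = "10.10.10.11"    # phone's virtual IP (from the thread)
IPO = "192.168.99.201"   # IP Office LAN 2 address (from the thread)
# Constructed sample records in a hypothetical key=value layout.
SAMPLE_LOG = """\
t=10:01:01 msg=ike-phase2-complete peer=203.0.113.7
t=10:01:02 action=permit proto=icmp src=10.10.10.11 sport=0 dst=192.168.99.201 dport=0
t=10:01:02 action=permit proto=icmp src=192.168.99.201 sport=0 dst=10.10.10.11 dport=0
t=10:01:05 action=permit proto=tcp src=10.10.10.11 sport=40112 dst=192.168.99.201 dport=80
t=10:01:05 action=permit proto=tcp src=192.168.99.201 sport=80 dst=10.10.10.11 dport=40112
t=10:01:09 action=permit proto=udp src=10.10.10.11 sport=49300 dst=192.168.99.201 dport=1719
t=10:01:20 action=deny proto=tcp src=10.10.10.11 sport=40200 dst=192.168.99.201 dport=1720
t=10:01:21 action=permit proto=udp src=192.168.99.50 sport=53124 dst=192.168.99.254 dport=53
"""

FIELD = re.compile(r"(\w+)=(\S+)")
NEEDED = {"action", "proto", "src", "sport", "dst", "dport"}

def triage(log_text, client=PHONE, server=IPO):
    """Map (proto, server_port) -> verdict for traffic between client and server."""
    seen = defaultdict(lambda: {"req": False, "reply": False, "deny": False})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not NEEDED.issubset(f):
            continue  # not a traffic record (e.g. a VPN event line)
        if (f["src"], f["dst"]) == (client, server):
            key, kind = (f["proto"], int(f["dport"])), "req"
        elif (f["src"], f["dst"]) == (server, client):
            key, kind = (f["proto"], int(f["sport"])), "reply"
        else:
            continue  # flow between other hosts
        seen[key]["deny" if f["action"] == "deny" else kind] = True
    verdicts = {}
    for key, s in seen.items():
        if s["deny"]:
            verdicts[key] = "denied by firewall"
        elif s["req"] and s["reply"]:
            verdicts[key] = "ok"
        elif s["req"]:
            verdicts[key] = "permitted, no reply: check the endpoint"
        else:
            verdicts[key] = "reply seen without a request"
    return verdicts

if __name__ == "__main__":
    for (proto, port), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {verdict}")
```

In the constructed sample, ping and HTTP come back "ok" while udp/1719 is permitted with no reply, the pattern you would expect when the firewall passes the traffic but nothing on the far end answers it.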

hairlessupportmonkey (IS/IT--Management)
29 Sep 11 4:49
why not use config mode and let the juniper assign an IP from a virtual pool?

then, set your protected nets on the phone to 0.0.0.0/0

should work then.

ACSS - SME
General Geek



Pepp77 (Vendor) (OP)
30 Sep 11 11:23
And it was something completely obvious - the previous maintainers for this system had turned off H323 Gatekeeper on the LAN tab - and as we never do I didn't think to check it.

Turned this on and the phone works perfectly.

| ACSS SME |

tlpeter (Programmer)
30 Sep 11 11:50
smile, that is all I can do smile

That is the last place where you look while it should be the first one.
I never ever turned it off but I have seen it being turned off.
 

BAZINGA!

I'm not insane, my mother had me tested!
