Avaya 9608 VPN Phone

(OP)
Hi All.

I have a VPN phone (9608) connecting from a home user's office. They are using a standard DSL connection with an ASUS Router, our end point is a Juniper SRX 210 where the tunnel terminates. Everything works fine, the phone logs in and makes a connection into our Avaya IP Office 500v2 v8.1 PBX. We can see the extension in system status and we can make and receive calls, however if the phone is left idle for about 30 mins the phone seems to drop out. You can tell because the time on the phone display stops updating, and as soon as you pick up the receiver the display goes to discover xxx.xxx.xxx.xxx (our call server ip) and doesn't reconnect. You need to turn off the phone and back on for it to re-connect.

There are no timeout settings on the Juniper SRX side of things and I can't see any timeout settings on the PBX or the phone for that matter. Does anyone have an idea what might be causing this, or an idea where I can see the logs from the phone?

Thanks Jason

RE: Avaya 9608 VPN Phone

I assume you have a timeout on the VPN.
I'm guessing that it loses connection during VPN rekey.

"Trying is the first step to failure..." - Homer

RE: Avaya 9608 VPN Phone

(OP)
Thanks for the feedback Janni78, I have gone through the firewall configuration and there is nothing I can see that would be stopping the connection rekeying and stopping the tunnel from staying up.
I have followed through the AVAYA documentation for the Juniper configuration, changed it slightly for my own site.

Below is a snippet of the Firewall for the Juniper.

CODE -->

set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group2
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm 3des-cbc
set security ike proposal ike-proposal lifetime-seconds 28800

set security ike policy ike-policy-AVAYA mode aggressive
set security ike policy ike-policy-AVAYA proposals ike-proposal
set security ike policy ike-policy-AVAYA pre-shared-key ascii-text "***********"

set security ike gateway AvayaPhone ike-policy ike-policy-AVAYA
set security ike gateway AvayaPhone dynamic user-at-hostname "************"
set security ike gateway AvayaPhone dynamic connections-limit 10
set security ike gateway AvayaPhone dynamic ike-user-type shared-ike-id
set security ike gateway AvayaPhone dead-peer-detection interval 60
set security ike gateway AvayaPhone dead-peer-detection threshold 2
set security ike gateway AvayaPhone nat-keepalive 5
set security ike gateway AvayaPhone external-interface ge-0/0/0.0
set security ike gateway AvayaPhone xauth access-profile phone-users

set security ipsec proposal ipsec-proposal protocol esp
set security ipsec proposal ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy proposals ipsec-proposal
set security ipsec vpn vpn-to-AVAYAPhones vpn-monitor
set security ipsec vpn vpn-to-AVAYAPhones ike gateway AvayaPhone
set security ipsec vpn vpn-to-AVAYAPhones ike ipsec-policy ipsec-policy

set access profile phone-users client "**************" firewall-user password "***************"
set access profile phone-users address-assignment pool phone-pool
set access address-assignment pool phone-pool family inet network 192.168.2.0/24
set access address-assignment pool phone-pool family inet xauth-attributes primary-dns 8.8.8.8/32 

Cheers, Jason
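
Added example, not part of any post in this thread: a small Python helper that pulls the timer settings out of Junos set lines like those posted above and checks whether any of them falls near the observed idle drop of about 30 minutes. The sample lines are copied from the posted snippet; the function names and the interval x threshold estimate for DPD are assumptions of this example.

```python
import shlex

# Constructed sample: the timer-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
set security ike proposal ike-proposal lifetime-seconds 28800
set security ike gateway AvayaPhone dead-peer-detection interval 60
set security ike gateway AvayaPhone dead-peer-detection threshold 2
set security ike gateway AvayaPhone nat-keepalive 5
set security ipsec proposal ipsec-proposal lifetime-seconds 3600
"""

TIMER_KEYS = {  # keyword sequence -> short timer name
    ("lifetime-seconds",): "lifetime",
    ("dead-peer-detection", "interval"): "dpd-interval",
    ("dead-peer-detection", "threshold"): "dpd-threshold",
    ("nat-keepalive",): "nat-keepalive",
}

def extract_timers(config_text):
    """Return {(phase, object_name, timer_name): int} from Junos set lines."""
    timers = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # copes with quoted values such as keys
        # Expected shape: set security <ike|ipsec> <kind> <name> <keyword...> <value>
        if len(tokens) < 7 or tokens[:2] != ["set", "security"]:
            continue
        phase, name, keywords = tokens[2], tokens[4], tuple(tokens[5:-1])
        if keywords in TIMER_KEYS and tokens[-1].isdigit():
            timers[(phase, name, TIMER_KEYS[keywords])] = int(tokens[-1])
    return timers

def timeline(timers):
    """Collapse the timers into (label, seconds) events, soonest first."""
    events = {}
    for (phase, name, timer), value in timers.items():
        if timer in ("lifetime", "nat-keepalive"):
            events[f"{phase} {name} {timer}"] = value
        elif timer == "dpd-interval":
            # Assumption: a silent peer is declared dead after roughly interval * threshold.
            threshold = timers.get((phase, name, "dpd-threshold"), 1)
            events[f"{phase} {name} dpd-detection"] = value * threshold
    return sorted(events.items(), key=lambda item: item[1])

def timers_near(events, observed_seconds, tolerance=0.2):
    """Labels of events within +/- tolerance (a fraction) of an observed drop time."""
    low, high = observed_seconds * (1 - tolerance), observed_seconds * (1 + tolerance)
    return [label for label, seconds in events if low <= seconds <= high]

if __name__ == "__main__":
    print(timeline(extract_timers(SAMPLE_CONFIG)))
```

With the posted values, none of the SRX-side timers lands within 20% of 30 minutes (1800 s); the closest is the IPsec lifetime of 3600 s.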

RE: Avaya 9608 VPN Phone

Enable VPN tracing in the SRX and you should be able to see what it complains about.

Also some suggest that DPD should be disabled.

"Trying is the first step to failure..." - Homer

RE: Avaya 9608 VPN Phone

(OP)
I will enable the trace tomorrow and see what I can find.
I turned off the DPD already thinking that was the cause but it kept all the ike associations alive when the connection dropped so I enabled it again.

RE: Avaya 9608 VPN Phone

BUMP:


What's the update? I have a user whose VPN phone is dropping at night.

Is there a way to increase the lifetime? I'm looking through the menu and don't see an option here.

______________________
|........................................|
|.....i.eat.bunny.children......|
|______________________|
(\__/) ||
(•Y•). ||
/ < )<||

RE: Avaya 9608 VPN Phone

(OP)
Hi ogTOKYO

My end user has been off for a few days so I haven't been able to test with traceoptions enabled. He is back next week so I plan on doing it then. When I had this before, I couldn't see much in the log to indicate what the issue was, as the tunnel from the Juniper was still up when I did show security ike security-associations and (ipsec). It was only when I dropped the phone from power and rebooted it the tunnel dropped.

Cheers, Jason
