9608 vpn remote phone DISCOVER

[RocketJTech]

I have a new install (IPO Rel 9.1) and am trying to connect a 9608 phone using VPN. Through much trial and error, it appears that I am successful in getting through the VPN. However, the phone , after negotiating through the VPN tunnel, ends up at "Discover X.X.X.X", where X.X.X.X is the local IP Address of the IP Office. Here is the sequence of messages on the phone screen between startup and the discover message:

DHCP: 3secs

VPN Tunnel Setup

​

Gateway1: X.X.X.X (Public IP Address at IPO site)

​

Exchanging Keys

​

Building VPN Tunnel

​

HTTPS: 1 X.X.X.X (IPO IP Address)

​

HTTPS: 1

https://X.X.X.X:411/96x1Hupgrade.txt

(X.X.X.X = IPO IP ADDR)

​

HTTPS: 1 X.X.X.X (IPO IP Address)

​

HTTP: 1

http://X.X.X.X:80/96x1Hupgrade.txt

(X.X.X.X = IPO IP ADDR)

​

HTTP: 1 - 1

​

Contacting call server...

​

Discover X.X.X.X (IPO IP ADDR)

The VPN Logs on the VPN Router/Firewall (Sonic Wall TZ 215) suggest that the vpn tunnel is successful.

Any ideas?



Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[intrigrant]

Do you have a ip route in IP Office towards the phone IPaddress routing through the VPN router?

 

[RocketJTech]

Shouldn't the 0.0.0.0/0.0.0.0 with the VPN router as the gateway cover that?

Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[intrigrant]

If for example the phone has subnet 192.168.50.x/24and the IPO LAN is 192.168.42.x/24 and the VPN Gatway is 192.168.42.250 add a route:
192.168.50.0 / 255.255.255.0 / 192.168.42.250 / LAN
Then it is sure the phone requests are send through the VPN router to IPO and data from IPO will be send to the phone.
Never use a 0.0.0.0 route for VPN phones.

 

[RocketJTech]

Yes, I have tried that. I have even tried the exact IP address of the remote phone. I have also verified that the IP Office can reach the internet. I appreciate your input tho.

Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[RocketJTech]

In my case, the IP Office LAN 1 is 10.2.0.55 with a default Gateway of 10.2.0.253. The IP address of the phone (provided by the remote router) is 192.168.1.166. I used an IP route of 192.168.1.0/255.255.255.0/10.2.0.253/ LAN1

Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[derfloh]

Are the HTTP downloads successful? Can you ping the phone from SSA? Does your firewall block h323 traffic?

 

[Pepp77]

I am attaching two documents.

The first is how I setup VPN and users on the Sonicwall for Avaya VPN phones.

The second is the settings entered on the phone itself.

| ACSS SME |

 

[Pepp77]

Second Doc

| ACSS SME |

 

[RocketJTech]

Thanks, Pepp. That is how I am set up. I am certain I am getting through the VPN; just not connecting to IPO.

Derflo, How will I know if my HTTP downloads are successful?

Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[derfloh]

The phone will show you messages like

http://a.b.c.d/46xxsettings.txt

200 OK if it works or an error code (think it was 503) if it fails. You can also watch sysmon with HTTP filter enabled.

 

[RocketJTech]

The phone already has its 46xxsettings.txt file, since it was originally connected on site. The only files it appears to be getting while attempting to connect thru VPN are 96x1Hupgrade.txt files. I am getting no errors, but no "200 OK" either; just the string that I displayed in red above. Mind you, this is on the phone screen, so each line represents a screen shot, in the order that they occur. I am not able to remote into their system right now, so I will have to check later on the Monitor traces.

Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[derfloh]

HTTP: 1

http://X.X.X.X:80/96x1Hupgrade.txt

(X.X.X.X = IPO IP ADDR)
HTTP: 1 - 1
Contacting call server...
Discover X.X.X.X (IPO IP ADDR)

Oh I see... There is a networking issue. Either a missing route from the phone (VPN client) to IPO or vice versa or some blocking rules in firewall.

 

[RocketJTech]

The following is a Monitor Trace of the VPN phone (192.168.7.13) attempting to connect. The Services Tab is on with everything else off during this trace. I am not sure what it means by "Idle Timeout: Not Received Any Header", but it doesn't sound good. Who has an idea?



2268815029mS TFTP Download: Upgrader: Upgrade is not in Progress
2268825029mS TFTP Download: Upgrader: Upgrade is not in Progress

********** SysMonitor v9.1.4.0 build 137 [connected to 10.2.0.55 (Anderson Weber)] **********
2268831964mS PRN: Monitor Status IP 500 V2 9.1.4.0 build 137
2268831964mS PRN: LAW=U PRI=0, BRI=0, ALOG=12, VCOMP=20, MDM=0, WAN=0, MODU=1 LANM=0 CkSRC=0 VMAIL=1(VER=2 TYP=3) 1-X=0 CALLS=1(TOT=17566)
2268835030mS TFTP Download: Upgrader: Upgrade is not in Progress
2268845030mS TFTP Download: Upgrader: Upgrade is not in Progress
2268846508mS HTTP: 192.168.7.13(37944) HTTPSession(Secure) (Total = 2)
2268855030mS TFTP Download: Upgrader: Upgrade is not in Progress
2268856990mS HTTP: 192.168.7.13(37944) HTTPSession: Idle Timeout: Not Received Any Header
2268856990mS HTTP: 192.168.7.13(37944) ~HTTPSession: Duration: 10482ms (Total = 1)
2268865035mS TFTP Download: Upgrader: Upgrade is not in Progress
2268867001mS HTTP: 192.168.7.13(32911) HTTPSession (Total = 2)
2268875035mS TFTP Download: Upgrader: Upgrade is not in Progress
2268877990mS HTTP: 192.168.7.13(32911) HTTPSession: Idle Timeout: Not Received Any Header
2268877990mS HTTP: 192.168.7.13(32911) ~HTTPSession: Duration: 10989ms (Total = 1)
2268885035mS TFTP Download: Upgrader: Upgrade is not in Progress

********** SysMonitor v9.1.4.0 build 137 [connected to 10.2.0.55 (Anderson Weber)] **********
2268892807mS PRN: Monitor Status IP 500 V2 9.1.4.0 build 137
2268892807mS PRN: LAW=U PRI=0, BRI=0, ALOG=12, VCOMP=20, MDM=0, WAN=0, MODU=1 LANM=0 CkSRC=0 VMAIL=1(VER=2 TYP=3) 1-X=0 CALLS=1(TOT=17566)
2268895035mS TFTP Download: Upgrader: Upgrade is not in Progress
2268905036mS TFTP Download: Upgrader: Upgrade is not in Progress

********** Warning: Logging to Screen Stopped **********


Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[RocketJTech]

Here is a Monitor Trace showing the H323 Tab. Again the phone (ext 283) has a remote IP Address of 192.168.7.13. Again, this does not look right, but I don't know why.



********** SysMonitor v9.1.4.0 build 137 [connected to 10.2.0.55 (Anderson Weber)] **********
15:41:00 2268040963mS PRN: Monitor Status IP 500 V2 9.1.4.0 build 137
15:41:00 2268040963mS PRN: LAW=U PRI=0, BRI=0, ALOG=12, VCOMP=20, MDM=0, WAN=0, MODU=1 LANM=0 CkSRC=0 VMAIL=1(VER=2 TYP=3) 1-X=0 CALLS=0(TOT=17528)
15:41:05 2268044260mS RasRx: v=IFace=LAN1, Src=192.168.7.13:49300, Dst=10.2.0.55:1719 peb=0
RasMessage = gatekeeperRequest = {
requestSeqNum = 2
protocolIdentifier = 0.0.8.2250.0.5
nonStandardData = {
nonStandardIdentifier = object = 2.16.840.1.113778.4.2.1
data =
85 01 40 ..@
}
rasAddress = ipAddress = {
ip =
c0 a8 07 0d ....
port = 49300
}
endpointType = {
terminal = {
}
mc = false
undefinedNode = false
}
endpointAlias = { 1 item(s)
[0] = dialedDigits =
32 38 33 283
}
tokens = { 1 item(s)
[0] = {
tokenOID = 2.16.840.1.114187.1.6.2
dhkey = {
halfkey =
e1 4b c3 4a 17 00 bd e1 ed 0c dd 57 d3 59 23 fd .K.J.......W.Y#.
bb 57 66 72 37 5c 58 b1 10 43 b8 ea ac 15 dd 97 .Wfr7\X..C......
a2 e2 70 8b ea 58 ea f5 4d c1 54 98 38 19 9f 45 ..p..X..M.T.8..E
b9 06 9f e6 bd c6 ea 2b d4 73 f2 20 88 3b bc 98 .......+.s. .;..
a5 6e b2 bd 28 ff e4 d9 8e 03 ab c7 a5 e7 62 a5 .n..(.........b.
a0 49 a4 9b 5b 9f 8c e9 1e e2 3f e2 25 31 cd 78 .I..[.....?.%1.x
aa 44 93 1b a0 77 e1 45 8f 02 82 8d 52 3e 62 27 .D...w.E....R>b'
cd 73 1b 5e ed e2 e3 ee 86 e9 6f 73 f5 2a 6c a1 .s.^......os.*l.
modSize = empty
generator = empty
}
profileInfo = { 2 item(s)
[0] = {
elementID = 2
element = octets =
0a 6f 74 29 .ot)
}
[1] = {
elementID = 1
element = octets =
eb 77 1d 69 45 56 dd 0d 8f 2e 2c 5d .w.iEV....,]
}
}
}
}
authenticationCapability = { 2 item(s)
[0] = pwdSymEnc
[1] = keyExch = 2.16.840.1.114187.1.6.2
}
algorithmOIDs = { 2 item(s)
[0] = 1.3.14.3.2.6
[1] = 2.16.840.1.114187.1.3
}
featureSet = {
replacementFeatureSet = false
supportedFeatures = { 1 item(s)
[0] = {
id = oid = 2.16.840.1.114187.1.10
parameters = { 10 item(s)
[0] = {
id = standard = 4
}
[1] = {
id = standard = 5
}
[2] = {
id = standard = 6
}
[3] = {
id = standard = 7
}
[4] = {
id = standard = 10
}
[5] = {
id = standard = 11
}
[6] = {
id = standard = 12
}
[7] = {
id = standard = 13
}
[8] = {
id = standard = 14
}
[9] = {
id = standard = 15
}
}
}
}
}
}
NonStandardDataMessage = discoveryRequest = {
natTerminal
}
15:41:05 2268044260mS H323Evt: Recv GRQ from c0a8070d
15:41:05 2268044260mS H323Evt: e_H225_AliasAddress_dialedDigits alias
15:41:05 2268044260mS H323Evt: found number <283>
15:41:05 2268044261mS RasTx: v=Src=10.2.0.55:1719, Dst=192.168.7.13:49300 peb=0
RasMessage = gatekeeperConfirm = {
requestSeqNum = 2
protocolIdentifier = 0.0.8.2250.0.5
gatekeeperIdentifier =
0041 006e 0064 0065 0072 0073 006f 006e Anderson
0020 0057 0065 0062 0065 0072 Weber
rasAddress = ipAddress = {
ip =
0a 02 00 37 ...7
port = 1719
}
authenticationMode = pwdSymEnc
tokens = { 1 item(s)
[0] = {
tokenOID = 0.0
timeStamp = -2026923035
random = 4123
generalID =
0044 0045 0046 0049 004e 0049 0054 0059 DEFINITY
}
}
algorithmOID = 1.3.14.3.2.6
featureSet = {
replacementFeatureSet = true
supportedFeatures = { 1 item(s)
[0] = {
id = oid = 2.16.840.1.114187.1.10
parameters = { 3 item(s)
[0] = {
id = standard = 13
}
[1] = {
id = standard = 14
}
[2] = {
id = standard = 15
}
}
}
}
}
}
15:41:05 2268044527mS RES: Wed 13/1/2016 15:41:05 FreeMem=53525192 Heap=52780504(1) Cache=744688 MemObjs=16203(16616) CMMsg=6(9) ASN=0 Buff=5200 1352 1000 7444 5 Links=59558(59883) BTree=1411(2568) CPU=09.62% CPUStats=09.13%/2/5/1671/13237/16367/00.29%/0
/02.67% MCR=0 MCW=0
15:41:05 2268044528mS RES2: IP 500 V2 9.1.4.0 build 137 Tasks=56 RTEngine=0 CMRTEngine=0 ExRTEngine=0 Timer=62 Poll=0 Ready=0 CMReady=0 CMQueue=0 VPNNQueue=0 Monitor=1 SSA=0 TCP=205(TLS=97) TAPI=0 ASC=1 SYS=MNTD OPT=UMNT SDSPD=2034
15:41:05 2268044528mS RES4: XML MemObjs=63 PoolMem=4748404(2) FreePoolMem=4733100(0)
15:41:05 2268044528mS RES5: CLog MemObjs=1221 FreePoolMem(Objs)=4108(79) TotalMem=204100


Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[RocketJTech]

I thought for sure that at least one of you out there would have a clue on this. Perhaps, with all the other posts on here, this one got past you. Here's another chance to be the hero and help me figure this bugger out. Anyone? Thank you in advance. This one has me pulling my hair out AND beating my head against the wall... It's hard on the knuckles.

Thanks to technology, we can instantly communicate across the world, but it still doesn't help us know what to say.

 

[amriddle01]

I can't really help fix it, but I can tell you I'm 99% sure it's the Sonicwall at fault, the handset can't even get its files never mind talk to the system.
I don't really know Sonicwalls at all hence why I can't help fix it, but I do know they're known for being troublesome like this

Good luck

 

[jasonmorrison]

Do you have Consistent NAT turned on under the VoIP tab in the Sonicwall?


JASON MORRISON
THINK CONVERGED
ACSS (SME)
APSS (SME)

 

[headcase69]

don't know if it was mentioned, but I thought the sonicwalls by default had H323 turned on? I have worked with a couple of sonicwalls and every time an IP phone didn't work, it was because the H323 tick-mark box was ticked. once it was off/unticked, it started working...

 

[mojoputter]

So does the customer use the VPN to connect their PC to their network..? if so, can they ping the IPO ip address..?