Avaya 5610SW IP - VPN refresh - Dropped calls - Very bad

[redisms2]

Hello all,

I've done some searching and have seen that i am not the only one to experience this.. unfortunately the solutions provided have not worked.

We have about 7 outside users who have the 5610SW IP (all of which have different ISPs and networking equipment).

Typically on long calls their phones will randomly reboot, obviously dropping the call. This has gotten so bad that they use their landlines which is bad for us.

There is no pattern except the fact that most drop at exactly 50 minutes.

They connect to our Juniper here at HQ.

Here's an example of one of our users logs from the Juniper:

2009-07-23 12:45:45 info IKE xx.xxx.xxx.xxx: XAuth login was passed for gateway Avaya-VPN-Phone-Gateway, username waynea-avaya, retry: 0, Client IP Addr 10.200.200.29, IPPool name: Avaya-VPN-Phones, Session-Timeout: 0s, Idle-Timeout: 0s.
2009-07-23 12:45:44 info IKE xx.xxx.xxx.xxx: XAuth login was refreshed for username waynea-avaya at 10.200.200.29/255.255.255.255.
2009-07-23 11:55:42 info IKE xx.xxx.xxx.xxx: XAuth login was passed for gateway Avaya-VPN-Phone-Gateway, username waynea-avaya, retry: 0, Client IP Addr 10.200.200.29, IPPool name: Avaya-VPN-Phones, Session-Timeout: 0s, Idle-Timeout: 0s.
2009-07-23 11:55:42 info IKE xx.xxx.xxx.xxx: XAuth login was refreshed for username waynea-avaya at 10.200.200.29/255.255.255.255.
2009-07-23 11:05:39 info IKE xx.xxx.xxx.xxx: XAuth login was passed for gateway Avaya-VPN-Phone-Gateway, username waynea-avaya, retry: 0, Client IP Addr 10.200.200.29, IPPool name: Avaya-VPN-Phones, Session-Timeout: 0s, Idle-Timeout: 0s.
2009-07-23 11:05:39 info IKE xx.xxx.xxx.xxx: XAuth login was refreshed for username waynea-avaya at 10.200.200.29/255.255.255.255.

As you can see the 50 minutes is pretty on the ball. I've checked from this end (Juniper side) and I'm not sure how the juniper would send the phone a reboot or refresh command.

Here the config file avaya:

SET NVVPNMODE 1
SET NVVPNCFGPROF 5
SET NVSGIP xxx.xxx.xx.xx
SET NVVPNPSWDTYPE 1
SET NVVPNFILESRVR 10.1.200.15
SET NVVPNENCAPS 0
SET NVVPNCOPYTOS 2
SET NVVPNCONCHECK 1
SET MCIPADD 10.1.200.10
SET NVIKEPSK xxxxxxxx
SET NVIKEID vpnphone@xxxxxx.com
SET NVIKEIDTYPE 3
SET NVIKEDHGRP 2
SET NVPFSDHGRP 2
SET NVIKEP1ENCALG 0
SET NVIKEP2ENCALG 0
SET NVIKEP1AUTHALG 0
SET NVIKEP2AUTHALG 0


This is very frustrating to me and the end user.

Any help will be greatly appreciated.. and if you somehow live in Montreal, I'll send you some beer or something

 

[kwing112000]

on the phone there is a lifetime setting. what is it set to? you can go as high as 5 days. it will reboot when the timer expires.

Kevin Wing
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries

 

[redisms2]

I inherited these systems when I joined this company. Is there a way to verify and change it remotely?

Also when we put them on their DMZ (eg: on their personal linksys) it doesn't seem to drop as much. Does that make sense?

 

[redisms2]

I feel as though the settings shouls be in here. But I see nothing about lifetime.

46XX Settings
• AGCHAND
Switch handset automatic gain control on/off. 0 = off, 1 = on (default).
• AGCHEAD
Switch headset automatic gain control on/off. 0 = off, 1 = on (default).
• DNSSRVR
Text string containing the domain to be used when DNS names in system values are resolved to
IP addresses.
• DOMAIN
Text string containing the IP address of one or more DNS servers. At least one address must be
a dotted decimal address.
• DSCPAUD
Differentiated Services Code Point for Audio. Range 0 to 63 decimal. Default 40. Should be set to
match the DSCP setting on the IP Office System | Gatekeeper form (default 46).
• DSCPSIG
Differentiated Services Code Point for Signaling. Range 0 to 63 decimal. Default 40. Should be
set to match the SIG DSCP setting on the IP Office System | Gatekeeper form (default 0).
• IRSTAT
Infrared port status. 0 = off, 1 = on default.
• L2Q
802.1Q framing. 0 = auto (default), 1 = on, 2=off. The recommended setting for IP Office
operation is 2 (off).
• L2QAUD
Layer 2 audio priority. Range 0 to 7. Default = 6.
• L2QSIG
Layer 2 signaling priority. Range 0 to 7. Default = 6.
• L2QVLAN
VLAN identifier. Range 0 to 4095. Default = 0.
• VLANTEST
Defines how long the phone should attempt to register on a non-zero VLAN before defaulting
back to VLAN 0. Default = 60 seconds. Setting VLANTEST to 0 sets the phone to attempt
registering on the non-zero VLAN indefinitely.
• MCPORT
Gatekeeper transport layer port number. Ranger 0 to 65535. Default = 1719.
• PHY2STAT
Secondary Ethernet interface status. 0 = off, 1 = on (default).
• PORTAUD
Phone's transport layer port number for audio. Range 0 to 65535. Default = 5004.

 

[kwing112000]

everything in that last post is about the local phone not the VPN connection. it could be in your VPN settings file. i have changed them locally on the phone.

Kevin Wing
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries

 

[amriddle01]

Thats's the handset (voice) settings, I would look at the VPN settings on the handset.

ACS - IP Office Implement

"I'm just off to Hartlepool to buy some exploding trousers

 

[redisms2]

Ok, after looking at the VPN settings on the phone I still do not see anything for Lifetime or Timeout or anything of the like.

I thought it might be in the IPSec parameters

I have:

Server
User Name
Password
Group Name
Group PSK
VPN start mode
Password Type
Encapsulation
Syslog Server
IKE Parameters
IPSec Parameters
Protected Nets
Copy TOS
File Server
Connectivity check <--- This is set to "First Time"
Qtest

If someone can point me to the proper documentation or walk me through this I would be in the debt. Thank you.

 

[Bas1234]

How is the "Reserve Private IP for XAuth user" set?

From the left navigation menu, select VPNs > AutoKey Advanced > XAuth Settings

put the timer to 480 Minutes.

___________________________________________
It works! Now if only I could remember what I did...
___________________________________________

 

[redisms2]

Interestingly it's set to : 32767 minutes

Seems quite long to me.... close to 23 days.

Would lowering it help my situation?

 

[Bas1234]

Don't know what the maximum time is, could be a bug?!
In the docs of the ACM the set it to 480

___________________________________________
It works! Now if only I could remember what I did...
___________________________________________

 

[redisms2]

I've changed it to 480 to see if it makes a difference.

You don't think it would be something on the phone though?

Would "Connectivity check" on the handset have anything to do with it? Currently it's set to "First Time" instead of "Always".

Thanks as always.

 

[Bas1234]

First Time should be ok, have look in the PDF link. This is from the ACM but the Remote VPN setup is still the same.

http://support.avaya.com/elmodocs2/vpn/vpnphone_ssg.pdf

___________________________________________
It works! Now if only I could remember what I did...
___________________________________________

 

[JayNEC]

Change your P2 Proposal lifetime from the default of 3600 seconds (1 hour) mine is set to 7 days.
You'll need to create a new custom P2 proposal, match everything the same but this parameter. You don't need to change anyything on the phone. Associate this P2 proposal with your autokey IKE.
The phones often have trouble with doing the math of the encryption rekeying and freeze up or reboot.

 

[JayNEC]

Oh, and do it on the P1 proposal as well...

 

[redisms2]

I created the new P1 and P2 proposal and will test it throughout the weekend. Damn i hope this works

Thank you all for your help.

 

[redisms2]

It WORKED! JayNEC..... I owe you. (thanks to everyone else to

Thanks so much.

If you're every in Montreal... beers on me.

 

[JayNEC]

Good to know

 

[R3LzX]

Excellent post and many thanks for this information.

 

[Locate911]

I'm having a similar, yet perhaps unrelated, problem. Please let me know if it should be its own topic.

My 5610 SW is connected to an IP Office via a persistent OpenVPN tunnel between two discrete networks. At random times (not close to the 50 minutes above), my calls simply die. The call timer continues to run for awhile, then the phone goes to "Discover 192.168.xxx.x" and then it reboots in about five minutes. Sometimes, the phone goes to "Discover..." and reboots even when I'm not on a call. Other times, I simply lose audio for a few seconds and the call continues. About half the time, when the phone reboots, the display is garbage, showing rectangles in place of some characters.

We've double- and triple-checked the routing between the two networks. I've replaced just about every piece of network gear between the phone and the IPO. I even upgraded my internet connection. Traffic to and from any machine on either networks flows in both directions just fine. OpenVPN logs show no connectivity issues.

A TCPDump of the dropped audio shows constant traffic between IPO and the 5610.

We're going to try another phone on Friday, thinking that it may be a hardware issue. But if this is a known problem, I'd love to find out how to fix it.

BTW, this is NOT a VPN phone. As I mentioned above, the networks are bridged together.

For more info, if needed, here are some of the settings I'm seeing on the phone:
Received Coding: G711
Packet loss: 0%
Packetization delay: 20msec
One-way network delay: 19msec
Network jitter delay: 20msec (as high as 60msec)

Quality of Service...
L2 Audio/Signaling: 6/6
L3 Audio/Signaling: 46/0
PHY2: Enabled
IR: Disabled
SSON: 176
Model: 5610D01A

Thanks!

 

[mforrence]

I'd try the 729 codec and see if it makes a difference. The phone is losing connectivity to IPOffice for whatever reason.
Mike