Remote VPN 9650 IP Phone get "discover xxx.xxx.xxx.xxx" and can't connect

[Optman]

Hi all

we have setup VPN Gateway behind firewall/router supplied by ISP provider, the VPN tunnels are builted as well for PC clients, but when trying to connect remote VPN 9650 IP Telephone to the IP Office system behind this VPN gateway...we see that the tunnel from 9650 Phone to VPN Gateway is builted correctly and can get private IP address for registration with IPO but it displays "discover IPaddressIPO".

we have tried to open all necessary UDP port on the firewall for registration such as (1718, 1719, 1720, 5005...etc) but the issue is still here.


Please can anyone help us to figure out this issue ?


Thanks


Regards

 

[hairlessupportmonkey]

whats the IP route on your IP Office look like?

ACSS - SME
General Geek

 

[Optman]

I have added the IP route:

Dest 0.0.0.0
Mask 0.0.0.0
Gateway 192.168.1.254 --------------------> IP @ of Private side of VPN Gateway

LAN1 (192.168.1.10 -------------------------> IP @ of LAN1 IPO)


Thanks

 

[kwing112000]

What IP is your phone getting when connected? if it gets a private IP of 192.168.1.x you may have a problem because the IPO will see it as local.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries

 

[Optman]

yes when the IP Phone 9650 connect to the VPN Gateway it gets private IP address 192.168.1.X from the vpn gateway to communicate with IPO,

I didn't understand why the IP Phone can't register within IPO, however it's on the same subnet as IPO

please let me know


Thanks

 

[tlpeter]

It needs an IP address in a different range.
Be sure out gets one from a range that is not used at all.
Use 172.20.1.xxx for example.
Then you need an IP route to that.

BAZINGA!

I'm not insane, my mother had me tested!

 

[amriddle01]

It's not on the same subnet, you have a VPN tunnel built between two networks with the same address range, thats not the same hing and also the reason why it doesn't work

 

[amriddle01]

thing*

 

[Optman]

I have set the VPN IP Phone with public address (41.xxx.xxx.xxx) to reach the VPN/Router through public network and get authentication, then the VPN Gateway assign private IP address to that IP Phone (192.168.1.xx) to reach IP Office (192.168.1.10) that reside on the same subnet...but why I need to setup different private address to the Phone...?

You means that I need to configure my VPN Gateway to assign different range of IP address (example: 172.16.xx.xx)to the IP Phones connected, then built a new route within IP Office to reach 172.16.xx.xx from 192.168.1.xx..then it will work...right ?


I will test this tomorrow and come back to you


Thanks

 

[piethief]

You need to look in the VPN logs and see what it says.

 

[intrigrant]

the ipoffice will do a ARP on the local network if it wants to reply on a port 1719 ( H.323 RAS ) request.
ARP requests do no traverse over routers so the phone will never recieve the request and sits on discovery.
If your VPN modem supports it you could activate Proxy ARP for the DHCP IP range used for the VPN Phones.
If your router cannot do that then do as tlpeter says, use a unique ip range for the phones and make a ip route to that range were the VPN router is the gateway.

If it ain't dutch it ain't much

 

[Optman]

Hi all

I have configured as tlpeter explain, but with the same issue, I have also enable Proxy-arp on the VPN Gateway, but I have always the same issue...!!

then I have set a local test by connecting the IP Phone to the "Untrusted interface" of VPN Gateway (using only private address 10.0.0.0) get authentication and obtain private IP address 192.168.1.xx to reach IP Office and it work as well...but only when try to connect from public network behind ISP Router then we have issue...!!




Thanks

 

[Optman]

Hi all

we have check on the VPN Gateway logs during the period which the IP Phone try to reach the IPO, then we can see this error:

"No matching Policy found for OUT- Src 10.80.70.241:49300 dest 10.80.70.24:1719 proto 17"

May be the VPN Gateway can't pass traffic of H323 RAS to the IPO, Now Im looking for the correct policy to implemant on that VPN GW.

Thanks

 

[tlpeter]

What kind of VPN gateway do you have?


BAZINGA!

I'm not insane, my mother had me tested!

 

[vztech]

Hopefully its not a 3050 gateway.

It's only dialtone!!!

 

[Optman]

we have SR2330 (Secure Router 2330) VPN Gateway..avaya

 

[Optman]

we have disable the firewall on the SR2330 VPN Router but with the same issue...!!!


any idea please ?

 

[amriddle01]

Perhaps find a forum that deals with that router, discover means something is being blocked/misdirected and it will be the router doing it

 

[Bas1234]

Did you follow this doc?

https://devconnect.avaya.com/public/download/interop/96xx-VPN-SR2330.pdf

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged (Avaya Search tool

http://tinyurl.com/bas1234

)
______________________________________

 

[Optman]

I have already follow this doc..thanks