Annoying VPN phone issue

Okay I have been trying to get a 5610 VPN phone working for the best part of 2 weeks now and am starting to wonder if I am missing something stupidly obvious that could be causing it to not work.

The phone connects to a Juniper Firewall using PSK - and the actual VPN tunnel connects no problem, the issue is that it then sits there on

Discover (the address of the LAN 2 port on the IP office)

On the phone system I have a default route set as / / / LAN 2 is the router on site (we have changed the standard RemoteManager IP address range to 192.168.100.x).

This site also has SIP via voiceflex and that uses the same IP route to get out and the SIP works flawlessly.

When the phone is connected it has an IP address of and if I go into SSA and ping it from there via LAN 2 I get 3 quick replies, so I know the phone system can route to the phone.

We have tried 2 different phones and have just today (for an unrelated issue) swapped out their 406v2 for a new 500v2 on the latest software level and whilst I hoped it would, as expected it didn't make a difference.

The IT maintainers say that if they create a VPN connection using the same VPN details but on a laptop they are able to ping through to the phone system with no issues, so I can only assume that port 1719 is being blocked somewhere, but I have said this to the IT maintainers a few times and they don't seem to think so.

So the big question I have is can anyone think of anything obvious I may be overlooking or give me some things I can try to get this phone working.



RE: Annoying VPN phone issue

You need to create an IP route for the 10.10.10.x network on the IPO and point it to your VPN router (Juniper in your case). Otherwise the IPO won't know where to look for that IP.

RE: Annoying VPN phone issue

Indeed, unless you also use the Juniper as your router on then the IPO will be talking to the wrong place :)


RE: Annoying VPN phone issue

Thanks for the replies - the Juniper is the device on  (at least that's what the IT people tell me).


RE: Annoying VPN phone issue

Okay a bit more information in case it can help anyone resolve this.

I have been advised the Juniper is running ScreenOS version 6.2.0r6.0 and the phone we are using is a 5610SW.

With a client VPN using the same details as the phone the IT guys are able to ping and get to the webpage for the Avaya on its IP address.

The documentation used to create the VPN was for ScreenOS 5.4 and is entitled:-
Application Notes for Configuring Avaya VPNremote™ Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication – Issue 1.0

Here are the settings used on the phone (minus the gateway and PSK)

VPN Phone Configuration Information    
Company Name    
Phone Type    5610
Profile    Juniper Xauth with PSK
Username    VOIPPhones
Password    VOIPPhones
Group Name    VPNClient
Group PSK    
VPN Start Mode    Boot
Password Type    Save in Flash
Encapsulation    4500-4500
Syslog Server    
IKE Parameters    DH2-ANY-ANY
Diffie-Hellman Group    2
Encryption Alg    Any
Authentication Alg    Any
IKE Xchg Mode    Aggressive
IKE Config Mode    Disable
Xauth    Enable
Cert Expiry Check    Disable
Cert DN Check    Disable
IPSec Parameters    DH2-ANY-ANY
Encryption Alg    Any
Authentication Alg    Any
Diffie-Hellman Group    2
Protected Nets    
Virtual IP
Remote Net #1
Remote Net #2    
Remote Net #3    
Remote Net #4    
Remote Net #5    
Copy TOS    No
File Svr    
Connectivity Check    Never
Qtest    Disable

Does anyone know if there is a new Avaya document for ScreenOS 6.2?


RE: Annoying VPN phone issue

The old, "Discover ip.office.ip.addr"

I hated seeing that message. Let me know the phone was "almost" working.

Forget about creating a route for a specific network, the default route on your IPO should be fine as long as the gateway is the same as every other device on the same network as the IP Office.

What you need to do is have your IT guys watch the firewall log as you power up your VPN phone from home. They need to look for drop packets to and from the phone IP address in addition to VPN/encryption/SA errors.

Sometimes the VPN tunnel can "seem" up when it is only partially up. Also, just because you can ping (ICMP protocol) and access the Avaya web page (HTTP) from a computer does not mean VoIP traffic is allowed to pass through.

The fact that your IT guys don't "think" it's being blocked shows their incompetence--either it is or it isn't.

Theodis Butler
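
The firewall-log check suggested above, as an added example that is not part of the original post: it sorts traffic between the phone and the IP Office into blocked, permitted but unanswered, and working. The log layout, both addresses and the media port are constructed for the example, and it assumes the firewall logs each direction as its own record.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value layout (not real ScreenOS output).
# PHONE and IPO are placeholder addresses chosen for this example.
PHONE, IPO = "10.10.10.5", "192.168.100.10"
SAMPLE_LOG = """\
09:00:01 action=permit proto=icmp src=10.10.10.5 dst=192.168.100.10
09:00:01 action=permit proto=icmp src=192.168.100.10 dst=10.10.10.5
09:00:05 action=permit proto=tcp src=10.10.10.5 sport=51000 dst=192.168.100.10 dport=80
09:00:05 action=permit proto=tcp src=192.168.100.10 sport=80 dst=10.10.10.5 dport=51000
09:00:09 action=permit proto=udp src=10.10.10.5 sport=49300 dst=192.168.100.10 dport=1719
09:00:12 action=permit proto=udp src=10.10.10.5 sport=49300 dst=192.168.100.10 dport=1719
09:00:20 action=deny proto=udp src=10.10.10.5 sport=49302 dst=192.168.100.10 dport=49152
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def triage(log_text, phone, ipo):
    """Classify each phone->IPO service as blocked, unanswered or working."""
    seen = defaultdict(lambda: {"permit": 0, "deny": 0, "replies": 0})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not all(k in f for k in ("action", "proto", "src", "dst")) or f["action"] not in ("permit", "deny"):
            continue  # not a traffic record
        if f["src"] == phone and f["dst"] == ipo:
            # A service is identified by protocol and destination port on the IPO.
            seen[(f["proto"], f.get("dport", "-"))][f["action"]] += 1
        elif f["src"] == ipo and f["dst"] == phone and f["action"] == "permit":
            # A reply leaves the IPO from the same service port.
            seen[(f["proto"], f.get("sport", "-"))]["replies"] += 1
    verdicts = {}
    for service, count in seen.items():
        if count["deny"]:
            verdicts[service] = "blocked by firewall policy"
        elif count["permit"] and not count["replies"]:
            verdicts[service] = "permitted but unanswered: check the endpoint"
        elif count["permit"]:
            verdicts[service] = "working"
    return verdicts
```

On the sample, ICMP and HTTP come back as working while UDP 1719 is permitted but unanswered, which separates a firewall drop from a service that is not listening on the phone system.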

RE: Annoying VPN phone issue

Why not use config mode and let the Juniper assign an IP from a virtual pool?

Then, set your protected nets on the phone to

Should work then.

General Geek

RE: Annoying VPN phone issue

And it was something completely obvious - the previous maintainers for this system had turned off H323 Gatekeeper on the LAN tab - and as we never do I didn't think to check it.

Turned this on and the phone works perfectly.


RE: Annoying VPN phone issue

smile, that is all I can do :)

That is the last place where you look while it should be the first one.
I never ever turned it off but I have seen it being turned off.


I'm not insane, my mother had me tested!
