H323 TLS Errors (local only)

(OP)
I have an IP Office V2 500 11.x. We are running a mix of end-points: SIP Apps, 54XX, 96XX, J169s. Except for the SIP, the rest are on-site and also remote using IPSec VPN.

All are working except the on-site J169s. We are running them in H.323 mode. The VPN versions are working perfectly: they VPN, download config from the PBX and connect to the call server. The local versions boot, download config from PBX, then fail at login with "Authentication Failure". On the back-end I am getting:

11:12:53 2216231960mS H323Evt: Recv GRQ from 10.1.1.1:49302
11:12:53 2216231961mS H323Evt: e_H225_AliasAddress_dialedDigits alias
11:12:53 2216231961mS H323Evt: found number <4000>
11:12:53 2216231978mS H323Evt: H323PhoneUser Operational: Src=10.1.1.1:48140 Dst=10.1.0.1:1300
11:12:54 2216232012mS PRN: TLS:Alert Src=10.1.0.1:1300 Dst=10.1.1.1:48140 Code=48 Level=Fatal
11:12:54 2216232012mS ERR: TLS:Fatal Error on connection Src=10.1.0.1:1300 Dst=10.1.1.1:48140

Media Security is set to disabled on the PBX and as far as I can tell, the only thing that should be using a certificate is the SIP phones running over TLS. I can't see why the J169 local won't work but the 5610s work and the J169s running over VPN work.

To troubleshoot, I also tried a brand new phone out of the box, reverted to the H323FW and got the same issue; but I brought it home, changed the config to connect to VPN first and it worked.

RE: H323 TLS Errors (local only)

Why do you run them on H323 in the first place?

RE: H323 TLS Errors (local only)

J1XX in H.323 is only for the later versions of 10.1. R11+ you should have these in SIP mode.

Jamie Green

Avaya Registered Specialist Engineer

RE: H323 TLS Errors (local only)

(OP)
Yes, the phones should run in SIP mode. Now, does anyone know why in H323 mode they are happy when running over VPN with restrictive firewall rules, but when they are local on the same subnet they don't work?

RE: H323 TLS Errors (local only)

Nobody will know, as they should be in SIP mode as it says in the tech bulletins:



Can't expect something to be fixed when it isn't installed correctly! Sorry to be blunt!

Jamie Green

Avaya Registered Specialist Engineer

RE: H323 TLS Errors (local only)

(OP)
I can accept this; it's hard to expect someone else to have encountered the same issue I am having when the vendor no longer supports or recommends the method. Honestly I want to switch to SIP and have taken multiple runs at it, but the hard phones have not worked yet (app on iOS and Android took all of 15 minutes to get firewall rules in line.)

The part about this that makes my brain itch is simply that they work away from the office (where presumably they shouldn't) but not next to the PBX. This is like saying the car won't start when it's warm in the garage, you have to push it into the driveway in a snowstorm for it to start - just seems counter-intuitive.

I wish it hadn't worked either way, then I just would have solved the SIP issue out of the gate. I had kept them all the same so that the deployment method regardless of device is very similar from phone to phone. If you can set up a 9608, you use the same config on the J169...

RE: H323 TLS Errors (local only)

(OP)
Switched to SIP and getting same TLS Code=48 error.

14:02:44 2399238774mS Sip: TCP packet known set owner
14:02:44 2399238775mS Sip: (f18e76f8) Process SIP response dialog f18e76f8, method NOTIFY, CodeNum 200 in state SIPDialog::INITIAL(0)
14:02:44 2399238775mS Sip: (f18e76f8) ProcessInboundSIPResponse CheckUnIntTransactionConditionForMatch for saved (0 == 2) , ignoring saved CSeq:(0 == 0) - result:0
14:02:44 2399238775mS Sip: (f18e76f8) UpdateSIPCallState SIPDialog::INITIAL(0) -> SIPDialog::FINAL(28)
14:02:45 2399239011mS Sip: SipTCPUser 5146 incoming f18ab784 created local 10.1.0.1:5061 remote 67.1.5.2:1987 list size 3
14:02:45 2399239012mS Sip: SIPPhoneReceiver 70682 (f18db328) tcp created, srcaddress 67.1.5.2, list size 5

14:02:45 2399239142mS PRN: TLS:Alert Src=10.1.0.1:5061 Dst=67.1.5.2:1987 Code=48 Level=Fatal

14:02:45 2399239158mS Sip: SIPPhoneReceiver 70682 disconnectIndication from tcp, srcaddress 67.1.5.2
14:02:45 2399239158mS Sip: SipTCPUser 5146 incoming f18ab784 destroyed list size 2
14:02:45 2399239159mS Sip: SIPPhoneReceiver 70682 (f18db328) destroyed, list size 4


New issue to Google; maybe this one has a more readily identifiable solution.
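
As an added example (not part of the original posts, and not Avaya tooling), the following Python sketch decodes the `TLS:Alert` lines from the two trace excerpts in this thread. Alert code 48 is `unknown_ca` in the TLS alert registry; the port-to-service mapping and the function names are assumptions made for this example.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2 / RFC 8446 section 6), certificate-related subset.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca",  # chain received, but no matching trust anchor was found
    70: "protocol_version", 112: "unrecognized_name",
}
# Assumption for this example: the TLS signalling ports seen in the two traces.
SERVICES = {1300: "H.323 over TLS", 5061: "SIP over TLS"}

ALERT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+\d+mS PRN: TLS:Alert "
    r"Src=(?P<src>[\d.]+):(?P<sport>\d+) Dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"Code=(?P<code>\d+) Level=(?P<level>\w+)"
)

# Trace lines copied from the two excerpts in the thread.
SAMPLE = """\
11:12:53 2216231978mS H323Evt: H323PhoneUser Operational: Src=10.1.1.1:48140 Dst=10.1.0.1:1300
11:12:54 2216232012mS PRN: TLS:Alert Src=10.1.0.1:1300 Dst=10.1.1.1:48140 Code=48 Level=Fatal
11:12:54 2216232012mS ERR: TLS:Fatal Error on connection Src=10.1.0.1:1300 Dst=10.1.1.1:48140
14:02:45 2399239012mS Sip: SIPPhoneReceiver 70682 (f18db328) tcp created, srcaddress 67.1.5.2, list size 5
14:02:45 2399239142mS PRN: TLS:Alert Src=10.1.0.1:5061 Dst=67.1.5.2:1987 Code=48 Level=Fatal
"""

def parse_alerts(log_text):
    """Return one dict per TLS:Alert line, with the code decoded and the service identified."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        sport, dport, code = int(m["sport"]), int(m["dport"]), int(m["code"])
        # The endpoint on a known port is the server; the line does not say who raised the alert.
        service = SERVICES.get(sport) or SERVICES.get(dport, "unknown")
        phone = m["dst"] if sport in SERVICES else m["src"]
        alerts.append({"time": m["time"], "service": service, "phone": phone,
                       "code": code, "alert": TLS_ALERTS.get(code, f"alert_{code}"),
                       "level": m["level"]})
    return alerts

def distinct_causes(alerts):
    """Set of decoded alert names; a single entry means every failure shares one cause class."""
    return {a["alert"] for a in alerts}

if __name__ == "__main__":
    print(*parse_alerts(SAMPLE), sep="\n")
```

Both excerpts decode to the same alert, which concerns locating a trust anchor for a certificate chain and is independent of whether the signalling is H.323 or SIP.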

RE: H323 TLS Errors (local only)

Since you are using TLS I am assuming you have a valid certificate? If so how is the certificate set up? Do you have a SIP domain and SIP FQDN set up? Is the FQDN resolvable to the public IP externally but the local IP internally?

The truth is just an excuse for lack of imagination.

RE: H323 TLS Errors (local only)

(OP)
The common theme for all my issues seems to be TLS; but I can't find anything wrong with the cert.

It is a publicly generated UCC certificate from Sectigo, all root and intermediate certs are posted to PBX Security app and are available. The SANs include the parent domain as well as the FQDN to the PBX. The DNS resolved properly relative to internal/external. Everything I have read has shown new versions of iOS and Android are usually much more stringent than the J169 for cert validation yet the Avaya Workplace is working on both with TLS and no issues.
