9608G VPN goes to Discover after Login 2

[tnestel]

I have an R11.1 that I am trying to get to work remotely. The VPN on the phone successfully opens and I get as far as the Extension Login prompt. As soon as I hit # after the password, the phone goes to Discover. I think I must be missing something in the IPO at this point? Even after the phone goes to Discover, Monitor continues to tell me if found the extension number.

Monitor trace:
07:58:05 2199252mS RES: Tue 5/7/2022 07:58:04 FreeMem=54607832 Heap=54370344(6) Cache=237488 MemObjs=8909(Max 9980) CMMsg=4(5) ASN=0 Buff=5200 1360 1000 7443 5 Links=52598(52886) BTree=423(742) CB=6064 MCT=0 CPU=12.41% CPUStats=10.74%/1/3/2777/19359/2
2227/00.08%/0/02.30% MCR=0 MCW=0 DEV=0
07:58:05 2199252mS RES2: IP 500 V2 11.1.1.1.0 build 18 Tasks=54 RTEngine=0 CMRTEngine=0 ExRTEngine=0 Timer=11+60 Poll=0 Ready=0 CMReady=0 CMQueue=0 VPNNQueue=0 Monitor=1 SSA=1 TCP=25(TLS=8 OFF=0) TAPI=0 Partner=0 ASC=1 SYS=MNTD OPT=UMNT SDSPD=2034
07:58:05 2199252mS RES4: XML MemObjs=8 PoolMem=4748404(2) FreeMem=4736284(0) HeapUsed=0
07:58:05 2199252mS RES5: CLog MemObjs=309 FreePoolMem(Objs)=5096(91) TotalMem=22400 StringsTotalMem=103600
07:58:06 2200263mS H323Evt: Recv GRQ from 192.168.2.50:49301
07:58:06 2200263mS H323Evt: e_H225_AliasAddress_dialedDigits alias
07:58:06 2200263mS H323Evt: found number <233>
07:58:09 2203859mS Sip: SIPDialog f193cbe8 deleted, dialogs 2 txn_keys 1
07:58:09 2203983mS Sip: SIPDialog f4f61848 deleted, dialogs 1 txn_keys 0
07:58:10 2204253mS RES: Tue 5/7/2022 07:58:09 FreeMem=54697040 Heap=54435920(6) Cache=261120 MemObjs=8718(Max 9980) CMMsg=4(5) ASN=0 Buff=5200 1359 1000 7443 5 Links=52591(52886) BTree=423(742) CB=6064 MCT=0 CPU=11.66% CPUStats=12.86%/1/3/2777/18585/2
2227/00.08%/0/02.38% MCR=0 MCW=0 DEV=0
07:58:10 2204253mS RES2: IP 500 V2 11.1.1.1.0 build 18 Tasks=54 RTEngine=0 CMRTEngine=0 ExRTEngine=0 Timer=11+58 Poll=0 Ready=0 CMReady=0 CMQueue=0 VPNNQueue=0 Monitor=1 SSA=1 TCP=25(TLS=8 OFF=0) TAPI=0 Partner=0 ASC=1 SYS=MNTD OPT=UMNT SDSPD=2034
07:58:10 2204253mS RES4: XML MemObjs=8 PoolMem=4748404(2) FreeMem=4736284(0) HeapUsed=0
07:58:10 2204254mS RES5: CLog MemObjs=309 FreePoolMem(Objs)=5096(91) TotalMem=22400 StringsTotalMem=103600
07:58:11 2205621mS H323Evt: Recv GRQ from 192.168.2.50:49301
07:58:11 2205621mS H323Evt: e_H225_AliasAddress_dialedDigits alias
07:58:11 2205621mS H323Evt: found number <233>
07:58:16 2210622mS H323Evt: Recv GRQ from 192.168.2.50:49301
07:58:16 2210622mS H323Evt: e_H225_AliasAddress_dialedDigits alias
07:58:16 2210622mS H323Evt: found number <233>
07:58:16 2210755mS RES: Tue 5/7/2022 07:58:16 FreeMem=54696832 Heap=54435920(6) Cache=260912 MemObjs=8720(Max 9980) CMMsg=4(5) ASN=0 Buff=5200 1357 1000 7443 5 Links=52594(52886) BTree=423(742) CB=6064 MCT=0 CPU=09.98% CPUStats=08.27%/1/5/2777/19871/2
2227/00.08%/0/02.41% MCR=0 MCW=0 DEV=0
07:58:16 2210755mS RES2: IP 500 V2 11.1.1.1.0 build 18 Tasks=54 RTEngine=0 CMRTEngine=0 ExRTEngine=0 Timer=11+57 Poll=0 Ready=0 CMReady=0 CMQueue=0 VPNNQueue=0 Monitor=1 SSA=1 TCP=25(TLS=8 OFF=0) TAPI=0 Partner=0 ASC=1 SYS=MNTD OPT=UMNT SDSPD=2034
07:58:16 2210755mS RES4: XML MemObjs=8 PoolMem=4748404(2) FreeMem=4736284(0) HeapUsed=0
07:58:16 2210755mS RES5: CLog MemObjs=309 FreePoolMem(Objs)=5096(91) TotalMem=22400 StringsTotalMem=103600

 

[kwing112000]

Sounds like the IPO does not have a IP route back to the network the phone is on.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Vive Communications

 

[lleeNC]

Can you ping from the IPO to the phone and vice versa?

As kwing112000 mentioned, do you have a IP Route going back to the phone's VPN?

 

[tnestel]

I cannot ping either direction. I made an IP route, but I wonder if it's wrong. The phone in question is using 192.168.2.50 (or .51, 52 etc.)

The router at the home office is 2.1

I have changed the IP route a few times. Currently I have:

IP Address 192.168.0.0
GW 255.255.255.0
Gateway 192.168.2.1
Destination LAN1

I have also tried 192.168.2.50 as the first entry.

The home network is 1.1 and I have tried that too, with no luck.

 

[tnestel]

When I say "home office" I mean corporate office.
Home network is the user's home.

 

[nnaarrnn]

So the phone boots up on the home user's 192.168.1.x network and connects to HQ via built-in VPN. What is it connecting to, exactly? What terminates/authenticates the VPN? What gives DHCP to the VPN user(phone) after it authenticates?

What is the IP address of the phone? Does SSA show it as a connected extension?

My money is on routing isn't correct within whatever device the phone is VPN-connected to.

Typically your VPN phone would authenticate/connect to the firewall, which will have it's own DCHP scope for VPN users that's separate from the internal LAN(s). Then you have Access Policies in that firewall allowing addresses/ports from the VPN to whatever they're allowed to access.

 

[tnestel]

nnaarrnn, I appreciate the response. The phone boots up on the home network and connects to HQ via the built-in VPN. Corporate has a SonicWall SOHO 250 and I can see that the VPN is established and staying up. The home network is using 192.168.1.10 to establish the VPN.

The phone is getting DHCP from the SonicWall and has an IP address of 192.168.2.51.

I can see in Monitor that 192.168.2.51ort# is trying to register. Monitor says "found number <233>" and there is also an "RasMessage = gatekeeperConfirm"

I have an IP route in IPO from the home network, 1.0 to the IP address of the IPO, going to LAN 1.

 

[TouchToneTommy]

IP route in IP Office needs to be

192.168.2.0 (The remote worker's subnet)
255.255.255.0
192.168.1.X (IP address of the SonicWall on the Corp network)
LAN-1

 

[tnestel]

Changing the IP Route does not make a difference. Monitor is saying the same as it always has:

10:42:28 271603mS RasRx: v=IFace=LAN1, Src=192.168.2.51:49302, Dst=192.168.2.195:1719 peb=0

​

RasMessage = gatekeeperRequest

10:42:28 271603mS H323Evt: Recv GRQ from 192.168.2.51:49302
10:42:28 271604mS H323Evt: e_H225_AliasAddress_dialedDigits alias
10:42:28 271604mS H323Evt: found number <233>
10:42:28 271604mS RasTx: v=Src=192.168.2.195:1719, Dst=192.168.2.51:49302 peb=0
RasMessage = gatekeeperConfirm

 

[derfloh]

Src=192.168.2.51:49302, Dst=192.168.2.195:1719 peb=0


Sounds like if NAT is enabled in the tunnel. This should be disabled.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[tnestel]

NAT Traversal is not enabled. :-(

Someone else told me ports 1718, 1719, and 1720 need to be opened on the SonicWall. I either can't find how to do that or I lack the appropriate access level. Interested in knowing if you agree or disagree.

 

[TouchToneTommy]

It's an IPSec VPN, you don't have to open anything on the SonicWall.

 

[TheZCom]

Be sure that H.323 Transformations (VoIP section of Sonicwall config) is disabled.

 

[tnestel]

Thanks for all the suggestions. H.323 Transformations was disabled.
I'm out of ideas and called another company for help. They told me that they have never been successful with the VPN client and suggested a VPN appliance at both ends.
I'm happy to pay for help if anyone has any other ideas. Otherwise we'll be getting another SonicWall.

 

[derfloh]

NAT enabled? Firewall policies? Phase 2 wrong? Routing set from ipo to the VPN client?

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[tnestel]

Derfloh was able to complete the Sonicwall settings to get this phone workings. The Sonicwall needed a different DHCP pool for the phone and permissions for the traffic through the firewall had to be allowed. Obviously he could explain it better than I. Kudos to him!

 

[derfloh]

You’re welcome

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN