9620 with Sonic Wall TZ 200

[nurban]

It amazes me that we we can set up one site with VPN phones in about 30 minutes, then you run across sites that take hours of tweaking, head scratching, and pure frustration...

With that said, we've been trying to get a remote phone up and running for the past few days.

The VPN tunnel builds successfully; however, the phone stays in Discover XXX.XXX.XXX.XXX mode indefinitely. We know there has to be an issue with the access rules on the SonicWall, but no matter what we've tried appears to work.

Current settings:
IPO - 192.168.250.7
VM Pro/Manager - 192.168.250.8
IP Route - 0.0.0.0/255.255.255.0/192.168.250.1/LAN 1

The SonicWall is on the latest firmware, and we've built access rules to allow any traffic from the VPN to the LAN and vice versa.

Once the tunnel is established, the log shows:
VPN Policy: WAN GroupVPN; ESP:3DES;
HMAC_SHA1; Group 2; Lifetime=28800 s
ecs; inSPI:0xb0692ca3; outSPI:0x3f26
1c4a

Tunnel Up. policy 0(WAN GroupVPN), D
st 192.168.7.110 - 192.168.7.110, Sr
c 192.168.250.0 - 192.168.250.255, G
W XXX.167.194.YYY, inSpi 0xb0692ca3,
Reason: IPSec Commit SA. Existed ds
tNode (Our public IP blocked out intentionally)


192.168.7.110 is the local IP for the phone on our network.

Does anyone have any thoughts as to what might be missing?

 

[kwing112000]

you could try adding a route in the IPO like

192.168.7.0
255.255.255.0
192.168.250.1 if this is the sonicwall
LAN1

see if it helps


Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries

 

[nurban]

I did add it - the 0.0.0.0 entry should cover it...

And I'm still getting the same response.

The VPN Tunnel Builds, and the phone stays in Discover 192.168.250.7

 

[amriddle01]

The mask also needs to be 0.0.0.0 for a 0.0.0.0 route, otherwise you are only routing networks that actually start 0.0.0.x which isn't even possible

http://www.ipoffice.tel

 

[hairlessupportmonkey]

indeed - or as kevin suggested a specific route should also work

ACSS - SME
General Geek

 

[kwing112000]

ah sorry missed 255.255.255.0 in the default route.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries

 

[nurban]

I did try that... and am still getting the Discover screen once it starts looking for the Call Server.

I am, however, getting the -1 response when the system looks for the HTTP and HTTPS files - before i was getting a -905 response.

Really leaning towards the routing in the SonicWall - but what's odd is when the computers connect to it they can access the network (in the same subnet the IPO is on) without any issues.

 

[amriddle01]

Computers connecting to the network use different, more common and fewer ports than IP handsets do which is why the trouble starts, btw Sonicwalls ALWAYS casue trouble...always

http://www.ipoffice.tel

 

[mojoputter]

Nurban, let us know if you got this working. We attempted the same thing about 6 months ago and never got it working. Very frustrating

 

[hairlessupportmonkey]

is the phone set to config mode in the vpn settings?
also set the protected nets on the phone to 0.0.0.0/0

ACSS - SME
General Geek

 

[nurban]

Protected nets 0.0.0.0/0 doesn't work - the VPN tunnel fails at IKE Phase 2.

Protected net 192.168.250.0/24 does work for establishing the VPN but I'm still stuck at the same point.

 

[TheZCom]

I worked with a late-gen sonicwall and 9620 VPN set recently and came across something strange--Once I set the IPSec DH Group setting to 'None,' the phone finally connected properly. I can't explain why the set did not want to work with the sonicwall when the sonicwall IPSec parameters set to '2' (for example) and the phone set to DH Group 2 in the IPSec settings.

I thought this might be worth mentioning...
Z

 

[nurban]

Unfortunately, the TZ200 doesn't have an option for None...

 

[tlpeter]

I think TheZCom means setting it to None on the phone.


BAZINGA!

I'm not insane, my mother had me tested!

 

[nurban]

So... On a recommendation, we just got a Netgear 336G, and believe it or not, we're having the exact same issue as with the SonicWall.

Any ideas? Next step looks to be to try another phone, but we have a strong feeling we'll get the same result.

 

[nurban]

Tlpeter - I saw a post of yours on Avaya's support forum...

"I have succesfully connected a 9650 and 9620 to a netgear fvx 336."

Do you have a few minutes to share some insight? Spent about 3 hours today with the friendly folks at Netgear, trying almost every combination...

 

[tlpeter]

Use this doc and follow it by the letter.

http://marketingtools.avaya.com/kno...edProjects/bulletins/techtips/184_techtip.htm

This is how i do it on a Netgear.
If you do not succeed then let me know.


BAZINGA!

I'm not insane, my mother had me tested!

 

[TheSmash]

Bit late to this one but do you have this option checked within the configuration of the VPN on the Sonicwall?

Set Default Route as this Gateway

I think I had the same symptom until I checked this.

ACSS (SME)

One of these days everything will work as it should, and then we'll all be out of a job!

 

[nurban]

After a lot of "Play" time, the phone is up and running with a few computers sharing the GroupVPN connection as well.

It turns out that all of the settings were correct, Phone, IPO, and TZ200. For some reason there is either a rule in that router blocking traffic from our LAN (Gateway is a Nortel BSR222), or there's a setting in our in-house router blocking VPN Traffic.

We've been able to connect to a bunch of other clients systems using VPN phones, but that network just doesn't seem to like us! Still haven't gone through the TZ200 to see if there is a rule blocking our LAN, but that's where we're leaning. Their network is a 192.168.250.X, ours is a 192.168.7.X. No problem with connections from a 10.1.10.X or a 192.168.1.X

Thanks all for your input... now to configure the FVS336 for VPN phones and to replace our BSR222...

 

[Trems]

nurban, did you ever get the 9620 to hook up through the tz200? If so can you post your settings? I have am having issue with it myself.