9621 wrong set type and VPN not allowed 3

[critchey]

I am trying to help a customer with VPN 9621 phones on R9.1.12. Customer was on R9.1.6 at first so we upgraded. We upgraded the H323 firmware to R9.1.12's firmware version. Phone seems to connect over VPN properly but when it tries to register it gets an error stating that VPN is not allowed and displays wrong set type. I have checked that the extensions we are using are not in use by digital extensions. I even went as far as to remake the config from scratch thinking there was some kind of corruption on the config. The phones work just fine when plugged in locally. I logged into the firewall myself (Sonicwall) and made sure that H323 transformations was turned off.

I am not sure what else to check at this point. I had read that in older versions there was a spot under the extension to enable and disable VPN but if I try to import in my config to an older release it errors out. I am guessing there is something wrong in the VPN but I have no idea what would cause it do this sadly. Any suggestions or help would be greatly appreciated.

The truth is just an excuse for lack of imagination.

 

[telecomtekperson]

Is the traffic coming from a LAN IP? Does the system thinks its through NAT, which would require remote worker?

 

[critchey]

The VPN comes up and establishes with the phone system correctly(according to the firewall guy). The IP addresses look correct to me. I see no evidence in monitor that it sees NAT (have seen that particular error before).

The truth is just an excuse for lack of imagination.

 

[janni78]

You usually get "Wrong set type" the extension you're trying to login as isn't a H.323 extension in IP Office.

A Monitor trace should also give a good indication on why it's failing.

"Trying is the first step to failure..." - Homer

 

[critchey]

Yes I know that the wrong set type is typically the extension is not a H323 extension but this is NOT the case. I have recreated extensions and created new extensions till I was blue in the face with no change. The monitor trace does not reveal any new information. It confirms that the phone is the wrong set type and VPN is not allowed nothing else of relevance. Next time I can get into the system and run a trace I will post it here.

The truth is just an excuse for lack of imagination.

 

[critchey]

So I think I may know why this is happening but I would love to get some feedback:

The system has 61 licenses and all licenses are instance 1 or 255... like 255 Voicemail Pro channels for instance. System status shows he has "unlimited" IP Endpoint licenses... It also has a "unknown" license and a "???" license along with some very old and odd licenses (1600 Series Phone for example). This leads me to believe it is some kind of demo system.

My main question would be would a demo system allow you to use VPN phones?
Could these odd licenses be causing the issue (hoping the answer is yes lol)?

The truth is just an excuse for lack of imagination.

 

[critchey]

Included a picture of the extension so you can see it is in fact a H323. Included a monitor trace as well.

The truth is just an excuse for lack of imagination.

 

[critchey]

There are also some odd mentions of Definity in the trace like this:

69722430mS CMExtnEvt: v=(null) State, new=Idle old=Idle,0,0,XXXX: DSS Emulation DefinityCPark Key Pressed 5

or this

authenticationMode = pwdSymEnc
tokens = { 1 item(s)
[0] = {
tokenOID = 0.0
timeStamp = 69893704
random = 2292
generalID =
0044 0045 0046 0049 004e 0049 0054 0059 DEFINITY

The truth is just an excuse for lack of imagination.

 

[janni78]

69893830mS H323Evt: Recv: RegistrationRequest X.X.X.X; Endpoints registered: 0; Endpoints in registration: 0
69893830mS H323Evt: e_H225_AliasAddress_dialedDigits alias
69893831mS H323Evt: found number <1599>
69893831mS H323Evt: RRQ --- CallSigProtocol is H323AnnexL_P. Go for Avaya VPN phone
69893831mS H323Evt: RRQ --- Extn(1599) VPN phones not allowed

What licenses does the system have?

"Trying is the first step to failure..." - Homer

 

[critchey]

For IP endpoints licenses manager has it listed as instances 255(ADI) and system status shows his IP Endpoints as "unlimited". As stated earlier he also has some weird licenses like "???" and "unknown" along with some very old licenses. All instances are either 255 or 1 including say VM Pro ports where the max is 40.

The truth is just an excuse for lack of imagination.

 

[janni78]

Apparently there were an unlimited endpoint license once a long time ago.

There also is a Russian license which disables VPN but he shouldn't have that I assume.
If it was ever installed on the chassis it has to be replaced for VPN to work.

"Trying is the first step to failure..." - Homer

 

[critchey]

Thank you janni78. I wonder if maybe the ??? or unknown license could be that or that license could of been installed at one point since this system has a crazy amount of licenses for the company size.

At the very least it does point me towards what I was thinking before that something with the licenses is causing the issue.

The truth is just an excuse for lack of imagination.

 

[critchey]

Just wanted to post that the customer did in fact have a Russian license causing the issue. He bought a new IP 500 V2, he only imported the specific licenses he was using, and phones VPN'ed without issue without making any other changes. Thanks janni78 that is something I probably would of never found without your help. If I could pink you twice I would!

The truth is just an excuse for lack of imagination.

 

[dsm600rr]

critchey: I gave him some pink for you. I would of never guessed that in a million years.

ACSS

 

[derfloh]

I knew about the Russian/Chinese license but I never saw one.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN