
Avaya IP Office Ports issue from Firewall logs


chadphoneguy

Vendor
Mar 6, 2013
70
US
Hey guys. I have a strange Avaya IP Office question here. I have 2 locations where we put in Avaya IP Office some 4 years ago or so. They are running 7.0.23. The old VPN routers that the previous I.T. guy had in there crapped out, so a new I.T. guy put in new WatchGuard Firebox firewall VPN routers. Which is great, because they were having issues before that seem to have cleared up. We are running the G729 codec, and "allow direct media path" is unchecked on both sides. The cutting in and out and chatter seems to have gone away.

The I.T. guy has sent me a log from the Firebox asking what some ports are that keep requesting access; the port numbers just keep changing, going up 1 port number at a time and requesting access over and over. Below is an attachment showing the log. You'll see the ports in this log start at 9215 and go up to 9228 in this snapshot of the log. These ports are not ports that the IP Office uses that I can find anywhere, so he has them blocked. But they continue to ask for access and junk up the logs continuously, which annoys the I.T. guy.

The only things on this VPN network are the IPO #1 location, which is LAN IP 10.101.10.12, and the IPO #2 location, which is LAN IP 192.168.1.253, as well as the IPO VM Pro PC, which also has the IPO programming software on it and is LAN IP 10.101.10.11.

Any idea what these ports are? Also, the weird thing is the network that the IPO is on is subnet 255.255.255.0 and the requests from those ports are coming from 255.255.255.255, a different subnet completely. Any help is appreciated. Thank you.
 
 http://files.engineering.com/getfile.aspx?folder=88f0c7b6-ced6-4ad8-9650-306d49ae1fe1&file=Port_Logs.jpg
The requests aren't coming from a different subnet, they're coming from a single host (255.255.255.255).

Does your SCN work completely and 100%?

What is defining "0-AvayaMGTBridge
 
Yes the SCN is working completely and 100% so far as we can tell. This is a high school and grade school though, so we may get different reports once school starts. But right now the staff in house is saying it's working great.

It's just the Logs from the firebox that are getting constantly junked up with these requests. So the I.T. guy wanted to try and eliminate this, that way if we ever have to search through the logs for something in the future, we don't have to sift through all the junk in there.
 
Use Wireshark to see what kind of requests they are; right now it is shooting in the dark.
 
Oh, I forgot to answer your 2nd question... The "AvayaMGTBridge" is just the name that the I.T. guy named something on the firewall when he set it up.
And to go a little deeper on this:
If you click on the screenshot in my original post, look at each line left to right. The I.T. guy said the 1st IP address is the one requesting to communicate from that port or to that port, 9215 and so on, each time going up one port at a time: 9216, 9217, etc. And the 2nd IP address, the 255.255.255.255, is what the 1st IP address is presenting the request to communicate with.
So knowing that the 1st IP address, which is the 10.101.10.12, is the IP address of the main site's Avaya IP Office control unit, it appears the request to jump subnets with those ports is coming from the IP Office.
I'm no I.T. guy though, so I could be wrong.
Any thoughts?
 
The IPO sends broadcast requests searching for available TFTP servers. Check your IPO system settings and configure an available TFTP server: either a Manager PC with TFTP enabled or another TFTP server.

If it is an IP500V2 or a V1 with a compact flash card, you can set its IP address as the TFTP server or just set "Memory Card" as the file server.

The source port can vary as you see.

Do you have it configured to use a WAV file as hold music, but there is none available? The question is why the IPO asks all day long for an available TFTP server.

You can also start SysMon with TFTP filter enabled and watch what is going on.
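
As an added example (not part of the thread or any poster's code): a short Python triage of denied packets sent to 255.255.255.255, showing that the number that keeps climbing is the source port while the fixed destination port names the service. The log line layout is constructed, not the Firebox's real format, and destination port 69 (standard TFTP) is an assumption, since the thread's log is only an image.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines (NOT the Firebox's real log format):
# action proto src_ip src_port dst_ip dst_port
# Destination port 69 is assumed; the thread's log is only available as an image.
SAMPLE_LOG = """\
deny udp 10.101.10.12 9215 255.255.255.255 69
deny udp 10.101.10.12 9216 255.255.255.255 69
deny udp 10.101.10.12 9217 255.255.255.255 69
deny udp 10.101.10.12 9218 255.255.255.255 69
deny tcp 10.101.10.11 50432 192.168.1.253 8443
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# Small lookup of UDP services that commonly use broadcast discovery.
WELL_KNOWN_UDP = {67: "DHCP server", 69: "TFTP", 137: "NetBIOS name service"}


def summarize_broadcast_denies(log_text):
    """Group denied packets to the limited broadcast address by
    (source, protocol, destination port) and describe the source ports."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, proto, src, sport, dst, dport = line.split()
        if action == "deny" and ipaddress.ip_address(dst) == LIMITED_BROADCAST:
            groups[(src, proto, int(dport))].append(int(sport))

    findings = []
    for (src, proto, dport), sports in groups.items():
        # Step between consecutive source ports; {1} means "up one each time".
        steps = {b - a for a, b in zip(sports, sports[1:])}
        service = WELL_KNOWN_UDP.get(dport, "unknown") if proto == "udp" else "unknown"
        findings.append({
            "source": src, "proto": proto, "dst_port": dport,
            "service": service, "count": len(sports),
            "src_port_range": (min(sports), max(sports)),
            "sequential_src_ports": steps == {1},
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_broadcast_denies(SAMPLE_LOG):
        print(finding)
```

One summary line per sender replaces the stream of per-packet entries, which makes it easier to decide whether to fix the sender's configuration or add a quiet drop rule for that traffic.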
 