Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address 10

Status
Not open for further replies.

dsm600rr

IS-IT--Management
Nov 17, 2015
1,444
US
Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya Goodies - Specifically for remote worker support so I have began messing around with Avaya IX Workplace. Lets just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

1_xm3swl.jpg


I have not moved any further in the document as of now.

Thank you.

ACSS
 
@Travis Harper:

"You need your ASA guy to forward port 5060-5061TCP to the internal IP Address if the IPO"

Roger that, 192.168.1.251



"You will also need the ASA guy to forward the RTP range to the internal IP if the IP Office"

Would that be these ports?

RTP_tkqgdp.png




"You will also need the ports 80 and 443 forwarded add well. If you have checked “use preferred ports” the instead of 80 and 443 forward 411 and 8411."

I do not have "Use Preferred Phone Ports" Checked, so 80 and 443 forwarded to 192.168.1.251


ACSS
 
Yes, those are the RTP ports. You need that or you won't be able to send audio. Those are UDP not TCP.
Also, yes, if you are not using the preferred ports, then you need to forward 80 and 443 as well.

Good to go.

 
A couple of things to check.
What does the firewall trace reveal for port 5060, 5061 for sip registration?

What is your network topology set up as In IP Office?
Do you have your external IP Address configured in Network Topology
What type of NAT is selected?
Also verify System/IPRoute is configured correctly. <- 0.0.0.0/0.0.0.0 (Gateway to get outside) LAN1/2 <- whichever one has access to Gateway.


 
@Travis Harper:

What does the firewall trace reveal for port 5060, 5061 for sip registration? I will find out from him


What is your network topology set up as In IP Office?

222_ny4gf1.jpg



Do you have your external IP Address configured in Network Topology Yes


What type of NAT is selected? Unknown


Also verify System/IPRoute is configured correctly. <- 0.0.0.0/0.0.0.0 (Gateway to get outside) LAN1/2 <- whichever one has access to Gateway.

LAN_aizhuh.jpg


WAN_jamopo.jpg



ACSS
 
Hi @dsm600rr
please take screenshot of current configs before making changes so you can revert back if needed.
you need successful ping from 192.168.1.251 to 8.8.8.8
Also your Voice network and the data are both on the same network?
I made changes to some screenshot se below.... @Travis H - Pepp77 - JazzWizzard can you fact check.
My configs are similar hopefully that can help dsm600rr. I'm sending more screenshots tomorrow for the Cert and firewall.
dsm600r_nspadq.png

dsm600rr3_k5dbfs.png

this was already configured on my LAN 2 I just want to point this out... I didn't touch this so maybe adding a STUN server was necessary.
dsm23_lvfu4e.png
 
Looks good to me, but then again, I never use LAN2, so your setup is new to me.
To me, the issues you are facing are network related. Either with the IP route on the IP Office, or your Cisco ASA Firewall config.

We know the when IX Workplace is on the LAN it connected and works as expected.
We know that when IX Workplace is on LTE you can not connect.

I know that when I ping ix.pfcommunications.com I get:
PING ix.pfcommunications.com (173.162.40.210): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

So we know that DNS is resolving correctly, but there is network issue preventing the pings from replying.
It's not just pings, because when I browse to ix.pfcommunications.com, the browser can not find the server. So I know that port 80 and 443 are also not responding.

Again I have never used both LAN 1 and 2 in my configs, so its possible you have an IP Route problem there. Packet hitting the IPO on LAN 1, and being told to go out on LAN2 but can't.. or vice versa.

Does 192.168.1.1 have access out the ASA? I ask, because your SIP registrar settings appear to be setup on the LAN 1 interface, but your public IP appears to be setup on LAN 2. This setup may be valid for all I know.. I've just never done it this way.

I have everything configured on LAN 1, and My IP Route is 0.0.0.0/0.0.0.0 192.168.0.1 LAN1 which is my routers gateway address.






 
@Travis Harper

I apologize on the late reply and appreciate all your efforts! I have been moving since Monday and lets just say that was a major pain in the you know what.

I will try and explain my setup a bit better. I really would like to get this working.

LAN
This is where I am having IX Workplace Register.

This is also on the Data VLAN and Internal DNS Server VLAN.

This is also the same VLAN the ASA is handing out DHCP for the PC's as well as for IX Workplace.

The ASA has a Public IP of: 173.XXX.XXX.209

I have the Network Topology for the IPO to: 173.XXX.XXX.210

1_bid22o.jpg


2_noac76.jpg


3_jyemz0.jpg


4_ft1cdm.jpg



WAN

This is the Voice VLAN. I have the IPO acting as the DHCP Server for my J179's / Vantage Phones. I also have a SIP Trunk coming in on this VLAN.

The SIP Trunk I have using the Public IP Address of the ASA.

10_zgzp5b.jpg


11_akorpc.jpg


12_fkzthw.jpg


13_os8axr.jpg


14_ntpu2a.jpg



The thing that is getting me is when I ping Google out the LAN (Data VLAN) on the PBX, it shows it using the WAN (Voice VLAN)

55_elyzev.jpg








ACSS
 
I am not a networking expert, but I would say the problem is:
Workplace is registering to the LAN 1 Interface, but the LAN 1 topology public IP address ends in 210, which is different than what the CISCO ASA public interface is.

In my feeble brain, I would think the NAT rules need to be LAN private to CISCO Public SIP.

Travis
 
@Travis Harper

I changed LAN 1 Network Topology to the ASA and re-did the ping - Still tried to go out the Voice VLAN :|



ACSS
 
when I ping it, its still ping ix.pfcommunications.com
PING ix.pfcommunications.com (173.162.40.210): 56 data bytes

Your CISCO ASA ends in 209.

At the end of the day, you will never get workplace to register from outside the network if you can't point the public interface 173.162.40.210 to 172.30.20.1, and the ASA has do that NAT translation.

When you can open in your browser, you're on the right track.

Curious, what happens if you open in a browser. <- you Cisco SIP interface from screenshot above.

Travis
 
@dsm600rr

External name resolution:
ix.pf.communications.com resolves to => 104.247.82.52

Internal name resolution:
ix.pf.communications.com resolves to -> 192.168.1.251
+++++++++++++++++++++++
On LAN 1 under network topology change the Public IP to 104.247.82.52
 
@Sparrow4

its: ix.pfcommunications.com - You have one extra period after pf

ACSS
 
@dsm600rr I realize that now. Do you also own the ix.pf.communications.com? I don't think that it matters at this point. Also my DHCP is configured under LAN 1. Yours is under LAN 2. Was it always like this? If @ Travis and you are ok we can clear the IPO config one last time this morning and Monday all you'll have to do is make changes with your Firewall Tech.
 
Hello All. Just wanted to update this thread.

So I ended up moving everything that needs to get out to the internet over to our Data VLAN: 192.168.1.XXX (LAN)

That includes the SIP Trunk, Stuff for IX, Static Public IP and what not. This also is the IP Route out.

On the Voice VLAN: 172.30.20.XXX I have my internal phones and IPO DHCP Server Only (WAN).

After doing so, everything is working now. Certificates are both good on my iPhone and Home PC's

Thanks for all the help Gents. This was a long learning experience with Certificates, FQDN's, Split DNS and the list goes on!

ACSS
 
Noticing alot of this:


TLS_Error_1_zb8p8m.jpg



TLS_Error_2_k6prgp.jpg



Rather than some of these hits being temporary blocked, can they be permanently blocked after a certain amount of hits?


Thoughts.

ACSS
 
Yes, you can, sort of, at least as it applied to SIP.
It's not easy, and takes some trial and error.

Log into the IP Office edit the NoUser.
Add a couple SourceNubers. ( change the limit to your own value - Trial and error )
1. B_RATE_HIGH_LIMIT=20
2. B_RATE_HIGH_THRESH=2000

Sip messages that exceed the high limit over the time threshold limit will be permanently blocked until you manually remove the bock using the Monitor application.

Excessive SIP Traffic Blacklisting
IP address blacklisting can be applied when the number of SIP messages (all types) from the same address exceeds a set rate. The default rate is 100,000 messages in 100 milliseconds. Unlike the options above, this blacklisting can only be manually removed.

oThe following NoUser source numbers can be used to alter the use of SIP traffic blacklisting:

▪B_RATE_HIGH_LIMIT=X where X is the number of SIP messages allowed within the time threshold. Default = 500, minimum = 1, maximum = 100,000.

▪B_RATE_HIGH_THRESH=Y where Y is the time threshold in milliseconds. Default = 100, minimum = 100, Maximum = 300,000 (5 minutes).
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top