Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address 10

[dsm600rr]

Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya Goodies - Specifically for remote worker support so I have began messing around with Avaya IX Workplace. Lets just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

https://files.engineering.com/getfi...-b94e-c42db992ca0e&file=sip_extensions_en.pdf

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

I have not moved any further in the document as of now.

Thank you.

ACSS

 

[dsm600rr]

@Travis Harper:

"You need your ASA guy to forward port 5060-5061TCP to the internal IP Address if the IPO"

Roger that, 192.168.1.251



"You will also need the ASA guy to forward the RTP range to the internal IP if the IP Office"

Would that be these ports?

"You will also need the ports 80 and 443 forwarded add well. If you have checked “use preferred ports” the instead of 80 and 443 forward 411 and 8411."

I do not have "Use Preferred Phone Ports" Checked, so 80 and 443 forwarded to 192.168.1.251


ACSS

 

[Travis Harper]

Yes, those are the RTP ports. You need that or you won't be able to send audio. Those are UDP not TCP.
Also, yes, if you are not using the preferred ports, then you need to forward 80 and 443 as well.

Good to go.

 

[dsm600rr]

From my Firewall Guy:

ACSS

 

[Travis Harper]

A couple of things to check.
What does the firewall trace reveal for port 5060, 5061 for sip registration?

What is your network topology set up as In IP Office?
Do you have your external IP Address configured in Network Topology
What type of NAT is selected?
Also verify System/IPRoute is configured correctly. <- 0.0.0.0/0.0.0.0 (Gateway to get outside) LAN1/2 <- whichever one has access to Gateway.

 

[dsm600rr]

@Travis Harper:

What does the firewall trace reveal for port 5060, 5061 for sip registration? I will find out from him


What is your network topology set up as In IP Office?

Do you have your external IP Address configured in Network Topology Yes


What type of NAT is selected? Unknown


Also verify System/IPRoute is configured correctly. <- 0.0.0.0/0.0.0.0 (Gateway to get outside) LAN1/2 <- whichever one has access to Gateway.

ACSS

 

[Sparrow4]

Hi @dsm600rr
please take screenshot of current configs before making changes so you can revert back if needed.
you need successful ping from 192.168.1.251 to 8.8.8.8
Also your Voice network and the data are both on the same network?
I made changes to some screenshot se below.... @Travis H - Pepp77 - JazzWizzard can you fact check.
My configs are similar hopefully that can help dsm600rr. I'm sending more screenshots tomorrow for the Cert and firewall.

this was already configured on my LAN 2 I just want to point this out... I didn't touch this so maybe adding a STUN server was necessary.

 

[Sparrow4]

 

[Travis Harper]

Looks good to me, but then again, I never use LAN2, so your setup is new to me.
To me, the issues you are facing are network related. Either with the IP route on the IP Office, or your Cisco ASA Firewall config.

We know the when IX Workplace is on the LAN it connected and works as expected.
We know that when IX Workplace is on LTE you can not connect.

I know that when I ping ix.pfcommunications.com I get:
PING ix.pfcommunications.com (173.162.40.210): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

So we know that DNS is resolving correctly, but there is network issue preventing the pings from replying.
It's not just pings, because when I browse to ix.pfcommunications.com, the browser can not find the server. So I know that port 80 and 443 are also not responding.

Again I have never used both LAN 1 and 2 in my configs, so its possible you have an IP Route problem there. Packet hitting the IPO on LAN 1, and being told to go out on LAN2 but can't.. or vice versa.

Does 192.168.1.1 have access out the ASA? I ask, because your SIP registrar settings appear to be setup on the LAN 1 interface, but your public IP appears to be setup on LAN 2. This setup may be valid for all I know.. I've just never done it this way.

I have everything configured on LAN 1, and My IP Route is 0.0.0.0/0.0.0.0 192.168.0.1 LAN1 which is my routers gateway address.

 

[dsm600rr]

@Travis Harper

I apologize on the late reply and appreciate all your efforts! I have been moving since Monday and lets just say that was a major pain in the you know what.

I will try and explain my setup a bit better. I really would like to get this working.

LAN
This is where I am having IX Workplace Register.

This is also on the Data VLAN and Internal DNS Server VLAN.

This is also the same VLAN the ASA is handing out DHCP for the PC's as well as for IX Workplace.

The ASA has a Public IP of: 173.XXX.XXX.209

I have the Network Topology for the IPO to: 173.XXX.XXX.210

WAN

This is the Voice VLAN. I have the IPO acting as the DHCP Server for my J179's / Vantage Phones. I also have a SIP Trunk coming in on this VLAN.

The SIP Trunk I have using the Public IP Address of the ASA.

The thing that is getting me is when I ping Google out the LAN (Data VLAN) on the PBX, it shows it using the WAN (Voice VLAN)

ACSS

 

[Travis Harper]

I am not a networking expert, but I would say the problem is:
Workplace is registering to the LAN 1 Interface, but the LAN 1 topology public IP address ends in 210, which is different than what the CISCO ASA public interface is.

In my feeble brain, I would think the NAT rules need to be LAN private to CISCO Public SIP.

Travis

 

[dsm600rr]

@Travis Harper

I changed LAN 1 Network Topology to the ASA and re-did the ping - Still tried to go out the Voice VLAN :|



ACSS

 

[Travis Harper]

when I ping it, its still ping ix.pfcommunications.com
PING ix.pfcommunications.com (173.162.40.210): 56 data bytes

Your CISCO ASA ends in 209.

At the end of the day, you will never get workplace to register from outside the network if you can't point the public interface 173.162.40.210 to 172.30.20.1, and the ASA has do that NAT translation.

When you can open

http://173.162.40.210/46xxsettings.txt

in your browser, you're on the right track.

Curious, what happens if you open

http://x.x.x209/46xxsettings.txt

in a browser. <- you Cisco SIP interface from screenshot above.

Travis

 

[dsm600rr]

@Travis Harper

I switched it back to 173.162.40.210 after the Ping Test Still went out the Voice VLAN when pinging from the Data VLAN

http://173.162.40.210/46xxsettings.txt

internally times out.

ACSS

 

[Sparrow4]

@dsm600rr

External name resolution:
ix.pf.communications.com resolves to => 104.247.82.52

Internal name resolution:
ix.pf.communications.com resolves to -> 192.168.1.251
+++++++++++++++++++++++
On LAN 1 under network topology change the Public IP to 104.247.82.52

 

[dsm600rr]

@Sparrow4

its: ix.pfcommunications.com - You have one extra period after pf

ACSS

 

[Sparrow4]

@dsm600rr I realize that now. Do you also own the ix.pf.communications.com? I don't think that it matters at this point. Also my DHCP is configured under LAN 1. Yours is under LAN 2. Was it always like this? If @ Travis and you are ok we can clear the IPO config one last time this morning and Monday all you'll have to do is make changes with your Firewall Tech.

 

[dsm600rr]

Hello All. Just wanted to update this thread.

So I ended up moving everything that needs to get out to the internet over to our Data VLAN: 192.168.1.XXX (LAN)

That includes the SIP Trunk, Stuff for IX, Static Public IP and what not. This also is the IP Route out.

On the Voice VLAN: 172.30.20.XXX I have my internal phones and IPO DHCP Server Only (WAN).

After doing so, everything is working now. Certificates are both good on my iPhone and Home PC's

Thanks for all the help Gents. This was a long learning experience with Certificates, FQDN's, Split DNS and the list goes on!

ACSS

 

[Travis Harper]

Glad to hear it! Yes, this thread was quite a ride for sure.

 

[dsm600rr]

Noticing alot of this:

Rather than some of these hits being temporary blocked, can they be permanently blocked after a certain amount of hits?


Thoughts.

ACSS

 

[Travis Harper]

Yes, you can, sort of, at least as it applied to SIP.
It's not easy, and takes some trial and error.

Log into the IP Office edit the NoUser.
Add a couple SourceNubers. ( change the limit to your own value - Trial and error )
1. B_RATE_HIGH_LIMIT=20
2. B_RATE_HIGH_THRESH=2000

Sip messages that exceed the high limit over the time threshold limit will be permanently blocked until you manually remove the bock using the Monitor application.

Excessive SIP Traffic Blacklisting
IP address blacklisting can be applied when the number of SIP messages (all types) from the same address exceeds a set rate. The default rate is 100,000 messages in 100 milliseconds. Unlike the options above, this blacklisting can only be manually removed.

oThe following NoUser source numbers can be used to alter the use of SIP traffic blacklisting:

▪B_RATE_HIGH_LIMIT=X where X is the number of SIP messages allowed within the time threshold. Default = 500, minimum = 1, maximum = 100,000.

▪B_RATE_HIGH_THRESH=Y where Y is the time threshold in milliseconds. Default = 100, minimum = 100, Maximum = 300,000 (5 minutes).