Avaya SCN over IPSEC VPN

[rosenbaaron]

All,

Last week our firewall died. As a work-around until I purchase a new firewall I terminated a IPSEC tunnel and a checkpoint edge firewall. After tweaking it, I now have a tunnel that drops no packets. My problem is that the SCN is no longer working, and I have searched all of threads pertaining to this. Before the firewall crash, I terminated each end with a checkpoint firewall and it has been up for the past year, now the connections show idle, but the SCN is no longer working. I can also call out that box through the H323 line so there is connectivity. This is what I get from the monitor. Has anyone been succesful terminating a cisco router 2821, and getting SCN to work. Both IP Offices are running the correct version, and there has been no changes to either one. Is their a setting I missing on the cisco router? I have disabled NAT and firewall rules.

48174916mS PRN: VPNNetworkedPBX::Receive Too many RIPs received (15) sent from 10.8.0.50
48174916mS PRN: VPNN: PBX 10.8.0.50 Not Responding - error code 3
48174916mS PRN: VPNN: PBX 10.8.0.50 Not Responding or Reset AU=0

 

[intrigrant]

You need these ports to be open for SCN connections:
833 Network Relay UDP Network relay.
49152-53247 RTP/RTCP UDP Dynamically allocated ports used during VoIP calls for RTP and RTCP traffic. The port range can be adjusted through the System | LAN1 | VoIP tab
50795 IPO Voice Networking UDP Small Community Network signalling (AVRIP) and BLF updates. Each system does a broadcast every 30 seconds. BLF updates are sent required up a maximum of every 0.5 seconds.


A simple mind delivers great solutions

 

[rosenbaaron]

Is it enough to permit IP traffic, or is there more configuration that needs to be done on the router? I have disabled firewall policy on the check point as well..

 

[intrigrant]

If you are sure all traffic is allowed through the tunnel then there is nothing more you can do but since it doesn't work I think not all traffic is allowed.

A simple mind delivers great solutions

 

[tlpeter]

Does the new router has the same IPaddress as the old router?
It seems like the IPO's cannot find each other and then it fails.
It could be ports blocked (like Intrigrant already mentioned) but also bad routing.


BAZINGA!

I'm not insane, my mother had me tested!

 

[rosenbaaron]

Well it connects the same networks. I added an exception in the firewall that seems to improve its connectivity. There was supposed to be no firewall policy applied to that traffic but it looks like some still were.

 

[rosenbaaron]

Thanks, it hasn't gone down and I have modified the firewall policy.

 

[RingTHIS]

Rosen,
I am having a nightmare of a time with a check point firewall and SCN. Can you post the the policy change that you made?

Thank you.

 

[rosenbaaron]

RingTHIS,

I have an open support call. I have three sites that are working and one that isn't. One day it magically came up with out pushing policy. Do you know which version you are running?


Aaron

 

[RingTHIS]

I do not. I am trying to bring in our data team to do a conference call with their firewall guy to resolve this monster. It was supposed to be a simple 4 phone install and it has consumed my existence the last two weeks. I really need to get it resolved. After our conference call, I'll re-post if anything changes. Thanks for quick reply.

Jim