Hi I have spent hours on trying to get an Avaya 9620L phone working to an IP office system. The VPn gets built fine but the Call server cannot be found and I get Discover 192.168.50.2 which is the internal address of the IP office. It just sits there, the documentation from Avaya is really poor and also very old. Has anybody managed to get this working.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Cisco Router and Avaya 9620L VPN
- Thread starter Issyp
- Start date
- Thread starter
- #3
hairlessupportmonkey
IS-IT--Management
can you ping the phone from a pc using the same gateway?
I had the same issue recently, and I set the protected network on the handset to 0.0.0.0/0 not 0.0.0.0/24 or such like
ACSS - SME
General Geek
I had the same issue recently, and I set the protected network on the handset to 0.0.0.0/0 not 0.0.0.0/24 or such like
ACSS - SME
General Geek
- Thread starter
- #5
Hi the ip protected on the phone was 0.0.0.0/0 The router cant see the phone but then I expect that as it is in the VPN. I will plug another PC into the second router tommorrow and see if that can see. thanks for your help. It must be a VPN issue as you say but I have follwoed the documentation all beit for the CM and a slightly different router.
inet33
IS-IT--Management
- Mar 24, 2011
- 23
- 0
- 0
I'm having a smiliar issue with the configuration of the 9620L phone as well. But I can't even build the tunnel.
I'm following the guide by Avaya and no dice. I've tried it on a Cisco 2811 and a Cisco 871. Both fails.
This is a brand new Cisco config, and I've tried the Cisco VPN client and it attaches and pings the IPO 500 fine.
When connecting I get the following after the phone tries to establish a tunnel:
VPN tunnel failure
(then when I press Details)
Invalid configuration
Anyone have any ideas?
I'm following the guide by Avaya and no dice. I've tried it on a Cisco 2811 and a Cisco 871. Both fails.
This is a brand new Cisco config, and I've tried the Cisco VPN client and it attaches and pings the IPO 500 fine.
When connecting I get the following after the phone tries to establish a tunnel:
VPN tunnel failure
(then when I press Details)
Invalid configuration
Anyone have any ideas?
amriddle01
Programmer
I have found that the best solution is to take away the VPN from the phone and use two routers instead, that way you can also remotely manage the VPN for the user, you can give them cheaper 16xx's if you want and it tends to be much easier, not so good if they are always on the move with the handset though 
inet33
IS-IT--Management
- Mar 24, 2011
- 23
- 0
- 0
That's one possible solution, but it just would be cleaner to ship out a phone than a whole mess of wires and explaining.
Oh looks like I linked the wrong document above, I meant to link this avaya document:
I followed the instructions to the teeth with no luck
Oh looks like I linked the wrong document above, I meant to link this avaya document:
I followed the instructions to the teeth with no luck
- Thread starter
- #10
Hi I am really stuck now. I get a connection on the VPN and the phone sits there with Discover 192.168.50.2 which is the internal address of the IP office. Is there a routing issue with this config. I cant see it for the life of me.
Using 4552 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RVINTERNET2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXX
enable password XXXXXX
!
aaa new-model
!
!
aaa authentication login groupauthor local
aaa authentication login userauthen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.50.1 192.168.50.100
!
ip dhcp pool Private
import all
network 192.168.50.0 255.255.255.0
domain-name RyanVentura.com
dns-server 194.72.0.98
default-router 192.168.50.1
option 150 ip 192.168.50.2
option 242 ascii "MCIPADD=192.168.50.2,MCPORT=1719,TLSSRVR=192.168.50.2,HTTPS
RVR=192.168.50.4"
option 176 ascii "MCIPADD=192.168.50.2,MCPORT=1719,TLSSRVR=192.168.50.2,HTTPS
RVR=192.168.50.4"
lease infinite
!
!
ip cef
ip domain name yourdomain.com
ip name-server 62.24.128.17
ip name-server 62.24.128.18
!
!
crypto pki trustpoint TP-self-signed-3405674095
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3405674095
revocation-check none
rsakeypair TP-self-signed-3405674095
!
!
crypto pki certificate chain TP-self-signed-3405674095
certificate self-signed 01 nvram:IOS-Self-Sig#350A.cer
username Arsenal privilege 15 secret 5 $1$RLix$8FgYa6HelI8AeKA7sbvVr1
username testphone2 password 0 vpnpass
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group groupauthor
key vpnvpn
pool ippool
pfs
crypto isakmp profile ciscocp-ike-profile-1
match identity group groupauthor
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map dynmap2 20
set transform-set myset2
set pfs group2
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
!
!
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address XXXXXXXXXXXXXX 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXX
ppp chap password 0 XXXXX
crypto map clientmap
!
ip local pool ippool 10.10.10.20 10.10.10.50
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.50.2 5060 interface Dialer0 5060
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0
password XXXXXXXXXX
transport input telnet ssh
line vty 1 4
access-class 23 in
privilege level 15
password XXXXXXXXX
transport input telnet ssh
!
scheduler max-task-time 5000
end
Using 4552 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RVINTERNET2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXX
enable password XXXXXX
!
aaa new-model
!
!
aaa authentication login groupauthor local
aaa authentication login userauthen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.50.1 192.168.50.100
!
ip dhcp pool Private
import all
network 192.168.50.0 255.255.255.0
domain-name RyanVentura.com
dns-server 194.72.0.98
default-router 192.168.50.1
option 150 ip 192.168.50.2
option 242 ascii "MCIPADD=192.168.50.2,MCPORT=1719,TLSSRVR=192.168.50.2,HTTPS
RVR=192.168.50.4"
option 176 ascii "MCIPADD=192.168.50.2,MCPORT=1719,TLSSRVR=192.168.50.2,HTTPS
RVR=192.168.50.4"
lease infinite
!
!
ip cef
ip domain name yourdomain.com
ip name-server 62.24.128.17
ip name-server 62.24.128.18
!
!
crypto pki trustpoint TP-self-signed-3405674095
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3405674095
revocation-check none
rsakeypair TP-self-signed-3405674095
!
!
crypto pki certificate chain TP-self-signed-3405674095
certificate self-signed 01 nvram:IOS-Self-Sig#350A.cer
username Arsenal privilege 15 secret 5 $1$RLix$8FgYa6HelI8AeKA7sbvVr1
username testphone2 password 0 vpnpass
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group groupauthor
key vpnvpn
pool ippool
pfs
crypto isakmp profile ciscocp-ike-profile-1
match identity group groupauthor
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map dynmap2 20
set transform-set myset2
set pfs group2
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
!
!
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address XXXXXXXXXXXXXX 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXX
ppp chap password 0 XXXXX
crypto map clientmap
!
ip local pool ippool 10.10.10.20 10.10.10.50
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.50.2 5060 interface Dialer0 5060
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0
password XXXXXXXXXX
transport input telnet ssh
line vty 1 4
access-class 23 in
privilege level 15
password XXXXXXXXX
transport input telnet ssh
!
scheduler max-task-time 5000
end
hairlessupportmonkey
IS-IT--Management
if correct - you are using 10.10.10.x for the VPN DHCP pool, but I dont see a NAT rule to deny 10.10.10.x traffic on the local network?
ACSS - SME
General Geek
ACSS - SME
General Geek
inet33
IS-IT--Management
- Mar 24, 2011
- 23
- 0
- 0
What does it say when you do a sh ip route and sh crypto session detail?
Try using a VPN client on your computer to establish a connection. Then try to see if you can ping the 192.168.50.2 address.
Those were what I did when trying to figure out where it went wrong.
Try using a VPN client on your computer to establish a connection. Then try to see if you can ping the 192.168.50.2 address.
Those were what I did when trying to figure out where it went wrong.
hairlessupportmonkey
IS-IT--Management
and start the logging on the ASA - its very comprehensive and watch what happens when the vpn connects and traffic attempts to route....
ACSS - SME
General Geek
ACSS - SME
General Geek
- Status
Similar threads
- Locked
- Question