connecting IP4620 Phone over VPN to IP406

[telepaul]

Hi,

We are trying to make a connection over ADSL and an IP Phone 46xx..
We work between Netscreen 25 and Netscreen 5
The VPN is working fine with IP Softhone from Avaya and IP406 and between an IP406 and Small Office. Even a connection with netmeeting and IP406 works fine.
When we try to make connection between IP406 and IP Phone 4620 or a 4602 it doesn’t work.
The IP Phone makes connection to the TFTP and makes a download of the software.
When the phone negotiates for an extension the phone hangs and blocks. When connecting to the LAN the phone works fine.

Any help would be greatly appreciated.

Paul

 

[Morrack]

Check that nothing is blocking UDP range C000-CFFF. Either on your equipment or the ISP's network.

 

[photon33]

Telepaul, I have the exact same scenario and the exact same problem.
The VPN is tunneled through two individual T1 Internet connections. Netscreen 25 to Netscreen 5.
All services are allowed through the Netscreen firewall.
The system is able to see the phone as the created extension appears in the extension and user tabs.
Netscreen support says ip direct mode of h.323 is supported, and that ip route mode is not supported.
I see a tick box on IP Office>System>gatekeeper tab that says ip direct route mode enabled but it is greyed out.
I run IP 406 V2.0.16
Does anybody have any ideas?
Thank You

 

[bazlit]

i have a netscreen 25 and billion 741ge where the 4612 is, the call actually rings the b party but no voice, all ports are open both ways, upgrading to 2.0(18) today to see if that helps or makes it worse ( i think the later)

 

[telepaul]

photon33,

We are working on V2.0(18) and the “ip direct route mode” is also greyed out.
We are still working on it with Netscreen and Avaya. In one of the earlier OS5 from Netscreen there was a bug on H323 but that seems not to be the problem. We have send several logs to Netscreen and are now waiting for an answer.

I will com back to this if I have more.

 

[bazlit]

Thanks

we are running 5.0.0r2.0 on our 25

Baz

 

[telepaul]

we are running 5.0.0r6.0 on boauth netscreens.

Paul

 

[photon33]

Hello, I am sorry to see the problem has not been solved!
Telepaul, you seem to be doing better than me as my softphones AND hardphones will not work through the Netscreen VPN.
I also have a ticket open with Netscreen, Avaya has been no help to me unfortunately. My first tier technician did not even know the IPO gatekeeper will auto create extension upon VOIP connection and refused to escalate my call. He said the extension number I used was wrong(111).
That was his solution. I have a mind to report this technician to my channel manager as the client is seriously considering another product due to my lack of support from Avaya...
It seems to me through some packet sniffing performed that when my phone communicates to the IPO, the IPO sends traffic back out to the phone using a 255.255.255.255 broadcast address and the Netscreen is unable to send or drops the traffic.
I do not understand why the IPO does not send back to originating IP address, but broadcasts instead?
Anyways bazlit & telepaul, please post as your situation changes!

 

[bazlit]

Have you got application set to none in the policy? they tell me this may resolve the problem with Netscreens, its an incompatability issue with the Avaya H.323 which is proprietory and will be multi vendor support in v2.1 i hear.

after upgrading to 2.0(18) from 1.4 it seems i have introduced more problems than have been fixed .

 

[photon33]

Have you got application set to none in the policy?

Yes, the Netscreen tech said something about the Netscreen error checking h.323 & needing to disable it, but it was set to none, so that is not the case...

 

[bazlit]

it didnt fix mine either, but seems to only have started happening since v5 of the netscreen OS, v4 i could make calls work properly, might have to go back a release if i can to test

 

[bazlit]

Well my inside contact at Juniper has solved the mistery!

if you set up a specific policy for H.323 as well as the any - any tunnel, then set the h.323 policy to application - none, it will allow the h.323 to bypass the firewall ALG's and not look at Avaya's proprietry h.323 which it drops in an any - any tunnel.

Policy example:
set policy id 131 from "Trust" to "Untrust" "10.0.0.0" "Home" "H.323" tunnel vpn "Tunnel for Home" id 43

 

[photon33]

thanks for the info bazlit, I will see if I can get this set up tomorrow!

 

[mjwilson12379]

Sorry, very old thread, but I continue to have problems, my VPN is up correct, with the policy for h.323 on both sides (ns25 and ns5). I get the endpoint in registration, then the endpoing is registered, but I never get anythin gon the display of the 5610. THere is traffic for the policy being logged ok. I get no dial tone, but can press the keypad and get the correct tones. THis is on an ip406 v3.