
ip office fails to register ipphone

Status
Not open for further replies.

biggizod

Technical User
Aug 21, 2012
63
US
Hello guys. I have a topology: IPO500--Router_A--Router_B--Ipphone/PC. IPO LAN 172.16.2.220/24, WAN 192.168.15.110/24 to Router A vlan 20 interface 192.168.15.100/24. Router_A and Router_B are 192.168.10.1/32 and 192.168.10.2/32. The IP phone is in voice vlan 20, 192.168.20.0/28. If I put a PC in the 192.168.20.0 net I am able to ping/tracert the IPO, and IPsec is up. But the IP phone doesn't want to register. Routing on IPO: IP 0.0.0.0 mask 0.0.0.0 GW 192.168.15.100 destination LAN2. Please help me; I see IPsec is up and ping goes through. What else do I need to register the IP phone? I can't find out. Please help...

configs on router_A:
sho run
Building configuration...

Current configuration : 6298 bytes
!
! Last configuration change at 12:57:10 PCTime Mon Aug 20 2012 by admin
! NVRAM config last updated at 14:08:42 PCTime Mon Aug 20 2012 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R_A
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3088937797
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3088937797
revocation-check none
rsakeypair TP-self-signed-3088937797
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!

username admin privilege 15 secret 5 $1$9.I7$4C61J/DT957rNQXyeuJ18/
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key 1voice1 address 192.168.10.1
!
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
!
crypto map voice 10 ipsec-isakmp
set peer 192.168.10.1
set transform-set voice_set
set pfs group1
match address voice
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 20
!
interface FastEthernet4
ip address 192.168.10.2 255.255.255.252
ip virtual-reassembly
duplex full
speed 100
crypto map voice
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 192.168.15.100 255.255.255.0
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 172.16.2.0 255.255.255.0 192.168.15.110
ip route 192.168.20.0 255.255.255.248 192.168.10.1
!
ip access-list extended test
ip access-list extended voice
permit ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
permit ip host 192.168.10.2 host 192.168.10.1
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.15
access-list 110 deny ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
access-list 110 permit ip 192.168.15.0 0.0.0.255 any
access-list 110 permit ip 172.16.2.0 0.0.0.255 any
no cdp run

control-plane
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Configs on router_B :

Remote_R>en
Remote_R#show run
Building configuration...

Current configuration : 6624 bytes
!
! Last configuration change at 16:35:28 UTC Mon Aug 20 2012 by admin
! NVRAM config last updated at 18:08:16 UTC Mon Aug 20 2012 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote_R
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3874039267
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3874039267
revocation-check none
rsakeypair TP-self-signed-3874039267
!
!
!
ip dhcp pool data30
network 192.168.30.0 255.255.255.240
default-router 192.168.30.1
option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
lease 8
!
ip dhcp pool voice20
network 192.168.20.0 255.255.255.240
default-router 192.168.20.1
option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
lease 8
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key 1voice1 address 192.168.10.2
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
!
crypto map voice 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set voice_set
set pfs group1
match address voice
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
switchport trunk native vlan 30
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 30
switchport voice vlan 20
!
interface FastEthernet4
description WAN
ip address 192.168.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map voice
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 192.168.20.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Vlan30
ip address 192.168.30.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.2 permanent
ip route 192.168.15.0 255.255.255.0 192.168.10.2
!
ip access-list extended voice
permit ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
permit ip host 192.168.10.1 host 192.168.10.2
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.15 any
no cdp run

!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
 

Is the IP phone connected? If it is through a switch, check the VLAN and trunking, etc. You also might want to take out the access list while testing.
 
Dumb question: does it register OK when tested internally versus across the IPsec tunnel?
 
Thank you for the replies. The IP phone is connected directly to the level 2 port of the Cisco router 881: IPO500<-->Router_A<-->Router_B<-->Ipphone/PC, and I don't have any switch or VLAN trunking yet, only a vlan interface, because the 881 has only 1 level 3 port and 4 level 2 ports. To MankyWarrior: I tested successfully first by putting the IP phone behind one router without IPsec; in that case I needed to make NAT overload on the WAN port because for some reason the router could not route packets from interface vlan 20 (where the IP phone was connected) to the WAN port.
But the topology should be IPO500<-->Router_A<-->Router_B<-->Ipphone/PC and there is NAT overload; I can ping the IPO from the remote side...
 
Also, I am connected with my PC to LAN port 172.16.2.2/24, GW IP 172.16.2.220 (LAN1 IP of the IPO), and I am able to ping the remote IP phone's IP.
 
I deleted the ACLs except "voice", which "directs" traffic to the VPN: no results :( .. By default the firewall is off on Cisco routers. Also I changed ACL voice: instead of "permit ip xxxx yyyy qqqq w" I put "permit tcp xxxx yyyy qqqq w 1720", and the same thing but with udp/1719.
NO results.... Please, any ideas, tips...
 
Several problems that you might want to look deeper into: NAT, ACL and all the ports (TCP and UDP) that Avaya phones and IPO are using, as you said that the phone works fine on the LAN but not through the VPN/IPsec tunnel.
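
The NAT and ACL check suggested above, applied to the Router_B configuration posted in this thread, as an added example that is not part of the original posts: it evaluates NAT ACL 110 and the crypto ACL "voice" for a phone reaching each MCIPADD address from DHCP option 176, and lists voice-pool hosts that fall outside Router_A's static route to 192.168.20.0. The phone address 192.168.20.2 and all function names are assumptions made for illustration, and the model covers only the ACL and route lines shown in the thread.

```python
import ipaddress

# Values copied from the Router_A / Router_B configs posted in this thread.
VOICE_POOL = ipaddress.ip_network("192.168.20.0/255.255.255.240")  # pool voice20
MCIPADD = ["172.16.2.220", "192.168.15.110"]                       # DHCP option 176
WAN_B = "192.168.10.1"                                             # Router_B Fa4
ROUTE_A_TO_VOICE = ipaddress.ip_network("192.168.20.0/255.255.255.248")  # Router_A
# Router_B ACL entries as (action, src, src wildcard, dst, dst wildcard); None = any
ACL_VOICE_B = [
    ("permit", "192.168.20.0", "0.0.0.15", "172.16.2.0", "0.0.0.255"),
    ("permit", "192.168.10.1", "0.0.0.0", "192.168.10.2", "0.0.0.0"),
    ("deny", None, None, None, None),
]
ACL_110_B = [
    ("deny", "192.168.20.0", "0.0.0.15", "172.16.2.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.15", None, None),
]

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    if base is None:
        return True
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

def acl_action(acl, src, dst):
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action
    return "deny"  # implicit deny at the end of every ACL

def classify(src, dst):
    """Treatment of a phone packet leaving Router_B Fa4 (NAT runs before crypto)."""
    natted = acl_action(ACL_110_B, src, dst) == "permit"  # route-map nonat
    if natted:
        src = WAN_B  # overloaded onto the Fa4 address
    tunnel = acl_action(ACL_VOICE_B, src, dst) == "permit"  # crypto map voice
    return ("ipsec" if tunnel else "cleartext") + ("+nat" if natted else "")

def phones_without_return_route():
    """Voice-pool hosts outside Router_A's static route to 192.168.20.0."""
    return [str(h) for h in VOICE_POOL.hosts() if h not in ROUTE_A_TO_VOICE]

if __name__ == "__main__":
    phone = "192.168.20.2"  # constructed sample lease from the voice20 pool
    for server in MCIPADD:
        print(phone, "->", server, ":", classify(phone, server))
    print("no return route on Router_A:", phones_without_return_route())
```

With the posted values, traffic to 172.16.2.220 is classified as ipsec, traffic to 192.168.15.110 as cleartext+nat, and hosts 192.168.20.8 through 192.168.20.14 are not covered by Router_A's static route.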
 
I had registration issues when traversing a Comcast network even though the ip phone and server were connected via VPN.

It turned out that when the phone registers, the QoS (DSCP) tagging on the registration packets was causing the packets to get dropped. It was ONLY the registration packets that got dropped. When going through a VPN, when the packets get encapsulated the encoded packet retains the QoS tagging.

This was a trick to find as every other packet we threw at it went through. We ended up having to alter the SIG DSCP on the LAN1/VoIP tab to 26.

I mention this as maybe something in your VLAN settings is mucking with the QoS of the packets and changing priorities?

Scott<-
 