Netgear SRX5308 with 4621swip VPN phones GOOD or BAD?

[headcase69]

hey guys,

just wondering if this is a "good" combo....

IP500v1 9.0.5
VM Pro 9.0

All 4620swip or 4621swip phones

VCM32
60 endpoint licenses

Netgear SRX5308 as VPN router for VPN phones

it never fails!!! every 7-10 days I'm getting a call that the VPN phones are not working. I'm not sure what is causing this? that's why I'm asking and praying that someone has answers??? I first had a FVS338 that I thought was bad, so I went with the big SRX5308 thinking it would keep the phones up and working. I know there are things that come into play such as internet at the remote end and things like that. I thought that once I got the phones up and working, they would/should just reconnect if there was a loss of connection somehow...

any help would be greatly appreciated....

 

[gkittelson]

I have some older and smaller networks running with Netgear SRX5308 routers, but I would rather use a TZ600 SonicWALL than Netgear.

I would make sure:
1) Using latest firmware
2) Have keep alive active on both sides of the VPN tunnel - but if you have phones as end points that won't be an option
3) Make sure that Enable NETBIOS is unchecked
4) Uncheck block TCP flood
5) Uncheck block UDP flood
6) Check VPN pass through options IPsec, PPTP, L2TP
7) Make sure SIP ALG is unchecked

This isn't the ultimate list, but it should help. The VPN keep alive might be the one you are looking for, but that's only for point to point.

Guy

 

[headcase69]

Guy... thanks for the reply...

I must be stupid!!! ive checked (or unchecked) all of those options.... and rechecked to make sure they are off.

not sure if this has anything to do with it, but I have 3 H323 (running VPN software.... the most current version/firmware) phones. 1 phone at a remote office, and 2 phones at another remote office. the problem is with the remote office that has 2 phones. I can only get 1 of them to come up at a time. both of them will not come up? I did have them all up at one time (which they would always go down/disconnect it seemed like every other day or week....). I'm just wondering if it has something to do with the router or the IP Office? the router says/shows me that I have 3 IPsec connections connected, but only 1 phone at each site will work... the phone that does not work will display "discover" which tells me that I don't have an IP route set up in the IP Office. for the remote phones, I have 0.0.0.0, 0.0.0.0, 192.168.43.254, LAN 2..... is that right? I have tried to put in routes like 192.168.43.0, 255.255.255.0, 192.168.43.254, LAN 2, and still no luck??? I put in a route of 192.168.1.0 (as the phones get an address in that range from the remote site) and that still doesn't work???

anyways, I hope this makes sense to you or someone, because I cant seem to get this to work and stay working!! any other suggestions would be great!!

again, I have 1 phone at one remote site (that never has any problems) and 2 phones at another remote site that will only seem to allow 1 phone to work at a time....?????? I need all VPN phones to be able to plug in and work....

thanks again...

 

[headcase69]

not sure if this will help??? here is a VPN log of the Netgear SRX5308.... hope someone can tell if the router is doing what its supposed to do??? I cant tell if the phones don't work because of the router or IP Office???



Wed Aug 17 17:35:59 2016 (GMT -0400): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 96.91.xx.xxx->69.85.xx.xxx with spi=1360695754(0x511a91ca)
Wed Aug 17 17:35:59 2016 (GMT -0400): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 69.85.xx.xxx->96.91.xx.xxx with spi=263223678(0xfb0797e)
Wed Aug 17 17:35:57 2016 (GMT -0400): [SRX5308] [IKE] INFO: No policy found, generating the policy : 192.168.1.141/32[0] 192.168.43.0/24[0] proto=any dir=in
Wed Aug 17 17:35:57 2016 (GMT -0400): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 192.168.43.0/24<->0.0.0.0/0 from emilyip
Wed Aug 17 17:35:57 2016 (GMT -0400): [SRX5308] [IKE] WARNING: Ignore INITIAL-CONTACT notification from 69.85.xx.xxx[206] because it is only accepted after phase1.
Wed Aug 17 17:35:57 2016 (GMT -0400): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: 96.91.xx.xxx[0]<=>69.85.xx.xxx[0]
Wed Aug 17 17:35:56 2016 (GMT -0400): [SRX5308] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Wed Aug 17 17:35:56 2016 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for 96.91.xx.xxx[500]-69.85.xx.xxx[206] with spi:7f186a74f9f441ba:c1b6aa820fbf5a00
Wed Aug 17 17:35:54 2016 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Aug 17 17:35:54 2016 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
Wed Aug 17 17:35:54 2016 (GMT -0400): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 96.91.xx.xxx[500]<=>69.85.xx.xxx[206]
Wed Aug 17 17:35:54 2016 (GMT -0400): [SRX5308] [IKE] INFO: Remote configuration for identifier "emilyip" found
Wed Aug 17 17:35:25 2016 (GMT -0400): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 96.91.xx.xxx->69.85.xx.xxx with spi=2833644980(0xa8e5fdb4)
Wed Aug 17 17:35:25 2016 (GMT -0400): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 69.85.xx.xxx->96.91.xx.xxx with spi=220187278(0xd1fca8e)
Wed Aug 17 17:35:23 2016 (GMT -0400): [SRX5308] [IKE] INFO: No policy found, generating the policy : 192.168.1.137/32[0] 192.168.43.0/24[0] proto=any dir=in
Wed Aug 17 17:35:23 2016 (GMT -0400): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 192.168.43.0/24<->0.0.0.0/0 from emilyip
Wed Aug 17 17:35:23 2016 (GMT -0400): [SRX5308] [IKE] WARNING: Ignore INITIAL-CONTACT notification from 69.85.xx.xxx[500] because it is only accepted after phase1.
Wed Aug 17 17:35:23 2016 (GMT -0400): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: 96.91.xx.xxx[0]<=>69.85.xx.xxx[0]
Wed Aug 17 17:35:22 2016 (GMT -0400): [SRX5308] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Wed Aug 17 17:35:22 2016 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for 96.91.xx.xxx[500]-69.85.xx.xxx[500] with spi:b5e75d44e3c63734:462f3fc9ee73dc0c
Wed Aug 17 17:35:21 2016 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Aug 17 17:35:21 2016 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
Wed Aug 17 17:35:21 2016 (GMT -0400): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 96.91.xx.xxx[500]<=>69.85.xx.xxx[500]

 

[headcase69]

Do I need to have the "remote worker" tick mark box checked under the LAN2 tab? I thought that was just for the remote worker phones (9600 series phones)...

Also, I was just wondering if I need to have the IP office as the DHCP server or just let the SRX5308 be the DHCP server? Or does that even matter when they are VPN phone? I know the phones get an address from the remote office, but that that was a "just wondering" question too??

Thanks again for the help!

 

[headcase69]

well I got it to work....

all I needed to do was use "mode config" option on Netgear router and program the phones to match the profile used for "mode config" and bing..... they connected like a champ and haven't been down since.

thanks again for any replys....

 

[gkittelson]

That's awesome to know. Thank you for sharing!