
One-X Agent login failed on VPN 1


jimha

Systems Engineer
Aug 5, 2021
7
DE
Hi,

I have installed a new VPN in our office, but I am struggling to get my One-X Agent to work. Maybe you have an idea for me.

The registration of the station works fine, but if I do an agent login on it, it fails after a while. (One-X Agent version: 2.5.60411.0)

That's the output if I do list trace station:

list trace station 5814 Page 1

LIST TRACE

time data

15:59:23 TRACE STARTED 08/10/2021 CM Release String cold-01.0.532.0-24015
15:59:29 rcv ARQ ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.150]:1719
15:59:29 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.150]:1719
15:59:29 rcv ARQ ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.132]:1719
15:59:29 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.132]:1719
15:59:29 rcv ARQ ext 5814
endpt [10.236.56.50]:1024

press CANCEL to quit -- press NEXT PAGE to continue
list trace station 5814 Page 2

LIST TRACE

time data
switch [10.236.50.131]:1719
15:59:29 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.131]:1719
15:59:39 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.150]:61442
15:59:39 TCP conn closed
endpt [10.236.56.50]:13926
switch [10.236.50.150]:61442
15:59:42 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.132]:61440
15:59:42 TCP conn closed
endpt [10.236.56.50]:13926
switch [10.236.50.132]:61440

press CANCEL to quit -- press NEXT PAGE to continue
list trace station 5814 Page 3

LIST TRACE

time data
15:59:45 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.131]:61441
15:59:45 TCP conn closed
endpt [10.236.56.50]:13926
switch [10.236.50.131]:61441
15:59:45 denial event 2176: SigConn fail to establish
endpt 10.236.56.50 data0:0xa013
16:00:07 rcv ARQ ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.150]:1719
16:00:07 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.150]:1719
16:00:07 rcv ARQ ext 5814
endpt [10.236.56.50]:1024

press CANCEL to quit -- press NEXT PAGE to continue
ist trace station 5814 Page 4

LIST TRACE

time data
switch [10.236.50.132]:1719
16:00:07 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.132]:1719
16:00:07 rcv ARQ ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.131]:1719
16:00:07 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.131]:1719
16:00:17 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.150]:61444
16:00:17 TCP conn closed
endpt [10.236.56.50]:13926
switch [10.236.50.150]:61444

press CANCEL to quit -- press NEXT PAGE to continue
ist trace station 5814 Page 5

LIST TRACE

time data
16:00:20 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.132]:61444
16:00:20 TCP conn closed
endpt [10.236.56.50]:13926
switch [10.236.50.132]:61444
16:00:24 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.131]:61443
16:00:24 TCP conn closed
endpt [10.236.56.50]:13926
switch [10.236.50.131]:61443
16:00:24 denial event 2176: SigConn fail to establish
endpt 10.236.56.50 data0:0xa013


Rgds
jimha



 
As a first step, please ensure that the firewall is disabled on Windows.
If it is not disabled, and cannot be, add a rule to allow TCP communication on this port range.
Set up Wireshark on the Windows machine where one-X Agent is installed and, while one-X Agent tries to log in, start capturing on the corresponding network interface and filter on h225 traffic.
If only UDP h225.Ras packets can be seen, the traffic is blocked from TCP port 61440-61444 to TCP port any.
If TCP packets can be seen from TCP port 61440-61444, but the TCP session is not established or is reset, there is a firewall which filters this traffic.
Near End Establishes TCP Signaling Socket= y
In the far-end case, when TCP is set to “yes”, the phone has to send the TCP socket request to CM and CM will establish TCP.
If TCP socket signaling is set to “no”, then Communication Manager will establish the TCP socket. If set to “yes”, phones will establish the TCP socket.

Verify the VPN scope in the ip-network-map (wfh-vpn users).
A second option would be to set 'Near End Establishes TCP Signaling Socket?' to N on the ip-network-region form, page 3.
 
Thanks for your help. This morning I took another laptop without a third-party firewall and turned off the Windows firewall completely; same behavior.
I installed Wireshark and will attach the output. There are lots of TCP retransmission errors, but I cannot figure out where they are coming from. Do you have an idea about that?
I also checked the ip-network-map; the scope is not listed. Is it mandatory for this to work? We have another scope (which is not listed there either), but that one works.

wireshark_vpn_jtaaoz.png
 
Have you checked your network firewall, as they are connecting through VPN?
 
Try a constant ping of the CM from the desktop. Make sure you have a stable connection first.
 
The network firewall shows some errors, "tcp invalid connection state". I don't know what that means; it looks like some packets contain errors.

Ping goes through constantly.

fw_dump_ly8wt9.png
 
Have you checked your VPN firewall? It sounds like you have blocked ports.
You will need TCP AND UDP ports 1719, 1720
UDP ports 61440-61442 to your CM open bidirectionally

You will need to allow your VPN subnets to access all of your Avaya Gateways for RTP bidirectionally
UDP ports 2048-65535

You will also need to allow your VPN subnets to talk to each other so you can do IP to IP calling. Rules are bidirectional.
UDP ports 2048-65535

 
Ports 1024/TCP and 13926/TCP should also be opened.
 
I have opened any ports for these 2 networks, but I am still seeing "tcp invalid connection state" errors which I can't figure out.

fw_dp2_lhkeyg.png
 
Looks like there is still somewhere in your network that is blocking it. Try tracing on the router where your VPN terminates and see if there are hits (with corresponding ports) when you attempt to register. Then trace from the inside-facing firewall, and so on. You should be able to drill down to where the blockage is.
 
I see what the issue is. I said in my above post you need the following:
have you checked your vpn firewall? It sounds like you have blocked ports.
You will need TCP AND UDP ports 1719, 1720
UDP ports 61440-61442 to your CM open bidirectionally


You need to open up TCP ports 61440 to 61442 or what is specified in your IP-Network-region for your one-x agent users. I am assuming they are defaulting to network-region 1. Execute command: Display ip-network-region x (where x is your network region). The information is listed on page 3: TCP Signaling link Establishment for Avaya H.323 endpoints.
tcp_xeqx79.jpg
 
@avayaguy23 - I have taken a new network-region and set "TCP Signaling link Establishment for Avaya H.323 endpoints" to N - that did the trick, it works now.

Thanks everybody for your help. Appreciate it :)
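
Added example, not part of any post in this thread: a short Python parser for `list trace station` output that separates the RAS exchanges that completed (ACF sent on port 1719) from the TCP signaling connections that failed, which is the pattern that pointed at a filtered TCP port range here. The sample lines are copied from the trace in the first post, shortened, with one page break kept; the function names are illustrative.

```python
import re
from collections import defaultdict
# Sample: lines from the trace in the first post, shortened, one page break kept.
SAMPLE_TRACE = """\
15:59:29 rcv ARQ ext 5814
endpt [10.236.56.50]:1024
press CANCEL to quit -- press NEXT PAGE to continue
list trace station 5814 Page 2
switch [10.236.50.131]:1719
15:59:29 snd ACF ext 5814
endpt [10.236.56.50]:1024
switch [10.236.50.131]:1719
15:59:39 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.150]:61442
15:59:42 TCP conn failed
endpt [10.236.56.50]:13926
switch [10.236.50.132]:61440
15:59:45 denial event 2176: SigConn fail to establish
endpt 10.236.56.50 data0:0xa013
"""

EVENT = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(.*\S)")
ADDR = re.compile(r"^(endpt|switch)\s+\[([\d.]+)\]:(\d+)")

def parse_trace(text):
    """Return events as dicts: time, what, and (ip, port) for endpt/switch when present."""
    events = []
    for line in map(str.strip, text.splitlines()):
        m = EVENT.match(line)
        if m:
            events.append({"time": m.group(1), "what": m.group(2)})
            continue
        a = ADDR.match(line)
        if a and events:  # also catches an address line pushed onto the next page
            events[-1][a.group(1)] = (a.group(2), int(a.group(3)))
    return events

def summarize(events):
    """Return (switch sockets that sent ACF, failed TCP port pairs per switch IP)."""
    ras_ok, tcp_failed = set(), defaultdict(set)
    for e in events:
        if e["what"].startswith("snd ACF") and "switch" in e:
            ras_ok.add(e["switch"])
        elif e["what"] == "TCP conn failed" and {"endpt", "switch"} <= e.keys():
            tcp_failed[e["switch"][0]].add((e["switch"][1], e["endpt"][1]))
    return ras_ok, dict(tcp_failed)

if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

Each entry in the second result is (switch port, endpoint port), so the output lists exactly which port pairs to look for in the firewall log.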

 