OS4K V10 problems with HFA subscribers

[Omenas]

Hi,

We have a newly installed OS4K V10 separated duplex system in a VMware environment. All subscribers will be installed in virtual standalone Softgates.
First about the system:
Hardware VMware esx
Platform - R0.28.4
Assistant - R0.28.4
CSTA - R0.28.3
RMX - R0.28.24
Sofgates Loadware Version - pzksgw50.A9.033, APS Version - L0-T4T.A9.033
Phones software versions(HFA):
CP600 - V1 R5.5.0
IP55G - V3 R0.48.0
Now about the problem:
When you pick up only the handset, the system throws errors immediately (errors below). You don't even have to dial the number, just pick up the handset. There is no such problem with a SIP subscriber, only with HFA. Same problem on all Softgates and all vSTMI boards.
Maybe you have any ideas?

Errors:
F4066 M8 N8807 NO ACT BPB CP ADVISORY 21-08-11 18:18:46
ALARM CLASS:CENTRAL:023
CC:00566 EC:00506 UA:BAF0:C7B5 SP:7B54:17C2 BP:17DC LD:01-17-001-000
FORMAT:45 MESSAGE-ID: 00524
STACK-DATA-MESSAGE 01 OF 04
---2---4 ---6---8 ---A---C ---E---0 ---2---4 ---6---8 ---A---C ---E---0
09175908 00080000 00000000 00000000 0000BAC0 40010000 640117E6 E08EBAF8
000D000D 189A707F C240000D 820F1091 10040000 00000000 00080002 00800000
00000000 BBE2BA98 18266BE8 BB101820 7B540000 CAF600C7 4E800103 097101C7
01000154 184600D7 00C71B00 00370000 1701B9E8 184E531F BA181848 7B54808E
7A580034 8E587AFE 7A580102 18781874 00380034 00348E58 BB8808D7 BAF8186C
7B540007 20110300 188A808E 7A580971 0101000D 0098188A 10C3BD18 00072011
.
.
.
F4057 M8 N8811 NO ACT BPB CP DBAR 21-08-11 18:18:46
ALARM CLASS:CENTRAL:023
CC:00566 EC:00506 UA:BAF0:C7B5 SP:7B54:17C2 LD:01-17-001-000
DT:6C ST:6C SN: 0 CEVT:2A CSEV:6C CST: 0
FORMAT:24 MESSAGE-ID: 00524
6C6C0000 2A6C7109 01010000 00FF0000 002100B2 2069004A FF005A5A 5A5A5A5A
5A5A5A5A 5A5A5A5A 5A5A5A5A 5A5A5A5A 051D0000 01400140 0C000D00 00000000
15000000 010C000F 01000101 00000C00 71090C00 0C000C00 01000000 2C0001

 

[adibv]

UA:BAF0:C7B5 is caused by:
VFGR is missing on the system and needs to be added

Not sure if for the same CC & EC

 

[Omenas]

Dear adibv,

That may be true. I really haven’t configured VFGR on this system yet.
I will test and report the results today.

 

[Omenas]

Triggered !!! No errors left, this issue is resolved.
However .... there is another encryption issue. I was hoping these issues were related, but the encryption issue remained.
We have two OS4K V8 systems. These systems have HFA device encryption enabled and it works great. I also turned on encryption on the new OS4K V10. I did everything the same as in the other two systems. Certificates are loaded on the phones and on the vHG3500:

https://files.engineering.com/getfile.aspx?folder=7dacc6f6-a1d5-442f-bf0d-38ff5162a624&file=SPE.PNG

https://files.engineering.com/getfi...b-436a-48df-8ee1-fa60cd1b0ec1&file=SPE_CA.PNG

https://files.engineering.com/getfi...67-4faf-a0ed-7cf2dfd7da18&file=WEB_server.PNG

https://files.engineering.com/getfi...-479a-8bdc-99c87acf4cb2&file=HFA_Settings.PNG

https://files.engineering.com/getfi...b-0f80831a67f8&file=Authentication_Police.PNG

https://files.engineering.com/getfi...d-4289-ab3f-dc25ef926f5e&file=stmi_SPE_CA.PNG

https://files.engineering.com/getfi...59d4-403c-b68e-4f2b136faee1&file=stmi_SPE.PNG

When the vHG3500 Certificate Verification Level is turned off (none), then the phones work normally in secure mode

STATION NUMBER ACCORDING TO PORT EQUIPMENT NUMBER
-------------------------------------------------
MOUNTING LOCATION MODULE NAME BDL BD(#=ACT) STATUS
** .LTG 1.LTU17.001 vHG3500 ? Q2330-X READY
STNO INPUT CCT LINE STNO SI BUS TYPE
98999 000 1695 OPTI ONLY READY
MULTLINE 8. . . . . . . . . . . . . . .READY
001 SUBUNIT . . . . . DIGITE MAIN READY
(ALT_ROUT: N) (OPTIIP )
LINE: 2417 STNO: 98999 SI:VCE
001 . . . . . . . . DIGITE SUB A READY
002 . . . . . . . . DIGITE SUB A READY
003 . . . . . . . . DIGITE SUB C READY
SECURITY LEVEL . . . . . . . (CONF.) "SECURE"
(ACT.) "SECURE"

When the vHG3500 Certificate Verification Level is enabled on "Trusted", then the phones stop working:

https://files.engineering.com/getfi...4f16-bf80-ac3814c4e3e0&file=vSTMI_trusted.PNG

F5645 E8 N0569 OUT SERV BPB CIRCUIT L1 ERROR S0 21-08-14 13:38:58
ALARM CLASS:SWU-PER:004
** :LTG1 :LTU17:001: 00 : 0 Q2330-X vHG3500 BST:01 PLS:-07
REASON:04H NO SIGNAL (RED) (LOCAL ALARM)
FORMAT:36 DEVICE NAME: ONLYSYM

DIS-SDSU:ALL,,STNO,PER3,98999;
H500: AMO SDSU STARTED

STATION NUMBER ACCORDING TO PORT EQUIPMENT NUMBER
-------------------------------------------------
MOUNTING LOCATION MODULE NAME BDL BD(#=ACT) STATUS
** .LTG 1.LTU17.001 vHG3500 ? Q2330-X READY
STNO INPUT CCT LINE STNO SI BUS TYPE
98999 000 1695 OPTI ONLY NPR
MULTLINE 8. . . . . . . . . . . . . . .NPR
001 SUBUNIT . . . . . DIGITE MAIN DEFIL
(ALT_ROUT: N) (OPTIIP )
LINE: 2417 STNO: 98999 SI:VCE
001 . . . . . . . . DIGITE SUB A UNACH
002 . . . . . . . . DIGITE SUB A UNACH
003 . . . . . . . . DIGITE SUB C UNACH
SECURITY LEVEL . . . . . . . (CONF.) "SECURE"
(ACT.) "SECURE"

Maybe you have ideas on this as well?

 

[adibv]

​Without the setting trusted or full, you should have SPE - you should just check the connection is made via TLS.
You can do that with a sniffer or TCP checking communication port is 4061.

For MTLS (mutual TLS), where also the phone needs a certificate from DLS, check the IP Solutions manual: Signaling and Payload Encryption (SPE) @ chapter 1.3.4 Certificate Verification Level .

" IMPORTANT: If on the TLS server side Trusted or Full is configured, the certificate from the TLS client is requested (Mutual TLS).
If on the gateway subscribers are configure which do not have a certificate,
then select on the gateway (which is on this interface TLS server) as Certificate Verification Level None,
but on the subscribers (which are TLS clients) Trusted or Full to check the received certificate from the TLS server