Panasonic NS700 and Remote Phones No Audio

[AUSDread]

Hi Guys,

I am having issues similar to a few other posts I have seen - but none of their fixes have resolved my issue. Would really appreciate any tips, ideas, thoughts ... its starting to drive me nuts and no-one seems to have a solution!

We have a Main Site - two internet connections, load balanced via a Sophos SG230. Each Internet Connection has a block of 4 IP addresses.

My LAN has a number of local vLANS and I have setup vLAN 30 (10.0.30.0/24) as my VOIP vLAN - this mirrors exactly the same setup as all my other vLANs.

I have a Dell 6448 as more 'Core' Switch, with Layer 3 and Inter vLAN routing setup. This switch is the Default Gateway for ALL vLANs. The Default Route on this switch has set 0.0.0.0. to got to 10.0.10.50 - my SG230's Internal IP. I have a couple of Windows DC's and with IP Helper on the Dell Switch - all my vLAN's are being handed DHCP addresses from my pools, including vLAN 30.

ALL is working perfectly Internally.

Part of the sales pitch of dumping our old Samsung Phone System was that the NS 700 had KX-NT553 handsets which could be used remotely. We have a Remote Site Office with 4 users - the 4 users out there rotate on a Roster here from Head Office. The user could sit down, punch in their Extension Number and password and BAM! Their internal extension would follow them around - even to Remote Phones! This feature works fine Internally, we programmed a button on the menu of each phone as a shortcut and it works great.

The NS700 has an IP of: 10.0.30.250
DSP1 Card: 10.0.30.251
DSP2 Card: 10.0.30.252
and the default gateway of that subnet is the Dell 6448 at: 10.0.30.254

I have set up all the required DNAT's and Firewall rules as supplied by the Phone Systems Installer and it seems to be all OK - I have doubled checked a hundred times and 2 of their Techs have checked and now two seperate Sophos Engineers. I can access the Remote Management of the NS700. Remote handsets are registering with the NS700 via remote sites (my home!). I can ring the internal extension number of the Remote Handset. The Remote Handset can dial internal extensions fine. The Remtoe handset can dial 0 and wait a split second and get dial tone. It can then ring regular land lines and mobile phones and the calls are made perfectly fine.

What I am not getting is audio to or from the handset MOST times. Very occasionally I can get audio from my mobile going to the Remote Handset perfectly clear. Hang up and re-dial and No Audio at all again.

I have troubleshot about 100 calls now with the Live Firewall Log from the SG230 running and WireShark monitoring the port on the switch the NS700 is plugged into. I can see My Home IP address connecting via port 16000 to the NS700 DSP1 Card on the correct external IP belonging to the second Internet Connection through the Firewall Log and via WireShark. I can see return packets to my IP from the NS700 going back out. Sometimes the call will come through port 16512 from My Home IP and it is correctly routed to DSP2 card (this is as per the Port forwards sent to me by the Phone Supplier).

I do not know what else to try to be honest - its driving me nuts. The Phone people blame Sophos and Sophos, when they can be bothered getting back to me, say the SG230 is fine and all setup OK. Meanwhile I am stuck here with people whining about phones on-site. I've tried the Sophos Community forums and I keep getting suggestions on Asterisk settings - despite my response thanking them but pointing out I have an NS700 PBX, so thats been less than helpful as well. I stumbled across this forum with a few people asking similar questions.

Any help, advice or ideas are greatly appreciated.

Cheers

 

[obtsystems]

Hi,

Most of audio issues usually are down to the firewall for a number of reasons, one is the ports are not forward correctly
all ports are udp.
ports 9300 and 2727 to system
ports 16000 to 16511 to dsp 1
ports 16512 to 17023 to dsp 2

As well as forwarding firewall rules have to allow traffic to pass

Nat ip address is set on media relay
remote phones are set to remote in ip card

All ALG and sip helpers must be disabled, these cause huge problems and check your firewall as it may not be a setting in the GUI but only disabled by command input and restart.

 

[AUSDread]

Thanks for the reply!

In regards to ports - yep, I've set up all teh required DNAT (Sophos UTM 9 required DNAT rules setup which will then auto-setup the applicable Firewall Rules).

UDP ports range 16000-16511 forwarded to the Panasonic DSP1 card IP 10.0.30.251
UDP ports range 16512-17023 forwarded to the Panasonic DSP2 card IP 10.0.30.252
UDP port 2727 forwarded to the Panasonic NS700 LAN IP 10.0.30.250
UDP port 9300 forwarded to the Panasonic NS700 LAN IP 10.0.30.250
UDP port 14060 redirected to port 5060 forwarded to the Panasonic NS700 LAN IP 10.0.30.250
TCP port 35300 redirected to port 80 forwarded to the Panasonic NS700 LAN IP 10.0.30.250

As per the Phone Installers guidelines

The extensions are set to Remote in the NS700

I can see activity from my external IP hitting all those ports in the Live Firewall Logs and in WireShark monitoring the NS700's port on the switch, and see the return traffic - but still have voice issues.

An extra note - at the moment we are awaiting the new SIP trunks. The system will be totally VOIP very soon. In the meantime the NS700 is connected to our existing Phone line service the previous system was on via a Telstra (our local phone company) Box. This has our 10 existing incoming lines etc

In regards to: Nat ip address is set on media relay

Where am I looking for this?

Cheers

 

[obtsystems]

It is here.... should be your external ip address, would cause other problems as well so may it be there already

I would say it is on the firewall alg or sip helpers enabled or port forwarding not setup correctly

 

[AUSDread]

I am definitly not seeing that at all on the PBX

 

[AUSDread]

OK - PBX Supplier/Installer just got back to me - yep, they have confirmed that our correct external IP is setup as per your screenshot. They were able to login remotely and confirm.

 

[obtsystems]

Sorry my screen shot was for an ns1000

I would definitely say firewall. Every time we had issues it is always was the firewall

 

[AJ22]

Had exact same issue. I moved all my sip traffic etc on to our own router and set all ports myself to insure I have full control of firewall. I got my remote phones working as specified above no issues.

Problem I have is I wanted to lock router down to allow traffic from remote sites only but customer wants to be able to plug these in anywhere... so I went about doing this but get attacks so taken back off.

I changed the nat sip proxy port to a different port to the internal sip server extn port. I noticed when I done this the remote phones would work fine but only when calling from the internal office out to the remote phones there is no speech now ? I take it that's because the I haven't done a port translation from the nat proxy port to the internal sip extn port? Example I make an obscure port for nat proxy then do port translate to 15060. Don't see point of this proxy port If its all going to the sip serv anyway ?

I am hoping to keep the internal sip extn port to 15060 as that will save me changing all my other sip atas etc... ? The proxy port WAS set to 15060 I took this away but it would not let me put 15060 back in ?? Any ideas how it was in there if it not supposed to be ? I thought simplest fix keep both proxy and sip server on 15060 but do an obscure port translation for them both ? But it wouldn't let me change back pleas help?

OBT can you advise I am on the right track? I am hoping I won't get Attacks this way ?


Sorry to hi jack this thread but hope this will help more people setting this up.

 

[obtsystems]

port 15060 can stay as internal port, the system will not allow port 15060 or anything 5060 as NAT proxy port as they are known port.

what we have is NAT port on the gateway can be anything you want. we keep it high or low port number. on the router you do port translation i.e port 300 to 15060 and the firewall allow port 300 through not 15060 as the system will do that in the system.

No mater what you do on the firewall, if you keep 15060 as proxy port they will get in.

I am afraid you will have to reprogram any sip device to fix this problem

 

[AJ22]

Cheers. I have a lot of internal sip devices registered on 15060. so could from what you are saying i should be ok to leave these as is? BUT my external devices in remote loactions i set these to example port 300 and then on the sip proxy port set that to 300? Then in my firewall redirect port 300 to 15060?

It worked ok when both sip proxy and internal sip extn was set to 15060, would it be best to just make a low port no like 300 and set against then both and open ports?

 

[obtsystems]

internal ports will go to 15060 so will be ok and external NAT through firewall and media relay will be redirected from example port 300.
to 15060 which the system media relay will know where it came from and to send it back to that port.make sure any port you choose to use is not another service on the network

just make sure 15060 is not accessible from the public IP or they will bypass directly to the register server.