
Remote J179's over P2P VPN "Acquiring Service"


dsm600rr

Hello all,

I have a remote J179 phone at a client's shop that is connected via a P2P VPN using Watchguard Firewalls.

The phones will update their firmware and load the company logo on the phone's screen; however, when I go to log in I get "Verifying Credentials" and then "Acquiring Service".

thoughts?

ACSS
 
Bit more info now that I am back at the office.

Local Phones are on a 172.30.20.XXX Network (Voice VLAN)

I put the IPO On their Data Network for their remote phones.

Remote phones grab a 192.168.1.XXX address at the remote location. Local is on 192.168.2.XXX

IPO on the Data VLAN: 192.168.1.200

After updating the J179 "IP Configuration" > "Servers" > "HTTP" "HTTPS Servers" to the 192.168.1.200 the phones updated their firmware files and pulled the Logo I loaded for them however every time I tried to log in I would get "Acquiring Service"

The Firewall guy notated that he saw the phones trying to register to 172.30.20.XXX so I also updated the "SIP Domain" in the phone to 192.168.1.200 - Still no go.

"SIP Registrar" is enabled on both interfaces.


ACSS
 
Are you using TCP, UDP or TLS?

In case you use TLS, is the cert properly set for remote phones?

Is 'enable remote extension' enabled on the user?

 
Reset a phone to factory default. When it boots up, at the "Do you want to enable auto provisioning?" answer NO. Go into Admin, IP Configuration, Servers, set ONLY the HTTP address to 192.168.1.200, reboot, and it should connect to the network.

Make sure that SIP Registrar on the LAN port is checked, and that the 46xxsettings.txt file is auto generated
 
TouchToneTommy: I will give that a go. SIP Registrar is checked, 46xxsettings.txt file is auto generated

ACSS
 
Okkie26: They have a Point to Point, Firewall to Firewall VPN Connection.

ACSS
 
Still,

Could be a TLS > cert issue.

Can you disable TLS or add the 46xxspecials.txt and enter 'SET TLSSRVRID 0' there?

 
What type of firewalls? Could be an ALG issue.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Vive Communications
 
kwing112000: Watchguard XTM-26Ws

ACSS
 
Okkie26: TLS is not enabled under the LAN > VoIP Tab.

ACSS
 
Any other thoughts before I head back out there to try and get these phones to work?

Below is a recap:

- My Voice Network is 172.30.20.1 that hands out DHCP to the Phones and where their SIP Trunk registers.
- I put the PBX on their Data Network at the main site as well at: 192.168.1.200
- The phone at the remote site grabs a: 192.168.2.XXX
- The phones are able to VPN Back to the main site and update their Firmware Files as well as Download the Logo, however will not log in "
- I can ping from the Remote Phones at 192.168.2.XXX back to the IPO at 192.168.1.200
- Would I need an IP Route for the PBX on the Data Network for the Remote VPN Phones?




Updating over the VPN: (screenshots not preserved)


ACSS
 
Run a monitor trace, SIP set to verbose, and see what is happening. It could be quite a few different issues. My random guess is there is NAT'ing set up on one side, or both sides, and when the IPO sees NAT'ing it thinks the phone is a remote worker. Just a random guess though.

The truth is just an excuse for lack of imagination.
 
critchey: Below is what their firewall guy replied with:

All outbound traffic is natted behind 96.XXX.XXX.XXX at the main location and 75.XXX.XXX.XXX for the rigging location.

The only inbound traffic allowed\setup for nat is the site to site VPN tunnel, SSL VPN to the main site only and Remote management ports for the firewall (those are only open to our IP address).

Hope that gives you the information you need.


ACSS
 
As I said before run a monitor trace and set SIP to verbose. Post the results here (if it is a big file post to a .txt file and post that).

The fact that you have NAT'ing going on over the VPN is most likely why it is not working. IP Office sees phones that are NAT'ed as remote workers, not VPN phones. It may even connect as a remote worker, but who knows if it will work correctly, and you can only do 4 without licenses.

The truth is just an excuse for lack of imagination.
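
The NAT question raised in the replies above can be checked against a REGISTER taken from the verbose SIP trace. The following is an added example, not part of the thread and not IP Office's own logic: it applies the generic SIP comparison between the addresses the phone writes into its topmost Via and Contact headers and the address the packet actually arrived from. The REGISTER, extension 201, phone address 192.168.2.50 and the translated source used in the test are constructed.

```python
import ipaddress
import re

# Constructed REGISTER from a phone at 192.168.2.50 (not taken from the thread's trace).
SAMPLE_REGISTER = (
    "REGISTER sip:192.168.1.200 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.2.50:5060;branch=z9hG4bK-constructed;rport\r\n"
    "From: <sip:201@192.168.1.200>;tag=constructed\r\n"
    "To: <sip:201@192.168.1.200>\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:201@192.168.2.50:5060;transport=tcp>\r\n"
    "Content-Length: 0\r\n\r\n"
)
COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header names

def parse_headers(message):
    """Return {lowercased header name: [values]} for a SIP message's header section."""
    headers = {}
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def host_only(hostport):
    """Strip the port from host[:port], including bracketed IPv6 literals."""
    hostport = hostport.strip()
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0]

def claimed_hosts(headers):
    """Addresses the phone wrote into the topmost Via and the Contact header."""
    sent_by = headers["via"][0].split(None, 1)[1].split(";", 1)[0]
    contact = re.search(r"sips?:(?:[^@>;]*@)?([^;>]+)", headers["contact"][0])
    return {"via": host_only(sent_by), "contact": host_only(contact.group(1))}

def nat_check(message, packet_src):
    """Flag headers whose address differs from the address the packet arrived from."""
    src = ipaddress.ip_address(packet_src)
    mismatched = []
    for name, host in sorted(claimed_hosts(parse_headers(message)).items()):
        try:
            if ipaddress.ip_address(host) != src:
                mismatched.append(name)
        except ValueError:  # hostname: cannot compare without DNS
            pass
    return {"source": str(src), "mismatched": mismatched, "nat_suspected": bool(mismatched)}
```

Call `nat_check()` with the raw REGISTER text and the source address recorded for that packet; an empty `mismatched` list means the phone's own address survived the tunnel untranslated.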
 
As Critchey said enable remote worker on both the system and the user and see if that will allow the phone to connect. If it is behind a NAT device it will require remote worker enabled.
Mike
 
teletechman: I have "Enable Remote Worker" under the two remote extensions. When you say to enable on the system, are you referring to "SIP Remote Extension Enable" under the LAN VoIP Tab?

ACSS
 
Hello all,

So I went back on site today and tried a few things to get these Remote J179's working over the client's P2P VPN.

I took a new phone with me and brought it to the main site - in which it updated its firmware and logged in on the voice VLAN (172.30.20.1)- (IPO WAN)

At the main location I then patched the phone into the Data VLAN, updated its HTTP Server to 192.168.1.200 - (IPO LAN) and the phone logged in with no issues.

Took the phone back to the remote site, it booted up - hung up a bit on "Verifying Login Credentials" and finally back to "Acquiring Service"

I reached back out to the Firewall guy to see if he could disable NAT temporarily and this was his response:

"Reading my previous email, I can see where you thought there might have been. My wording wasn’t the greatest, sorry about that. There is no NAT configured for the VPN. There is no NAT between the sites over the VPN, there is NAT for outbound traffic to the internet."

So come to find out there is no NAT Being used.

So I have disabled "SIP Remote Extension Enable" and "Enable remote worker"

To re-cap, the remote phones will update their firmware over the VPN, they will grab the company logo that I have installed and will get to the login screen. When I go to log in, the phone will hang longer than usual at "Verifying Login Credentials" and finally back to "Acquiring Service"

Any other thoughts?

I did run a SIP Verbose trace as the phone was booting.


ACSS
 