
Remote J179's over P2P VPN "Acquiring Service"

Status
Not open for further replies.

dsm600rr

IS-IT--Management
Nov 17, 2015
1,444
US
Hello all,

I have a remote J179 phone at a client's shop that is connected via a P2P VPN using WatchGuard firewalls.

The phones will update their firmware and load the company logo on the phone's screen; however, when I go to log in I get "Verifying Credentials" and then "Acquiring Service".

Thoughts?

ACSS
 
Questions:

WAN: Local phones are on 172.30.20.XXX with an IP Route out

LAN: On the Data Network 192.168.1.XXX

Remote LAN: 192.168.2.XXX

Should I have an IP Route on the Data Side as well?

So the remote phone will grab a 192.168.2.XXX address and VPN over the network to the Data Side at 192.168.1.XXX.

As it is set up now, it's grabbing firmware files over the VPN; however, it will not log in. Of course the firewall guy is saying everything is fine on his end. Running out of ideas here.

ACSS
 
Default the trace options and enable the SIP options to verbose, then try to register the phone and send the file so we can look at it. Are you sure you have the extension as a SIP extension? Also enable remote phone for SIP on LAN1.
Mike
 
As I understand it you have the local phones connected to LAN2 and try to get the remote phones to connect on LAN1 ?

This will cause a lot of problems unless there is routing between those networks.

There is almost never any good reason to use more than one lan port on the IP Office, handling of networks and routing should be left to the router/firewall.

"Trying is the first step to failure..." - Homer
 
janni78: Originally they just had the local phones, so I had those on a phone VLAN. Then the customer requested the phones at another location over the VPN.

I have moved over my SIP Trunk, Public IP (Network Topology), and Enabled SIP Remote Extensions and so on to the customer's Data VLAN.

I still have the Local J179's and IPO DHCP Server on the Voice VLAN.

ACSS
 
I have enabled "SIP Remote Extension Enable" under the Data LAN and "Enable Remote Worker" under the extension.

I will reboot the phone with all default trace options enabled and enable the SIP options to verbose. I will post the trace shortly.

ACSS
 
janni78: The setup is:

LAN 2: Local Phones, IPO DHCP Server for the phones on 172.30.20.1

LAN 1: Remote Phones, on the Data VLAN, SIP Trunk, Remote Phone Options Enabled. IPO at 192.168.1.200

Remote Phones VPN from 192.168.2.1 to 192.168.1.1

I am not sure how else to do this without just throwing everything on the Data VLAN.

I could have the firewall guy create a route between both local networks, however I am not sure that will help the remote phone situation.

ACSS
 
This sounds like an IP route issue to me. You would need 2 different IP routes:

Route 1
IP address: 192.168.2.0
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1 (assuming that's the IP of the local VPN gateway)
Interface: WAN

Route 2
IP address: 0.0.0.0
Subnet mask: 0.0.0.0
Gateway: 172.30.20.1 (assuming that's the IP of the data side gateway)
Interface: LAN

This would say traffic coming from 192.168.2.X subnet will be routed using 192.168.1.1 as the gateway and use the WAN port. Anything else, from any other subnet, will be caught by the default route and use the data gateway and LAN port.

The truth is just an excuse for lack of imagination.
 
critchey:

I do not need an IP Route for 172.30.20.1 as it's just Local Phones on the Local Voice VLAN and an IPO DHCP Server.
Local Phones are on the WAN

On the Local Data side LAN of 192.168.1.200 with the SIP Trunk/Public IP Address and Remote Phones I have an IP Route of:
IP address: 0.0.0.0
Subnet mask: 0.0.0.0
Gateway: 192.168.1.1
LAN1

Should I make another Route on the LAN as you described:
IP address: 192.168.2.0
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1
LAN1



ACSS
 
 https://files.engineering.com/getfile.aspx?folder=a81fd146-59b2-4c04-ac65-4625e9c37860&file=RM_Trace_12-9-2020.rtf
If you don't need an IP route on the 172.30.20.1 side then you can have just one default route. I think I see the issue with yours though.

dsm600rr said:
On the Local Data side LAN of 192.168.1.200 with the SIP Trunk/Public IP Address and Remote Phones I have an IP Route of:
IP address: 0.0.0.0
Subnet mask: 0.0.0.0
Gateway: 192.168.1.1
LAN1

While you are telling the system to use 192.168.1.1 as the gateway, you are telling the system to use the LAN port, when you actually would want to use the WAN port since that is on the same subnet as the gateway. That is why your firewall guy saw it trying to connect to 172.30.20.1: your IP route told it to use the LAN port.

The truth is just an excuse for lack of imagination.
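Added example, not code from this thread or from Avaya: a small Python model of the route selection critchey describes in the two posts above (the two-route table, and the mismatch where a route's gateway is not on the subnet of the port the route names). It does a longest-prefix-match lookup over a constructed route table and then checks that each route's gateway actually lies inside the subnet configured on the chosen port. The interface addresses (LAN1 192.168.1.200/24, LAN2 172.30.20.1/24) are assumed from the addresses given in the thread; the function names and the table layout are mine.

```python
import ipaddress

# Constructed route table modelled on the two routes proposed in the thread:
# (destination network, gateway, interface). The 0.0.0.0/0 entry is the default route.
ROUTES = [
    ("192.168.2.0/24", "192.168.1.1", "LAN1"),   # remote phone subnet via the VPN gateway
    ("0.0.0.0/0", "192.168.1.1", "LAN1"),        # everything else via the data-side gateway
]

# Constructed interface addresses, assumed from the thread (IP Office LAN1 / LAN2).
INTERFACES = {
    "LAN1": "192.168.1.200/24",
    "LAN2": "172.30.20.1/24",
}


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (network, gateway, interface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def gateway_on_interface(gw, iface, interfaces=INTERFACES):
    """True if the gateway address lies inside the subnet configured on iface."""
    return ipaddress.ip_address(gw) in ipaddress.ip_interface(interfaces[iface]).network


def check_routes(routes, interfaces):
    """Return a list of problems: routes whose gateway is not reachable on the named port.

    This is the mismatch critchey points out: a route that names 192.168.1.1 as the
    gateway but sends traffic out a port whose subnet does not contain 192.168.1.1.
    """
    problems = []
    for net, gw, iface in routes:
        if not gateway_on_interface(gw, iface, interfaces):
            problems.append(f"route {net} via {gw} on {iface}: gateway not in {interfaces[iface]}")
    return problems


if __name__ == "__main__":
    for dst in ("192.168.2.50", "8.8.8.8"):
        print(dst, "->", lookup(dst))
    print("problems with the proposed table:", check_routes(ROUTES, INTERFACES))
    # A route that points at 192.168.1.1 but leaves via LAN2 (172.30.20.0/24) is flagged.
    bad = [("0.0.0.0/0", "192.168.1.1", "LAN2")]
    print("problems with a mismatched route:", check_routes(bad, INTERFACES))
```

The lookup picks the /24 for a remote phone address and falls through to the default route for anything else; the check function is the part worth keeping on hand, since a gateway that is not on the egress port's subnet is exactly the silent misconfiguration the thread circles around.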
 
Hi critchey,

I have changed quite a few things since he saw that. My IP Route used to be out the Voice VLAN of 172.30.20.254

"While you are telling the system to use 192.168.1.1 as the gateway" - Correct:

[screenshot: 1_zhsfic.png]


"you are telling the system to use LAN port when you actually would want to use the WAN port since that is on the same subnet as the gateway." - My LAN is on the same Subnet as the Gateway:

[screenshots: 2_fifxpc.png, 3_rftags.png, 4_io3sqt.png, 5_v7ejyf.png, 6_xchbvn.png, 7_dy4n8g.png]


Looking at the trace, I do see an IP Address from the Remote Side (192.168.2.XXX) from my PBX (192.168.1.XXX).

[screenshot: 8_lmpf05.png]

So that makes me wonder, do I need the route you explained to tell 192.168.2.XXX that it needs to find the PBX at 192.168.1.XXX?

ACSS
 
Sorry, I think I got the IPs on your interfaces mixed up in my head. Thanks for the pictures; it makes thinking it out a lot easier.

The truth is just an excuse for lack of imagination.
 
critchey: No worries, you are trying to help me so I try and make it easier on you hah.

ACSS
 
dsm600rr said:
Side note, any idea what would be causing these errors in the log "SIP/2.0 401 Unauthorized"?

Yeah, for whatever reason SIP trunks tend to kick out 401 Unauthorized from time to time. You can see in the packet:
Digest realm="nexvortex.com"



The truth is just an excuse for lack of imagination.
 
The only thing the monitor trace shows is what you pointed out, the two Service Access Connections. Have you checked in System Status to see if the IP and/or extension has been blacklisted/quarantined?


The truth is just an excuse for lack of imagination.
 
critchey: Great Idea, I did not think of that. It is not Blacklisted however.

ACSS
 
I can ping what I believe to be the phone from SSA

[screenshot: 1_hibnq2.png]


ACSS
 
I would have the firewall guy run a trace when you try to connect with the phone. Since you are getting files correctly, port 80 (or 443 if HTTPS) is working correctly. It could be a different port, one needed for the registration, that is being blocked. The monitor trace doesn't show the phone even attempting to register; it only shows the service access connection, which I think is just the system seeing the phone grabbing files.

Another idea for us to look at:
Go to 192.168.1.200/46xxsettings.txt from a browser and it should serve you the 46xxsettings file. Make a copy of that file and post it; maybe there is something mucked up in there.

The truth is just an excuse for lack of imagination.
 