
SCN - kindly request some help 1


raist3001

Technical User
Jun 11, 2013
150
US
Unable to get my SCN up and connected. Here is my current set up on 9.1:

SCN - LAN to WAN - routing via VPN
IPO A = 192.168.42.1
IPO B = 192.168.43.1

IPO A IP Office Line(SCN) with gateway address of IPO B
IPO B IP Office Line(SCN) with gateway address of IPO A

IP routes
IPO A Routes
192.168.43.0 / 255.255.255.0 / <Gateway IP>
0.0.0.0 / 0.0.0.0 / <Gateway IP>

IPO B Routes
192.168.42.0 / 255.255.255.0 / <Gateway IP>
0.0.0.0 / 0.0.0.0 / <Gateway IP>

In system Status for both Sites, Trunks are reporting as Out of Service.

Weird thing is when I go to IP routes in System Status for Site A and try to ping the gateway of Site B, the ping fails with 100 percent packet loss.
I can ping the IPO in Site B from system status, Just not the gateway in Site B.
However, from the PC in Site A, I can ping both the GW and the IPO in Site B.

When I go to IP routes in System Status for Site B and try to ping the gateway of Site A, the ping is successful.
I can also ping the IPO in Site A from system status (Site B) and gateway in Site A.

Any thoughts on what I am missing?

Edit:
I have the SCN networking licenses installed at both sites
 
It only shows as in service when it's actually in service, i.e. the systems can see each other and exchange data. Showing the trunk as In Service just because it can ping its gateway is both misleading and stupid if you think about it :)

 
Why would it be stupid? That's why I asked if in service means when BOTH sites can communicate. If one site can communicate just fine, it's not stupid to think that this line would show in service.
 
Because it's commenting on the state of an SCN link not the router, just because the system can see the local router doesn't mean the SCN link is up does it, how would you monitor the actual state of the SCN link if it said it was UP just because it could see the router? It makes no sense...think about it.

Does a VPN say it's up just because it can reach the internet...no, it says it's up when the actual link is established :)

 
I guess I am looking at the links as being separate as opposed to being whole. One side won't show as in service, while the other is not. Never stopped to think this was technically like establishing a VPN.
In any event, the IT person is telling me that the VPN is set to default and that all traffic is being allowed. I asked for remote access to one of his PCs so I could install NMAP and test. NMAP shows the following ports as filtered (closed) - these are the ports Avaya has told me need to be open.

1718-1720
49152-53247
50795

So safe to accept that the client has a network issue and that both IPOs are configured correctly.
 
The IT is talking bollocks, your own tests have shown that, ask them why the ports are blocked, if it's "all traffic is allowed"....Nothing we can help with.
We get this at least once a month on this forum with Sonicwalls, same story.... nothing blocked, until they find they are blocking stuff.
If you're lucky they admit it and then fix it after a short while and not weeks :)

 
Thanks for all the time you offered here to help me AM, it is greatly appreciated.

I will update this thread once the IT people figure out the issues. I will confirm what was found.

 
I always had some issues with the sonicwall blocking. How are they connected? MPLS? MIS? via VPN connection over IPSEC?
 
Make sure that any SIP or H323 ALG (application layer gateway) services are OFF*. These are typically enabled by default, and often don't even have a place to turn them off in the router GUI. I know for a fact that on the Fortinet routers there are a series of command line entries that need to be run to disable them. I can also confirm that Juniper routing devices have them enabled by default and they need to be disabled before SCN will work.

Something to do with "helping" with the RTP ports for VoIP and such.

- Qz

* My apologies if this was mentioned already and I missed it in the long thread.
 
I wanted to update this thread as what I did to resolve the issue.
Since I was getting nowhere with the IT staff, we approached the customer with our own VPN solution that would have us installing 2 Edgewater Edgemarcs.
The customer agreed and I installed the firewalls and configured the VPN.
IPO line came right up.

Sonicwalls are a pain.

 
Yes, they can be, as most of the time people don't know what they're doing at all and think they must be IT geniuses because the customer can reach the web.
I hope the customer had appropriate words with the "it's not us" IT men..... when it clearly was, I mean what else don't they know :)

 
Genuine IT Geniuses are even worse.
They insist on trying to play with every setting to get "Improved" performance & "Tighter" security despite the fact that a VPN should be considered the same as a simple uplink between switches.

Had a similar issue with a customer who insisted on trying to use a software VPN solution on 2 server PCs. We finally resolved that one in the same way (with Drayteks) & a bill for parts & wasted engineering time :)


Do things on the cheap & it will cost you dear
 
Seriously any IT company who cannot create a site to site VPN between two Sonicwalls needs sacking. It is really so simple to get an SCN working across a Sonicwall S2S that it is laughable. You do not even have to do anything other than tell each side what the other side's gateway and LAN subnet is (plus the preshared key) and it will just work.

No ALG settings need amending as the Sonicwall has both SIP and H323 transformations off by default.



| ACSS SME |
 
Even with all the proof I had with running NMAP to show that the ports were closed, the IT folks insisted they were not and could not explain why the tests were showing that they were closed. Ahh, that's because THEY WERE. Thankfully, the Client accepted my evidence and allowed me to install new firewalls and a new VPN. He was further convinced when the SCN tunnel came right on line.

Now, the IT firm is insisting on accessing our firewalls to set up security. That request of course has been denied.
 
I would tell them to f@&k right off, they clearly can't even programme their own routers correctly, now they want to screw yours up.....yeah right :)

 
Now, the IT firm is insisting on accessing our firewalls to set up security

I'd advise that you let them. If they break the SCN, that is their problem. However if the client gets hacked in any way, shape or form, the finger will be pointed at you (rightly or wrongly)



Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
The Voice and Data have been separated. There is absolutely no need for them to have access to the VoIP firewalls since they do not manage the IPO's.
Between our SIP providers and just how well I lock down the Edgemarcs, it would be very, very difficult to gain access to the VoIP network.
 
With respect, you have missed my meaning, and I was not implying anything about your skill and capabilities.

What I am saying is that if the customer gets hacked in any way, by any vector, you are open to the IT company pointing the finger at you and your firewalls. If you let them audit & harden them, it becomes their responsibility for ever. If they then break SCN, that is also their problem.

This is more about covering your arse and having a big grin on your face when they screw it up.

Everything, may indeed end up rosy....

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 