VPN Annoyance 2

[StephenWyker]

I have some 9608 and 9620C phones for some remote users. Site A has 10 people, Site B has 3. Fortigate 60E at home office. First phone VPNs fine. Second phone, various issues from retrieval failed, to just hanging at discover. If I try with a second 9608, it will connect, but lock out the other phone or cause it to reboot.

Monitor shows the same info as the working phone. IPSec monitor in Fortigate shows good as well.

Does anyone have a useful solution to allow my remote phones to connect? Getting another piece of hardware at the remote sites is NOT an option as its a shared coworking space and they will not let us house any equipment in their wiring closets.

 

[telecomtekperson]

What are the subnets at home?

if they are the same subnet, i think that would cause issues....

 

[StephenWyker]

IP Office is 192.168.42.0/24 - remotes vary but 10.0.112.0/24 or 10.1.111.0/24

 

[TouchToneTommy]

Are the phones using the built in ipsec VPN, or do you have a site to site VPN set up?

We see this with hosted systems
"Disable all SIP transformations, fix-ups, inspections, or ALG's on the firewalls, routers, and switches"

Fortigate:

Disabling the SIP ALG in a VoIP profile
SIP is enabled by default in a VoIP profile. If you are just using the VoIP profile for SCCP you can use the following command to disable SIP in the VoIP profile.

config voip profile
edit VoIP_Pro_2
config sip
set status disable
end

 

[StephenWyker]

Phones are using built in IPSec -- When I put a meraki VPN appliance in line, it works fine (as one would expect) -- but I can't put a 600$ appliance in each office for 1 or 2 phones ;-) I'll try the fortigate suggestion above. Thanks Tommy

 

[intrigrant]

You need a policy based VPN appliance as each phone use a separate VPN connection.
Now both phones use the same VPN tunnel causing one to connect but it will loose connection if the second one connects.