VPN phone stuck at "Discover" 1

[james1052]

I have a VPN phone which cannot connect. It is at remote Site B and is behind a Cisco ASA firewall. I am trying to get it to connect to the phone system at Site A. It works just fine if I bring the VPN phone to my home, but it does not work at Site B when behind the ASA firewall.

At first I could not get it to VPN at all but now that I have configured my access-lists on my ASA to allow IKE port 500, it can at least VPN. However, after it successfully VPNs, it gets stuck at "Discover [phone-server-ip]" The IP address listed on the LCD is correct, but it never gets past that. Is there another port I need to open for it to talk to the phone system? Please help. I am stuck sitting here trying to figure out what to do.

 

[amriddle01]

Probably best asked in the Cisco forum, as we know that's the cause



"No problem monkey socks

 

[james1052]

I can handle the Cisco side of it. I just need to know if it is trying to talk on a certain port that I need to unblock and if so, what port?

 

[amriddle01]

It uses 1720 and 1719 I believe, but you shouldn't block any ports within a VPN tunnel, kind of defeats the purpose



"No problem monkey socks

 

[james1052]

I just unblocked those right before I saw your post and am rebooting the phone to see the result. I know what you mean about the VPN in most cases. But remember, this is not a site-to-site VPN. This is just a VPN phone sitting out on a remote site that is not connected to Site A with a site-to-site VPN.

 

[james1052]

Still broken. Per my new thread, I may need some Cisco help after all, based on some things I found in my research...

 

[tlpeter]

Did you also open the ports for RTP?


BAZINGA!

I'm not insane, my mother had me tested!

 

[hairlessupportmonkey]

The cisco asa works sweet as a nut with VPN phones. there shouldn't be any firewall issues as you are routing private traffic over a VPN. You need to be running the VPN in config mode and ensure you are assigning an IP to the handset via a DHCP pool in your VPN setup on the ASA

ensure you have a route on the IPO pointing the trusted network from the remote end (NOT the virtual IP) to your ASA.

Generally this is all I do and it works every time.

Check the protected network setting on the handset. dont leave it at 0.0.0.0/0 make it specific to the host network.

ACSS - SME
General Geek

 

[james1052]

What you are saying about the VPN not needing any further ports makes sense.

How do you account for the fact that the phone is working with no problems from a residential network? If I bring it home or to any other network, it works.

I am new to Avaya IPO. I'm a network guy, not a phone guy. Can you help me understand better how to run the VPN in "config mode" and ensure I have "a route on the IPO pointing the trusted network from the remote end (NOT the virtual IP) to [my] ASA"? I'm clueless on how to do that. Also, on the protected network, are you saying to set it to be the network address of the network the phone is on at Site B? Like if the Site B ASA is 172.16.100.1, then set it to 172.16.100.0/16? Thanks so much for the help. I'm at the end of my rope with this one.

 

[hairlessupportmonkey]

OK re-reading your OP.

why not create a site to site vpn?

ACSS - SME
General Geek

 

[james1052]

Don't have the Cisco licenses.

Don't you find it strange that it works from anywhere else but not when trying to initiate a connection from behind an ASA? I have made the following changes on the ASA at Site B with no joy:


policy-map global_policy
class inspection_default
no inspect h323 h225
no inspect h323 ras
no inspect sip

no fixup protocol tftp 69
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol sip udp 5060
no fixup protocol skinny 2000

 

[hairlessupportmonkey]

no fixup?

how old is that firmware?

ACSS - SME
General Geek

 

[hairlessupportmonkey]

*cough*

https://dl.dropboxusercontent.com/u...40 8.2(1) Keymaker v1.0 (Sep 2009) by SSG.exe

turn off AV, but its safe.

if you need firmware and ADSM let me know!

ACSS - SME
General Geek

 

[james1052]

Wow....I would LOVE to get the updated firmware and ADSM! Thanks!

The ASA is currently at 8.0(3)...

 

[james1052]

According to this, there are no specific RTP ports. It's all dynamic?...

http://www.cs.columbia.edu/~hgs/rtp/faq.html#ports

 

[hairlessupportmonkey]

https://dl.dropboxusercontent.com/u/8356933/asdm-712.bin

https://dl.dropboxusercontent.com/u/8356933/asa911-4-k8.bin

Happy Days!


ACSS - SME
General Geek

 

[hairlessupportmonkey]

BTW that key gen will enable unlimited hosts and 3DES VPN amongst other things!

ACSS - SME
General Geek

 

[james1052]

Thanks bunches!!

 

[hairlessupportmonkey]

Beware, from firmware 8.4 and on, NAT is a different animal and all your hosts must have aliases Deep joy. I moved from Cisco to Watchguard. Life is now much easier.

ACSS - SME
General Geek

 

[james1052]

Good to know!