Question

Cisco Call Manager 7.0.1 phone registration issue

Asked by: pathix

I'm having a bizarre phone registration issue that TAC is not able to understand, and I'm hoping someone may have run into the same issue.

I have a Call Manager 7.0.1 server in location A, running in production, with 40 odd phones registered to it fine, everything is working properly. We have Location B (Remote Site) which we want phones to register on our Call Manager in Location A. Between the sites we have an IPSEC tunnel running over a Netscreen SSG5 and a Netscreen 25. I have a separate VLAN for voice traffic set at the remote office on the DHCP server, and the phone gets an IP fine, points to the TFTP of the Call Manager here, downloads its locale and other data, gets an auto registration DN from our Call Manager, but then just unregisters itself, with error 'DNS UNKNOWN HOST'. I've confirmed all DNS entries for the Call Managers are correct, and we've even changed the information on the Call Managers from name to IP ... still no go. I've attached a network diagram (fake IPs) and the console log of the phone and status messages. Hopefully someone can help me out here as I'm at a loss.

The problem phone is a 7945, however I've tried with a 7965 at the same location and it has not worked either. If, however, I install Cisco IP Communicator on a PC that's on that 3750 switch, it registers fine and functions properly. (Tried switching the voice VLAN of the phones themselves to VLAN 1 when I noticed the IP Communicator worked, however it made no difference.)

The phone registration status on the Call Manager stays in 'Unknown' status. And the phone itself has the incorrect time on the display and that's it, no DN or anything else.

This Question has been solved and asker verified.

Asked On: 2009-06-08 at 09:55:25, ID: 24472868
Topics: Voice Over IP, Network Operations
Participating Experts: 4
Points: 500
Comments: 17


Answers

 

by: sangamc, Posted on 2009-06-08 at 11:27:09, ID: 24574907

I believe the first thing you should do is disable SIP ALG on the Juniper devices if it is not already disabled. I have a similar setup without the Cisco routers. I also had to enable source based routing on the outgoing Juniper policy for the VOIP traffic.

 

by: cat6509, Posted on 2009-06-08 at 14:19:53, ID: 24576389

Are the phones getting NAT'd unintentionally (perhaps the entire Voice VLAN)?  That might cause the same symptoms.

 

by: sangamc, Posted on 2009-06-08 at 15:21:23, ID: 24576764

My mistake ... I meant to say source based NAT, and not source based routing.

 

by: pathix, Posted on 2009-06-09 at 03:15:39, ID: 24579594

Hrmm.. Source based routing may make sense here... it's bizarre actually, if I plug something into the 3750 switch at the remote site I can ping everywhere, traceroute etc., but if I do it directly on the 3750 switch I can't get anywhere, it doesn't hop anywhere. I'm wondering if it may be more of a routing issue. The only thing that confuses me is that the phone communicates with the Call Manager, the Call Manager sees it trying to register, then it just disconnects... odd behavior...

Sangamc: I've disabled SIP ALG but still no luck... I've got NAT set up on both trusted sides of the firewall (as most firewalls do). When you say source based NAT'ing, is this a config on the Juniper itself? Where do I config this, or is it a CLI?

 

by: sangamc, Posted on 2009-06-09 at 05:54:03, ID: 24580539

Yes, source based NAT is a config that goes on the policy. From the WebUI, go to the policy list and click on 'edit' for the policy that would carry traffic from the phone to the server. Click on advanced and you will see two different NAT settings for the policy: one is source translation and the other is destination translation. You want to enable source translation in this case.

From the CLI this is what my source NAT policy looks like:

set policy id 1 from "Trust" to "Untrust"  "Voip-tel1" "Any" "ANY" nat src permit log
set policy id 1
exit

 

by: pathix, Posted on 2009-06-09 at 11:18:25, ID: 24583977

Quick question, does source translation need to be turned on on both sides of the tunnel (local and remote firewalls)? And do I just do it on the trust to untrust policy or both?

 

by: sangamc, Posted on 2009-06-09 at 11:23:00, ID: 24584028

Source NAT should only be required on the Juniper that has the VOIP phone sitting behind it. This setup worked in my network. Source based NAT on both Junipers for us caused one way audio problems (one party could hear the other party only).

 

by: pathix, Posted on 2009-06-10 at 04:17:47, ID: 24589987

Tried source based natting on the policy last night but still made no headway with it... I'm at a loss.

 

by: cat6509, Posted on 2009-06-10 at 09:18:45, ID: 24593353

Time to break out Wireshark (free network sniffer, http://www.wireshark.org/download.html) maybe?

Some instructions for use with a Cisco switch:

http://supportwiki.cisco.com/ViewWiki/index.php/Cable_Monitor_Feature

 

by: cat6509, Posted on 2009-06-10 at 09:21:21, ID: 24593384

Hmmm, I didn't preview that Cisco link well enough, you basically need only this part:

Switch(config)# monitor session 1 source interface Gi0/1
Switch(config)# monitor session 1 destination interface Fa0/17

where you specify the source port as the port the phone is using and the destination where the Wireshark machine sits (that machine BTW will not be able to do anything else whilst acting as a monitor destination).

 

by: pathix, Posted on 2009-06-10 at 09:31:37, ID: 24593510

I've reviewed Wireshark traces, however I could not find anything specific that stands out to me. I'm reluctant to attach Wireshark traces due to the sensitivity of the network. Is there anything I should look for?

 

by: cordeos, Posted on 2009-06-11 at 03:30:07, ID: 24600483

Hello Pathix. Since you are getting the image download and basic settings set on the phone you can be pretty sure that your routing, VPN and other network infrastructure are working properly. You should be able to get your phones registering with three quick steps:
1) Check that your CCM auto reg is working (i.e. is enabled and there are DN numbers left).
2) Open both the remote SSG and NS25 firewalls and disable in ALG (Configuration -> Advanced -> ALG) the following: SCCP, H323 and MGCP.
3) Delete the "half" created auto reg entries for the remote phone, and reset them.

After the above, your phones should come up no problem.

*** Technical details: Unfortunately firewall makers and network app makers have never been good at getting together to decide what is good and bad application traffic. Cisco is infamous for not sharing changes to its SCCP and MGCP traffic. In newer CCM 7 and newer phone firmware some of the data sent between the phone devices has changed, which the Netscreen ALG doesn't like. In general, you should often disable this type of application layer checking on firewalls in a multi-site VoIP system. It will cause nothing but headaches.

Hope this works for you.

 

by: pathix, Posted on 2009-06-11 at 04:12:11, ID: 24600729

I'm almost there!! I disabled SCCP, MGCP, RTSP ALGs on both ends of the firewall, reset the phone, and the phone registered with CM. I could see it saying it was registered, then within 5 seconds it unregistered itself. I called the phone and it rang for about 1/8th of a ring, then I got a busy signal... but the phone registered, which is a step further. Now I get this in the debug display page:

16:07:27 Invalid SCCP message! : ID :9b: PrimaryConnection is NULL - close connection and alarm in future
16:07:27 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
16:08:23 18: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=Failback
16:09:23 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
16:09:23 Invalid SCCP message! : ID :9b: PrimaryConnection is NULL - close connection and alarm in future
16:09:23 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
16:10:18 18: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=Failback
16:11:18 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP

 

Any idea what would cause an invalid sccp message?
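
The following is an added example, not part of any post in this thread: a small Python parser for the phone status lines quoted above that measures how long each connection to the Call Manager survives and whether every "Invalid SCCP message" entry coincides with a TCP close. The function names are my own, and the only line format assumed is the one visible in the quoted output.

```python
import re
from datetime import datetime

# Status lines exactly as quoted in the post above (one event per line).
SAMPLE = """\
16:07:27 Invalid SCCP message! : ID :9b: PrimaryConnection is NULL - close connection and alarm in future
16:07:27 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
16:08:23 18: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=Failback
16:09:23 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
16:09:23 Invalid SCCP message! : ID :9b: PrimaryConnection is NULL - close connection and alarm in future
16:09:23 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
16:10:18 18: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=Failback
16:11:18 14: Name=SEP0024C4BE4932 Load= SCCP45.8-4-3S Last=UCM-closed-TCP
"""

STATUS = re.compile(r"^(\d\d:\d\d:\d\d) (\d+): Name=(\S+) Load=\s*(\S+) Last=(\S+)$")
INVALID = re.compile(r"^(\d\d:\d\d:\d\d) Invalid SCCP message! : ID :([0-9a-fA-F]+):")

def secs(a, b):
    """Seconds from a to b for HH:MM:SS stamps, tolerating a midnight wrap."""
    fmt = "%H:%M:%S"
    delta = datetime.strptime(b, fmt) - datetime.strptime(a, fmt)
    return int(delta.total_seconds()) % 86400

def summarize(text):
    """Report how long each connection survives and what coincides with the drop."""
    up_since = down_since = None
    out = {"device": None, "load": None, "lifetimes_s": [], "retry_gaps_s": [],
           "invalid_ids": set(), "invalid_at_close": 0, "invalid_total": 0}
    close_times, invalid_times = set(), []
    for line in map(str.strip, text.splitlines()):
        if m := INVALID.match(line):
            invalid_times.append(m[1])
            out["invalid_ids"].add(int(m[2], 16))
        elif m := STATUS.match(line):
            stamp, _code, out["device"], out["load"], last = m.groups()
            if last == "Failback":
                if down_since:  # time spent disconnected before this retry
                    out["retry_gaps_s"].append(secs(down_since, stamp))
                up_since, down_since = stamp, None
            elif last == "UCM-closed-TCP":
                close_times.add(stamp)
                if up_since:  # duplicate close lines are counted once
                    out["lifetimes_s"].append(secs(up_since, stamp))
                up_since, down_since = None, down_since or stamp
    out["invalid_total"] = len(invalid_times)
    out["invalid_at_close"] = sum(t in close_times for t in invalid_times)
    out["flapping"] = len(out["lifetimes_s"]) >= 2
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted log this reports two connection lifetimes of 60 seconds each, with both invalid-message entries (ID 0x9b) stamped in the same second as a close.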

 

by: cordeos, Posted on 2009-06-11 at 08:36:10, ID: 24603593

Did you delete the original phone entries and allow new ones to be created?   Are you doing any "screening" on the SSG or NS25 firewalls?  Check for UDP or TCP flood alerts on the netscreens.

 

by: cordeos, Posted on 2009-06-12 at 02:13:36, ID: 24610385

Also, make sure "Remote Device" is selected in the CallManager phone properties and that the phones are using the latest firmware for your current 7.0.1 CallManager (and not a later firmware). You should consider upgrading to CallManager 7.1.2a as it fixes a lot of issues, or at least the latest in the 7.0 series.

 

by: pathix, Posted on 2009-06-12 at 05:07:46, ID: 24611269

Cordeos.. making those changes fixed the issue! Thanks a million!! You're a life saver... I just upgraded to 7.0.2 last night because we were having an issue with caller name display not working on PSTN calls... apparently a bug fix in 7.0.2, but it did not fix anything.

 

by: kunalpatel, Posted on 2009-09-21 at 02:33:00, ID: 25381281

This has fixed my issue too - Kunal Patel
