Chris Millard
asked on
Can't ping IP Phones on different subnet through VPN
Set up:-
Site 1 - IP Range 192.168.1.x/24
Site 1 Gateway 192.168.1.4
Site 2 - IP Range 192.168.2.x/24
Site 2 Gateway 192.168.2.1
There is a VPN between the two sites (using a Firebox X550e at one end, and a Draytek Vigor 2800 at the other)
I can quite happily access PCs on both networks from either site.
HOWEVER, a telephone company has been contracted to install an Avaya IP Phone system.
At site 1, they can ping their phone system which is on IP 192.168.1.250, but they cannot ping the phone system at site 2 which is on IP 192.168.2.250 - and vice versa.
Site 1 - IP Range 192.168.1.x/24
Site 1 Gateway 192.168.1.4
Site 2 - IP Range 192.168.2.x/24
Site 2 Gateway 192.168.2.1
There is a VPN between the two sites (using a Firebox X550e at one end, and a Draytek Vigor 2800 at the other)
I can quite happily access PCs on both networks from either site.
HOWEVER, a telephone company has been contracted to install an Avaya IP Phone system.
At site 1, they can ping their phone system which is on IP 192.168.1.250, but they cannot ping the phone system at site 2 which is on IP 192.168.2.250 - and vice versa.
Make sure to check to see if PING allowed through the Routers.
ASKER
Yes - ping is allowed through the routers. I can ping PCs on both networks from both sites.
Also, the phone systems have a web interface, and I can only access the web interface of the system on the same subnet.
Also, the phone systems have a web interface, and I can only access the web interface of the system on the same subnet.
The most likely culprit is the Default Gateway address on the 192.168.2.250 phone system. Followed by an ACL in the 192.168.2.x network that is blocking the traffic.
ASKER
Why would the culprit be on the 192.168.2.250 phone system? I can't access 192.168.1.250 from the 192.168.2.x network either.
Also, there is absolutely NO filtering whatsoever on the Vigor router.
Also, there is absolutely NO filtering whatsoever on the Vigor router.
Ah, well you didn't say that they couldn't access inside the network.
It could be a bad gateway assigned to the phones. What model is the phone? Are they full IP phones or direct connected to something like an IP Office box? Are they using Static or DHCP on the LAN? If getting DHCP, what device is assigning the IP address and is it assigning correct info?
ASKER
@sr75 - They CAN be accessed inside the network. What I was saying is that I cannot access 192.168.1.250 from the 192.168.2.x network, just the same as I cannot access 192.168.2.250 from the 192.168.1.x network.
BUT I can access 192.168.1.250 from the 192.168.1.x network, and can access 192.168.2.250 from the 192.168.2.x network.
BUT I can access 192.168.1.250 from the 192.168.1.x network, and can access 192.168.2.250 from the 192.168.2.x network.
ASKER
@colonytire - I have absolutely no idea what the models are. All I know is that the system's are IP Office System 7.0
We have no control over the phone systems. They are being supplied and "supported" by an external company - they will log in remotely and make any changes. The installation company just asked for me to provide the IP details, which I have checked and checked again, so I know they are correct!
I have other PCs at the high IP range, and I can ping those just fine, so I wonder if there is something in the phone system software that is stopping the 2 subnets from being able to communicate - i.e, does the phone system realise that I'm pinging from a different subnet, and subsequently drop the packets? I just don't have any idea about how these phones are configured, and I have no way to find out.
We have no control over the phone systems. They are being supplied and "supported" by an external company - they will log in remotely and make any changes. The installation company just asked for me to provide the IP details, which I have checked and checked again, so I know they are correct!
I have other PCs at the high IP range, and I can ping those just fine, so I wonder if there is something in the phone system software that is stopping the 2 subnets from being able to communicate - i.e, does the phone system realise that I'm pinging from a different subnet, and subsequently drop the packets? I just don't have any idea about how these phones are configured, and I have no way to find out.
Yes, the phone system acts as a router and is where I suspect the configurations need to be adjusted.
ASKER
Do these systems have a read only username and password so that I can see the config without being able to change it?
The default using the Manager client software (typically installed on the Voicemail system) User&Pass= Administrator will let you in.
ASKER
Excellent - I'm in. Now, looking at the IP Networking, I can see 3 IP Routes:-
Destination Subnet Int Name Int Type IP Route Type
192.168.1.0 255.255.255.0 LAN1 LAN Directly Attached
192.168.43.0 255.255.255.0 LAN2(WAN) LAN Directly Attached
192.168.99.0 255.255.255.0 RemoteManager DialUp Static
Apart from that, I can't see how the LAN is configured at all...
Destination Subnet Int Name Int Type IP Route Type
192.168.1.0 255.255.255.0 LAN1 LAN Directly Attached
192.168.43.0 255.255.255.0 LAN2(WAN) LAN Directly Attached
192.168.99.0 255.255.255.0 RemoteManager DialUp Static
Apart from that, I can't see how the LAN is configured at all...
I dont see where there is a route directing trafic to your 192.168.1.4 gateway thus allowing the VPN connection to be active.
ASKER
Me neither, but I don't see where that information or indeed the IP address for the device gets entered.
That route would be needed for communicating from the remote location.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK - I've not done ANYTHING to the VPN, and the phone company claim not to have done anything with the phone system, but the phone systems can now be pinged from either end...