Solved

IP Phones not connecting through vpn

Posted on 2012-03-13
908 Views
Last Modified: 2012-08-13
So we had a site to site vpn between two old sonicwall 2040 firewalls.  The domain runs over the vpn.  So it's all the same domain.  The ip phones on one end connected to the phone system on the other just fine.  They aren't going over the internet.  Very average setup.  Nothing difficult.

We replaced one of the firewalls with a new Sonicwall NSA 2400.  Everything is connecting over the vpn except the ip phones.  I have gone as far as to open all services, all to all, between the two sites and put that policy at the very top of the list.  Still nothing.  

If I plug the old firewall back in, everything works.

The new firewall does have some special voip settings, but Sonicwall said those are only for special cases.  They should be left alone and ip phones over vpn should work fine as is.  Our phone vendor also took a look and says everything on the phone system works fine, and our phone setup is very basic.  He looked at the voip specific settings on the firewall and also confirmed we didn't need to touch those.

So what could I be missing?  If all services are open, any source to any destination, and everything else works over the vpn...what could it be?  

Any help appreciated!
Question by:readymade

17 Comments
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 100 total points
Can you ping the remote phones that do not work from your LAN side network? If not, can you ping them using the Sonicwall diagnostics ping? Did you check the Sonicwall logs for any errors?
0
 
LVL 5

Assisted Solution

by:Yohei0815
Yohei0815 earned 400 total points
Check the log files of the firewall and look at how it handles incoming requests from those phones.
If you don't see anything, enable the logserver client on the Sonic firewall and send those messages to a logserver somewhere (there are plenty of free logserver implementations out there). Increase the log detail and watch out for the phones and how they are handled by the 2400 firewall. I suspect that a feature of the UTM (Universal threat management) needs some fine tuning to allow this traffic.
0
 

Author Comment

by:readymade
Pings fine, both ways.  I've looked in the logs.  Didn't really see anything.  I'll try and look further and also look into UTM.  Thanks!
0
 
LVL 5

Assisted Solution

by:Yohei0815
Yohei0815 earned 400 total points
There should be the possibility to increase the log level. But yes, look at all installed modules and the corresponding logfiles.
I really can't imagine you don't see anything.
What you could do is make a Wireshark trace before the firewall to see in a pcap trace what the firewall answers to the requests from the phone, e.g. constantly resets the connection.
0
 

Author Comment

by:readymade
Another question.  As for services, does "Any" really mean "Any?"  I'm allowing Any service through, but does that just include the stuff in services?  Do I need to create new services for the phones / phone system?  Thanks
0
 
LVL 5

Assisted Solution

by:Yohei0815
Yohei0815 earned 400 total points
Hi,
well, it depends on the precedence of those services. E.g. when the firewall uses "ANY", that doesn't mean the IDF or spam or whatever module will allow the traffic. So check the UTM modules for corresponding entries to your phones and see whether a rule prohibits this traffic!
0
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 100 total points
To try and diagnose why the new Sonicwall might be stopping this traffic, turn off the Intrusion Prevention and try the phones again. If this works, then there should be something in the logs from IP when it does not work.

If that does not do it, then turn off Content Filter (if you have it on) and try again.

Also, you mentioned that you permitted ALL, was this for the VPN to LAN and the reverse.
0
 

Author Comment

by:readymade
Right, but I'm just talking about the policy and services.  As far as the policy goes, does "Any" really mean everything?  Not just what is defined in Services?  The phone system guy has a whole host of ports he says should be open.  If Any means Any then it's not necessary.  If it doesn't.....well.

I am checking into UTM but I think the above is a relevant concern.
0
 
LVL 5

Assisted Solution

by:Yohei0815
Yohei0815 earned 400 total points
Hmm "ANY" in the context of services means all ports. "ANY" in the context of ip-addresses translates to all IPs. But in a list the first entry may have precedence over the second and so on. So if you put the "ANY" rule at the beginning of your list it should always work as you expect. This way you would allow all and other rules that follow would not be matched anymore.
0
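The two points made in this thread about "ANY" (it matches every port and every address, but only the first matching access rule decides, and an inspection module can still veto traffic the access rule allowed) can be modelled in a few lines. The following is an added illustration, not SonicWall code and not the firewall's actual rule engine: the rule format, the `Rule` class, the `decide()` pipeline and the inspector callbacks are my own assumptions, and the sample rules and the sample flow (the 192.168.63.83 to 192.168.33.48 port 2944 flow from the log later in the thread) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # sentinel standing in for the firewall's "Any" object


@dataclass
class Rule:
    name: str
    src: str        # CIDR string or ANY
    dst: str        # CIDR string or ANY
    service: object  # (proto, port) tuple or ANY
    action: str     # "allow" or "deny"


def _match_net(pattern, ip):
    return pattern == ANY or ip_address(ip) in ip_network(pattern)


def _match_service(pattern, proto, port):
    return pattern == ANY or pattern == (proto, port)


def first_match(rules, src, dst, proto, port):
    """First-match-wins over an ordered rule list; None means the
    implicit deny at the bottom of the list."""
    for r in rules:
        if (_match_net(r.src, src) and _match_net(r.dst, dst)
                and _match_service(r.service, proto, port)):
            return r
    return None


def decide(rules, inspectors, src, dst, proto, port):
    """Access rule first, then every enabled inspection module gets a
    veto. Returns (verdict, name of the rule or module that decided)."""
    rule = first_match(rules, src, dst, proto, port)
    if rule is None:
        return "deny", "implicit-deny"
    if rule.action != "allow":
        return "deny", rule.name
    for name, check in inspectors:
        if not check(src, dst, proto, port):
            return "deny", name
    return "allow", rule.name


# Constructed rule sets: the same two rules in both orders.
ALLOW_ALL = Rule("allow-all-vpn", ANY, ANY, ANY, "allow")
DENY_VOIP = Rule("deny-voip", "192.168.63.0/24", "192.168.33.0/24",
                 ("tcp", 2944), "deny")
RULES_ANY_ON_TOP = [ALLOW_ALL, DENY_VOIP]
RULES_ANY_AT_BOTTOM = [DENY_VOIP, ALLOW_ALL]

# Constructed inspector standing in for a UTM module that drops port 2944
# regardless of what the access rules say (hypothetical behaviour).
PORT_2944_VETO = ("ips-hypothetical", lambda s, d, proto, port: port != 2944)

PHONE_FLOW = ("192.168.63.83", "192.168.33.48", "tcp", 2944)


def demo():
    """Return the three verdicts the thread's discussion predicts."""
    return {
        "any_on_top": decide(RULES_ANY_ON_TOP, [], *PHONE_FLOW),
        "any_at_bottom": decide(RULES_ANY_AT_BOTTOM, [], *PHONE_FLOW),
        "any_on_top_with_utm": decide(RULES_ANY_ON_TOP, [PORT_2944_VETO], *PHONE_FLOW),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

With the "ANY" allow at the top the access rule matches, so the place to keep looking when traffic still fails is the inspection stage (the third case), which is exactly what the later replies in the thread suggest checking.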
 

Author Comment

by:readymade
I have had it at the top of the list.  So hopefully that is covered then.
0
 

Author Comment

by:readymade
Turned off everything in security services.  Turned off any security on the policies.  Created new policies with custom services created just for the phone ports and put them at the top of the list.  Phones still aren't connecting.  I don't get it.

Can't see anything in the logs.  I try filtering by the source and destination addresses.  Comes back with nothing.  Logging is enabled for the relevant policies and everything else.  What do I look for in the logs?  

thanks
0
 
LVL 5

Assisted Solution

by:Yohei0815
Yohei0815 earned 400 total points
Well, the IP or MAC address of those phones should somehow show up.
If not, try to sniff on the network cable where you expect the traffic from the phones to the firewall. You can do this with Wireshark and a HUB device. Or perhaps the switch you are using supports mirroring. If nothing shows up at all, perhaps there is a connectivity issue of some kind? Wrong cable?
0
 

Author Comment

by:readymade
Ok I turned up the logging and am now getting some entries.  This is happening every couple minutes.   The phone is trying to connect and fails.  Doesn't look like a policy stopping it.  Something just isn't working.  Phones on our local lan connect fine.

1      03/14/2012 11:04:36.768      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49749, X1      192.168.33.48, 2944, X0      H.323 ()
2      03/14/2012 11:04:02.384      Debug      VOIP      VoIP 192.168.63.83 (H.323) Endpoint added
3      03/14/2012 11:03:31.912      Debug      VOIP      VoIP 192.168.63.83 (H.323) Endpoint removed
4      03/14/2012 11:03:13.032      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49679, X1      192.168.33.48, 2944, X0      H.323 ()
5      03/14/2012 11:01:33.288      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49988, X1      192.168.33.48, 2944, X0      H.323 ()
6      03/14/2012 11:00:06.464      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49618, X1      192.168.33.48, 2944, X0      H.323 ()

I've tried disabling H.323, and a ton of the other settings in VOIP on the firewall.  Nada.
0
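The log excerpt above is the kind of thing worth pulling out of a log export automatically: one endpoint reconnecting and being disconnected every minute or two is a flapping signature that is easy to miss among routine VoIP entries. Below is an added example (my own code, not anything from SonicWall or from the thread) that parses lines in the column layout shown above, which are copied from the post verbatim, and flags any source/destination pair with repeated "VoIP Call Disconnected" events inside a short window. The column order, the whitespace-run separator and the timestamp format are assumptions read off those six lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The six log lines posted above, used as the sample input. Columns are
# separated by runs of two or more spaces; a single space appears inside
# the timestamp and inside the message text.
SAMPLE_LOG = """\
1      03/14/2012 11:04:36.768      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49749, X1      192.168.33.48, 2944, X0      H.323 ()
2      03/14/2012 11:04:02.384      Debug      VOIP      VoIP 192.168.63.83 (H.323) Endpoint added
3      03/14/2012 11:03:31.912      Debug      VOIP      VoIP 192.168.63.83 (H.323) Endpoint removed
4      03/14/2012 11:03:13.032      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49679, X1      192.168.33.48, 2944, X0      H.323 ()
5      03/14/2012 11:01:33.288      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49988, X1      192.168.33.48, 2944, X0      H.323 ()
6      03/14/2012 11:00:06.464      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49618, X1      192.168.33.48, 2944, X0      H.323 ()
"""

# "ip, port, interface" as it appears in the source/destination columns
ENDPOINT_RE = re.compile(r"^(?P<ip>[\d.]+),\s*(?P<port>\d+),\s*(?P<iface>\S+)$")


def parse_line(line):
    """Split one exported line into a dict; returns None for lines that do
    not have at least id, timestamp, priority, category and message."""
    cols = re.split(r"\s{2,}", line.strip())
    if len(cols) < 5:
        return None
    rec = {
        "id": int(cols[0]),
        "time": datetime.strptime(cols[1], "%m/%d/%Y %H:%M:%S.%f"),
        "priority": cols[2],
        "category": cols[3],
        "message": cols[4],
    }
    # Connection-level entries carry source, destination and protocol columns.
    if len(cols) >= 7:
        for key, col in (("src", cols[5]), ("dst", cols[6])):
            m = ENDPOINT_RE.match(col)
            if m:
                rec[key] = (m["ip"], int(m["port"]), m["iface"])
        rec["protocol"] = cols[7] if len(cols) > 7 else ""
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def disconnect_flaps(records, window=timedelta(minutes=5), threshold=3):
    """Group 'VoIP Call Disconnected' events by (src ip, dst ip, dst port)
    and return the flows that hit `threshold` or more disconnects within
    any `window`-long span, with the densest count seen."""
    by_flow = defaultdict(list)
    for r in records:
        if r["message"] == "VoIP Call Disconnected" and "src" in r and "dst" in r:
            by_flow[(r["src"][0], r["dst"][0], r["dst"][1])].append(r["time"])
    flagged = {}
    for key, times in by_flow.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted times
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for flow, count in disconnect_flaps(recs).items():
        src, dst, port = flow
        print(f"{src} -> {dst}:{port}: {count} disconnects within 5 minutes")
```

Grouping on the destination port rather than the source port matters here: the phone picks a fresh ephemeral source port for every attempt (49749, 49679, 49988, 49618 in the excerpt), so keying on the full 4-tuple would hide the pattern as four unrelated events.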
 
LVL 5

Expert Comment

by:Yohei0815
Can you ping the phones from both sides of the VPN tunnel ??
0
 

Accepted Solution

by:readymade
readymade earned 0 total points
Yes, I stated that above.  Everything works except the phones connecting, and calls of course.  

We have fixed the problem.  I'm not super happy with the solution though.  In the end we had to open a TON of ports, instructed to do so by Toshiba the manufacturer of our phone system.  Who knows how many of them are really needed.  At least it's just VPN to LAN and vice versa.  Still not very happy with that.

I also had the bright idea of making the gatekeeper address the private address of our firewall.  It was defaulted to 0.0.0.0.  Normally I would think this would be the private or public IP of our phone system if we were sending calls over the Internet.  We are not, so I figured maybe that needed to be the firewall since we are only making calls on the lan via vpn.  

A minute later the phone connected to the phone system and we were able to call.  Thanks for all the help and persistence.  Lots of good info here.

I also had to do it in this order:  First create policies, then set gatekeeper address.
0
 

Author Comment

by:readymade
Update:  the phones went down the next day for no apparent reason.  Finally got somebody from Sonicwall on the phone.  They saw some weird stuff in the packet sniffing and said they thought it was a firmware issue.  I did a factory default reset and installed the firmware they recommended, and immediately the phones came up.

Then the WANgroupVPN wouldn't work.  If it's not one thing it's another.
0
 

Author Closing Comment

by:readymade
Tons of good troubleshooting info here.  I selected my last comment as the best answer because it directly solves my problem with my specific firewall and phone system.  I've awarded all the points to the others.  Thanks for all the help.
0