IP Phones not connecting through vpn

So we had a site to site vpn between two old sonicwall 2040 firewalls.  The domain runs over the vpn.  So it's all the same domain.  The ip phones on one end connected to the phone system on the other just fine.  They aren't going over the internet.  Very average setup.  Nothing difficult.

We replaced one of the firewalls with a new Sonicwall NSA 2400.  Everything is connecting over the vpn except the ip phones.  I have gone as far as to open all services, all to all, between the two sites and put that policy at the very top of the list.  Still nothing.  

If I plug the old firewall back in, everything works.  

The new firewall does have some special voip settings, but Sonicwall said those are only for special cases.  They should be left alone and ip phones over vpn should work fine as is.  Our phone vendor also took a look and says everything on the phone system works fine, and our phone setup is very basic.  He looked at the voip specific settings on the firewall and also confirmed we didn't need to touch those.

So what could I be missing?  If all services are open, any source to any destination, and everything else works over the vpn...what could it be?  

Any help appreciated!

Can you ping the remote phones that do not work from your LAN side network? If not, can you ping them using the Sonicwall diagnostics ping? Did you check the Sonicwall logs for any errors?
Frank Mayer (Technical Voip Support) commented:
Check the log files of the firewall and look at how it handles incoming requests from those phones.
If you don't see anything, enable the logserver client on the Sonic firewall and send those messages to a logserver somewhere (there are plenty of free logserver implementations out there). Increase the log detail and watch out for the phones and how they are handled by the 2400 firewall. I suspect that a feature of the UTM (Unified threat management) needs some fine tuning to allow this traffic.
readymade (Author) commented:
Pings fine, both ways.  I've looked in the logs.  Didn't really see anything.  I'll try and look further and also look into UTM.  Thanks!
Frank Mayer (Technical Voip Support) commented:
There should be the possibility to increase the log level. But yes, look at all installed modules and the corresponding logfiles.
I really can't imagine you don't see anything.
What you could do is make a Wireshark trace before the firewall to see in a pcap trace what the firewall answers to the requests from the phone, e.g. constantly resets the connection.
readymade (Author) commented:
Another question.  As for services, does "Any" really mean "Any?"  I'm allowing Any service through, but does that just include the stuff in services?  Do I need to create new services for the phones / phone system?  Thanks
Frank Mayer (Technical Voip Support) commented:
Well, it depends on the precedence of those services. E.g. when the firewall uses "ANY", that doesn't mean the IDF or spam or whatever module will allow the traffic. So check the UTM modules for corresponding entries to your phones and see whether a rule prohibits this traffic!
To try and diagnose why the new Sonicwall might be stopping this traffic, turn off the Intrusion Prevention and try the phones again. If this works, then there should be something in the logs from IP when it does not work.

If that does not do it, then turn off Content Filter (if you have it on) and try again.

Also, you mentioned that you permitted ALL; was this for the VPN to LAN and the reverse?
readymade (Author) commented:
Right, but I'm just talking about the policy and services.  As far as the policy goes, does "Any" really mean everything?  Not just what is defined in Services?  The phone system guy has a whole host of ports he says should be open.  If Any means Any then it's not necessary.  If it doesn't.....well.  

I am checking into UTM but I think the above is a relevant concern.
Frank Mayer (Technical Voip Support) commented:
Hmm "ANY" in the context of services means all ports. "ANY" in the context of ip-addresses translates to all IPs. But in a list the first entry may have precedence over the second and so on. So if you put the "ANY" rule at the beginning of your list it should always work as you expect. This way you would allow all and other rules that follow would not be matched anymore.
readymade (Author) commented:
I have had it at the top of the list.  So hopefully that is covered then.
readymade (Author) commented:
Turned off everything in security services.  Turned off any security on the policies.  Created new policies with custom services created just for the phone ports and put them at the top of the list.  Phones still aren't connecting.  I don't get it.

Can't see anything in the logs.  I try filtering by the source and destination addresses.  Comes back with nothing.  Logging is enabled for the relevant policies and everything else.  What do I look for in the logs?  

Frank Mayer (Technical Voip Support) commented:
Well, the IP or MAC address of those phones should somehow show up.
If not, try to sniff on the network cable where you expect the traffic from the phones
to the firewall. You can do this with Wireshark and a HUB device. Or perhaps the switch you are using supports mirroring. If nothing shows up at all, perhaps there is a connectivity issue of some kind? Wrong cable?
readymade (Author) commented:
Ok I turned up the logging and am now getting some entries.  This is happening every couple minutes.   The phone is trying to connect and fails.  Doesn't look like a policy stopping it.  Something just isn't working.  Phones on our local lan connect fine.

1      03/14/2012 11:04:36.768      Info      VOIP      VoIP Call Disconnected, 49749, X1, 2944, X0      H.323 ()              
2      03/14/2012 11:04:02.384      Debug      VOIP      VoIP (H.323) Endpoint added                                   
3      03/14/2012 11:03:31.912      Debug      VOIP      VoIP (H.323) Endpoint removed                                   
4      03/14/2012 11:03:13.032      Info      VOIP      VoIP Call Disconnected, 49679, X1, 2944, X0      H.323 ()              
5      03/14/2012 11:01:33.288      Info      VOIP      VoIP Call Disconnected, 49988, X1, 2944, X0      H.323 ()              
6      03/14/2012 11:00:06.464      Info      VOIP      VoIP Call Disconnected, 49618, X1, 2944, X0      H.323 ()

I've tried disabling H.323, and a ton of the other settings in VOIP on the firewall.  Nada.
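The log entries quoted above, parsed and summarised by an added Python example (not code from the thread or from SonicWall); the sample log text is constructed from the six quoted entries, and the 49152 ephemeral-port threshold (the IANA dynamic range) is an assumption about what the first port field represents.

```python
"""Parse SonicWall VoIP log lines like the ones quoted above and summarise the H.323 'Call Disconnected' pattern so a reconnect loop stands out."""
import re
from datetime import datetime

# Constructed sample: the six entries from the post, tab-separated as a log export would deliver them.
SAMPLE_LOG = """\
1\t03/14/2012 11:04:36.768\tInfo\tVOIP\tVoIP Call Disconnected, 49749, X1, 2944, X0\tH.323 ()
2\t03/14/2012 11:04:02.384\tDebug\tVOIP\tVoIP (H.323) Endpoint added
3\t03/14/2012 11:03:31.912\tDebug\tVOIP\tVoIP (H.323) Endpoint removed
4\t03/14/2012 11:03:13.032\tInfo\tVOIP\tVoIP Call Disconnected, 49679, X1, 2944, X0\tH.323 ()
5\t03/14/2012 11:01:33.288\tInfo\tVOIP\tVoIP Call Disconnected, 49988, X1, 2944, X0\tH.323 ()
6\t03/14/2012 11:00:06.464\tInfo\tVOIP\tVoIP Call Disconnected, 49618, X1, 2944, X0\tH.323 ()
"""

DISCONNECT_RE = re.compile(
    r"VoIP Call Disconnected, (?P<src_port>\d+), (?P<src_if>\w+), "
    r"(?P<dst_port>\d+), (?P<dst_if>\w+)")

def parse_log(text):
    """Split each line on tabs (or runs of 2+ spaces) into a field dict; skip blank/truncated lines."""
    entries = []
    for line in text.splitlines():
        fields = re.split(r"\t|\s{2,}", line.strip())
        if len(fields) < 5:
            continue
        entries.append({
            "id": int(fields[0]),
            "time": datetime.strptime(fields[1], "%m/%d/%Y %H:%M:%S.%f"),
            "priority": fields[2], "category": fields[3], "message": fields[4],
        })
    return entries

def summarize_disconnects(entries):
    """Count disconnects, list (src_if, dst_if, dst_port) paths, flag ephemeral source ports, and report the gaps between events."""
    events = sorted(((e["time"], m.groupdict()) for e in entries
                     if (m := DISCONNECT_RE.search(e["message"]))),
                    key=lambda ev: ev[0])
    if not events:
        return {"count": 0}
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "count": len(events),
        "paths": sorted({(d["src_if"], d["dst_if"], int(d["dst_port"]))
                         for _, d in events}),
        "ephemeral_src_ports": all(int(d["src_port"]) >= 49152 for _, d in events),  # IANA dynamic range, assumed
        "min_gap_s": min(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
    }
```

On the quoted entries this reports four disconnects, all X1 to X0 on port 2944 from ephemeral source ports, roughly 84 to 100 seconds apart, which is the "every couple minutes" retry loop rather than a policy block.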
Frank Mayer (Technical Voip Support) commented:
Can you ping the phones from both sides of the VPN tunnel?
readymade (Author) commented:
Yes, I stated that above.  Everything works except the phones connecting, and calls of course.  

We have fixed the problem.  I'm not super happy with the solution though.  In the end we had to open a TON of ports, instructed to do so by Toshiba the manufacturer of our phone system.  Who knows how many of them are really needed.  At least it's just VPN to LAN and vice versa.  Still not very happy with that.

I also had the bright idea of making the gatekeeper address the private address of our firewall.  It was defaulted to  Normally I would think this would be the private or public IP of our phone system if we were sending calls over the Internet.  We are not, so I figured maybe that needed to be the firewall since we are only making calls on the lan via vpn.  

A minute later the phone connected to the phone system and we were able to call.  Thanks for all the help and persistence.  Lots of good info here.

I also had to do it in this order:  First create policies, then set gatekeeper address.

readymade (Author) commented:
Update:  the phones went down the next day for no apparent reason.  Finally got somebody from Sonicwall on the phone.  They saw some weird stuff in the packet sniffing and said they thought it was a firmware issue.  I did a factory default reset and installed the firmware they recommended and immediately the phones came up.  

Then the WANgroupVPN wouldn't work.  If it's not one thing it's another.
readymade (Author) commented:
Tons of good troubleshooting info here.  I selected my last comment as the best answer because it directly solves my problem with my specific firewall and phone system.  I've awarded all the points to the others.  Thanks for all the help.