IP Phones not connecting through vpn

Posted on 2012-03-13
918 Views
Last Modified: 2012-08-13
So we had a site-to-site VPN between two old SonicWall 2040 firewalls. The domain runs over the VPN, so it's all the same domain. The IP phones on one end connected to the phone system on the other just fine. They aren't going over the Internet. Very average setup. Nothing difficult.

We replaced one of the firewalls with a new SonicWall NSA 2400. Everything is connecting over the VPN except the IP phones. I have gone as far as to open all services, all to all, between the two sites and put that policy at the very top of the list. Still nothing.

If I plug the old firewall back in, everything works.

The new firewall does have some special voip settings, but Sonicwall said those are only for special cases.  They should be left alone and ip phones over vpn should work fine as is.  Our phone vendor also took a look and says everything on the phone system works fine, and our phone setup is very basic.  He looked at the voip specific settings on the firewall and also confirmed we didn't need to touch those.

So what could I be missing?  If all services are open, any source to any destination, and everything else works over the vpn...what could it be?  

Any help appreciated!
Question by:readymade
17 Comments
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 400 total points
ID: 37719197
Can you ping the remote phones that do not work from your LAN-side network? If not, can you ping them using the SonicWall diagnostics ping? Did you check the SonicWall logs for any errors?
0
 
LVL 5

Assisted Solution

by:Frank Mayer
Frank Mayer earned 1600 total points
ID: 37719350
Check the log files of the firewall and look at how it handles incoming requests from those phones.
If you don't see anything, enable the log server client on the SonicWall firewall and send those messages to a log server somewhere (there are plenty of free log server implementations out there). Increase the log detail and watch for the phones and how they are handled by the 2400 firewall. I suspect that a feature of the UTM (Unified Threat Management) needs some fine tuning to allow this traffic.
0
 

Author Comment

by:readymade
ID: 37720374
Pings fine, both ways.  I've looked in the logs.  Didn't really see anything.  I'll try and look further and also look into UTM.  Thanks!
0
 
LVL 5

Assisted Solution

by:Frank Mayer
Frank Mayer earned 1600 total points
ID: 37720424
There should be the possibility to increase the log level. But yes, look at all installed modules and the corresponding log files.
I really can't imagine you don't see anything.
What you could do is make a Wireshark trace in front of the firewall to see in a pcap trace what the firewall answers to the requests from the phone, e.g. constantly resets the connection.
0
 

Author Comment

by:readymade
ID: 37720461
Another question.  As for services, does "Any" really mean "Any?"  I'm allowing Any service through, but does that just include the stuff in services?  Do I need to create new services for the phones / phone system?  Thanks
0
 
LVL 5

Assisted Solution

by:Frank Mayer
Frank Mayer earned 1600 total points
ID: 37720474
Hi,
Well, it depends on the precedence of those services. E.g. when the firewall uses "ANY" that doesn't mean the IDS or spam or whatever module will allow the traffic. So check the UTM modules for corresponding entries for your phones and see whether a rule prohibits this traffic!
0
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 400 total points
ID: 37720492
To try and diagnose why the new SonicWall might be stopping this traffic, turn off Intrusion Prevention and try the phones again. If this works, then there should be something in the logs from IPS when it does not work.

If that does not do it, then turn off Content Filter (if you have it on) and try again.

Also, you mentioned that you permitted ALL; was this for VPN to LAN and the reverse?
0
 

Author Comment

by:readymade
ID: 37720496
Right, but I'm just talking about the policy and services. As far as the policy goes, does "Any" really mean everything? Not just what is defined in Services? The phone system guy has a whole host of ports he says should be open. If Any means Any then it's not necessary. If it doesn't.....well.

I am checking into UTM but I think the above is a relevant concern.
0
 
LVL 5

Assisted Solution

by:Frank Mayer
Frank Mayer earned 1600 total points
ID: 37720533
Hmm, "ANY" in the context of services means all ports. "ANY" in the context of IP addresses translates to all IPs. But in a list the first entry may have precedence over the second and so on. So if you put the "ANY" rule at the beginning of your list it should always work as you expect. This way you would allow all, and other rules that follow would not be matched anymore.
0
 

Author Comment

by:readymade
ID: 37720547
I have had it at the top of the list.  So hopefully that is covered then.
0
 

Author Comment

by:readymade
ID: 37721075
Turned off everything in security services.  Turned off any security on the policies.  Created new policies with custom services created just for the phone ports and put them at the top of the list.  Phones still aren't connecting.  I don't get it.

Can't see anything in the logs.  I try filtering by the source and destination addresses.  Comes back with nothing.  Logging is enabled for the relevant policies and everything else.  What do I look for in the logs?  

thanks
0
 
LVL 5

Assisted Solution

by:Frank Mayer
Frank Mayer earned 1600 total points
ID: 37721119
Well, the IP or MAC address of those phones should somehow show up.
If not, try to sniff on the network cable where you expect the traffic from the phones
to the firewall. You can do this with Wireshark and a hub device. Or perhaps the switch you are using supports mirroring. If nothing shows up at all, perhaps there is a connectivity issue of some kind? Wrong cable?
0
 

Author Comment

by:readymade
ID: 37721567
OK, I turned up the logging and am now getting some entries. This is happening every couple of minutes. The phone is trying to connect and fails. Doesn't look like a policy stopping it. Something just isn't working. Phones on our local LAN connect fine.

1      03/14/2012 11:04:36.768      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49749, X1      192.168.33.48, 2944, X0      H.323 ()              
2      03/14/2012 11:04:02.384      Debug      VOIP      VoIP 192.168.63.83 (H.323) Endpoint added                                   
3      03/14/2012 11:03:31.912      Debug      VOIP      VoIP 192.168.63.83 (H.323) Endpoint removed                                   
4      03/14/2012 11:03:13.032      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49679, X1      192.168.33.48, 2944, X0      H.323 ()              
5      03/14/2012 11:01:33.288      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49988, X1      192.168.33.48, 2944, X0      H.323 ()              
6      03/14/2012 11:00:06.464      Info      VOIP      VoIP Call Disconnected      192.168.63.83, 49618, X1      192.168.33.48, 2944, X0      H.323 ()

I've tried disabling H.323, and a ton of the other settings in VOIP on the firewall.  Nada.
0
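The log entries quoted above show the same phone reaching the phone system on port 2944 from a fresh ephemeral port each time and being disconnected every attempt. The following script is an added example, not part of the original thread or any SonicWall tooling: it parses entries in that column layout (constructed sample input, assumed to be tab- or multi-space-separated) and flags flows that only ever disconnect, which is the "phone keeps retrying and never registers" pattern a monitoring rule would want to catch.

```python
import re
from collections import Counter

# Constructed sample in the layout of the SonicWall VoIP log entries quoted in
# the thread: index, timestamp, level, category, message, src, dst, protocol.
SAMPLE_LOG = """\
1\t03/14/2012 11:04:36.768\tInfo\tVOIP\tVoIP Call Disconnected\t192.168.63.83, 49749, X1\t192.168.33.48, 2944, X0\tH.323 ()
2\t03/14/2012 11:04:02.384\tDebug\tVOIP\tVoIP 192.168.63.83 (H.323) Endpoint added
3\t03/14/2012 11:03:31.912\tDebug\tVOIP\tVoIP 192.168.63.83 (H.323) Endpoint removed
4\t03/14/2012 11:03:13.032\tInfo\tVOIP\tVoIP Call Disconnected\t192.168.63.83, 49679, X1\t192.168.33.48, 2944, X0\tH.323 ()
5\t03/14/2012 11:01:33.288\tInfo\tVOIP\tVoIP Call Disconnected\t192.168.63.83, 49988, X1\t192.168.33.48, 2944, X0\tH.323 ()
6\t03/14/2012 11:00:06.464\tInfo\tVOIP\tVoIP Call Disconnected\t192.168.63.83, 49618, X1\t192.168.33.48, 2944, X0\tH.323 ()
"""

# "ip, port, interface" as it appears in the src/dst columns
ENDPOINT = re.compile(r"^(?P<ip>[\d.]+),\s*(?P<port>\d+),\s*(?P<iface>\w+)$")
COLUMN_SEP = re.compile(r"\t| {2,}")  # assumption: tabs or runs of spaces separate columns


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not a log entry."""
    fields = COLUMN_SEP.split(line.strip())
    if len(fields) < 5 or not fields[0].isdigit():
        return None
    entry = {"idx": int(fields[0]), "ts": fields[1], "level": fields[2],
             "cat": fields[3], "msg": fields[4], "src": None, "dst": None, "proto": None}
    if len(fields) >= 8:  # Info lines carry src, dst and protocol; Debug lines do not
        s, d = ENDPOINT.match(fields[5]), ENDPOINT.match(fields[6])
        if s and d:
            entry["src"] = (s["ip"], int(s["port"]), s["iface"])
            entry["dst"] = (d["ip"], int(d["port"]), d["iface"])
        entry["proto"] = fields[7]
    return entry


def flapping_endpoints(log_text, threshold=3):
    """Flows (src_ip, dst_ip, dst_port) with at least `threshold` 'Call Disconnected'
    entries and no 'Call Connected' entry. Grouping by destination port rather than
    the source port collapses the per-attempt ephemeral ports into one flow."""
    disconnects, connects = Counter(), set()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["cat"] != "VOIP" or not e["src"]:
            continue
        flow = (e["src"][0], e["dst"][0], e["dst"][1])
        if "Call Disconnected" in e["msg"]:
            disconnects[flow] += 1
        elif "Call Connected" in e["msg"]:
            connects.add(flow)
    return {f: n for f, n in disconnects.items() if n >= threshold and f not in connects}
```

Run against a syslog export from the firewall, a non-empty result names the phone/PBX pairs to investigate before the user notices; a flow that also shows a "Call Connected" entry is excluded as a normal call teardown.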
 
LVL 5

Expert Comment

by:Frank Mayer
ID: 37721890
Can you ping the phones from both sides of the VPN tunnel ??
0
 

Accepted Solution

by:readymade
readymade earned 0 total points
ID: 37722436
Yes, I stated that above. Everything works except the phones connecting, and calls of course.

We have fixed the problem. I'm not super happy with the solution though. In the end we had to open a TON of ports, instructed to do so by Toshiba, the manufacturer of our phone system. Who knows how many of them are really needed. At least it's just VPN to LAN and vice versa. Still not very happy with that.

I also had the bright idea of making the gatekeeper address the private address of our firewall. It was defaulted to 0.0.0.0. Normally I would think this would be the private or public IP of our phone system if we were sending calls over the Internet. We are not, so I figured maybe that needed to be the firewall since we are only making calls on the LAN via VPN.

A minute later the phone connected to the phone system and we were able to call. Thanks for all the help and persistence. Lots of good info here.

I also had to do it in this order: first create policies, then set the gatekeeper address.
0
 

Author Comment

by:readymade
ID: 37729924
Update: the phones went down the next day for no apparent reason. Finally got somebody from SonicWall on the phone. They saw some weird stuff in the packet sniffing and said they thought it was a firmware issue. I did a factory default reset and installed the firmware they recommended, and immediately the phones came up.

Then the WAN GroupVPN wouldn't work. If it's not one thing it's another.
0
 

Author Closing Comment

by:readymade
ID: 37736826
Tons of good troubleshooting info here.  I selected my last comment as the best answer because it directly solves my problem with my specific firewall and phone system.  I've awarded all the points to the others.  Thanks for all the help.
0
