Raki Reply
ShoreTel switch unable to communicate with ShoreTel server; switch sends a RST

Hello All,

We had MPLS connectivity between our HQ and branch; we recently migrated to an IPsec VPN and I have enabled all ports between the HQ ShoreTel server and the branch office. We can ping and access the ShoreTel branch switch, but the switch fails to pair up as it is sending RST packets back to the HQ server.

Will ShoreTel work fine over IPsec? Do I need to do anything to avoid this issue?

The ShoreTel guys say there is a network issue: port 5452 seems filtered intermittently. I have checked the config with Cisco Support; they verified and confirmed the ports are open and found nothing in the packet capture.

Can anyone suggest anything for my case? Below are the logs.

The tmsncc log shows HQ cannot communicate with this switch:

00:00:12.321 ( 5072: 6528) cco_cmd: clnt_call error: status= 3 (RPC_CANTSEND)
00:00:12.321 ( 5072: 6528) ncc_connect_setup: --> -20 (RPC_ERROR)
00:00:12.321 ( 5072: 6528) ncc_connect_to_switch: "10.104.6.7", 5452
00:00:12.327 ( 5072: 6528) 9, (19.47.5900.0) "10.104.6.7", "00-10-49-3D-2D-5B", 25(SG4-30) Flash, "en-US", (1.1.3.27),"3 d + 08:12:45",0
00:00:12.327 ( 5072: 6528) ncc_event_connect (2018/06/11 07:00:12.327, +7)
00:00:22.328 ( 5072: 6528) readtcp wfmo timeout
00:00:22.328 ( 5072: 6528) sw_cmd: clnt_call error: status= 5 (RPC_TIMEDOUT)
00:00:22.328 ( 5072: 6528) nec_event_connect_ex: --> -20 (RPC_ERROR)
00:00:26.314 ( 5072: 6528) ncc_connect_to_switch: "10.104.6.7", 5452

Since the IP address changed to a different network, this may be a firewall issue. There are no other switches that the server is unable to connect to, only this switch.
tmsncc keyword search: "ncc_connect_to_switch"

1. pcap filter used:
udp.port eq 5440 and ip.addr==10.104.6.7
Results: the HQ server does communicate with the switch and the switch responds on UDP port 5440 (location service).

2. pcap filter used:
tcp.port eq 5452 and ip.addr==10.104.6.7
Results: you will see the HQ server communicate with the switch, but then you will see the switch send a RST (connection reset) back to the HQ server.

3. pcap filter used to confirm UDP port 5452 communication between HQ and the switch:
tcp.analysis.retransmission
Results: HQ tries to communicate with the switch on UDP port 5452; the switch does not respond, hence lost communications with the switch via Director.

4. pcap filter used to confirm the connection reset:
tcp.flags.reset==1
Results: the switch sends a connection reset to the HQ server. There are other connection resets shown with this filter to other IPs, but they do not look like they belong to the PBX system.

One side: Cisco 4431; the other side: SonicWall.
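The four Wireshark filters in the post boil down to one question per port: does the branch switch answer, refuse, or stay silent? The script below is an added example, not code from the post or from ShoreTel, that makes that triage reproducible offline. It builds a small constructed capture as raw IPv4 packets (no real pcap; the HQ server address 10.10.1.5 is assumed, only the switch address 10.104.6.7 comes from the log), decodes the fields the filters key on, and returns a verdict: "open" when a SYN/ACK or UDP reply is seen, "refused" when the switch itself sends a RST (the SYN reached a host with that IP, so the tunnel and firewalls delivered it), and "filtered" when the probes are retransmitted and nothing comes back (dropped somewhere in the path). It also counts SYN retransmissions the way tcp.analysis.retransmission would, and ignores resets from unrelated hosts, which the post's last filter also had to do by hand.

```python
"""Offline triage of a capture for the pairing problem discussed above.
Added example, not the post's code. Packets are constructed inline as raw
IPv4 (no Ethernet); HQ server IP 10.10.1.5 is an assumption."""
import struct
from collections import Counter
from ipaddress import ip_address

TCP, UDP = 6, 17
SYN, RST, ACK = 0x02, 0x04, 0x10


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def build_tcp(sport, dport, seq, flags):
    """20-byte TCP header: data offset 5 words, window 8192, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(pkt):
    """Decode the fields the Wireshark filters in the post key on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    rec = {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
           "proto": proto, "sport": sport, "dport": dport, "flags": 0, "seq": None}
    if proto == TCP:
        rec["seq"] = struct.unpack("!I", l4[4:8])[0]
        rec["flags"] = l4[13]
    return rec


def classify(packets, server, switch, port, proto):
    """Verdict for server -> switch traffic on one port:
    'open'     - handshake answered (SYN/ACK) or a UDP reply was seen
    'refused'  - the switch answered with RST: the probe reached a host, it said no
    'filtered' - probes were sent, nothing came back (dropped en route)
    'no-probe' - the server never sent anything to that port in this capture
    """
    recs = [parse(p) for p in packets]
    sent = [r for r in recs if r["src"] == server and r["dst"] == switch
            and r["proto"] == proto and r["dport"] == port]
    replies = [r for r in recs if r["src"] == switch and r["dst"] == server
               and r["proto"] == proto and r["sport"] == port]
    stats = {"sent": len(sent), "replies": len(replies), "retransmissions": 0}
    if not sent:
        return "no-probe", stats
    if proto == UDP:
        return ("open" if replies else "filtered"), stats
    # A SYN repeated with the same sequence number is a retransmission
    # (what tcp.analysis.retransmission flags in Wireshark).
    syns = Counter(r["seq"] for r in sent if r["flags"] & SYN)
    stats["retransmissions"] = sum(n - 1 for n in syns.values())
    if any(r["flags"] & RST for r in replies):
        return "refused", stats
    if any(r["flags"] & SYN and r["flags"] & ACK for r in replies):
        return "open", stats
    return "filtered", stats


HQ_SERVER, SWITCH = "10.10.1.5", "10.104.6.7"  # HQ address is assumed

# Constructed capture: location service on UDP 5440 works, TCP 5452 gets a
# RST after two SYN retransmissions, plus an unrelated RST from another host.
CAPTURE = [
    build_ipv4(HQ_SERVER, SWITCH, UDP, build_udp(5440, 5440, b"loc?")),
    build_ipv4(SWITCH, HQ_SERVER, UDP, build_udp(5440, 5440, b"loc!")),
    build_ipv4(HQ_SERVER, SWITCH, TCP, build_tcp(51000, 5452, 1000, SYN)),
    build_ipv4(HQ_SERVER, SWITCH, TCP, build_tcp(51000, 5452, 1000, SYN)),
    build_ipv4(HQ_SERVER, SWITCH, TCP, build_tcp(51000, 5452, 1000, SYN)),
    build_ipv4(SWITCH, HQ_SERVER, TCP, build_tcp(5452, 51000, 0, RST | ACK)),
    build_ipv4("10.104.6.99", HQ_SERVER, TCP, build_tcp(443, 52000, 0, RST | ACK)),
]

if __name__ == "__main__":
    for port, proto in ((5440, UDP), (5452, TCP)):
        verdict, stats = classify(CAPTURE, HQ_SERVER, SWITCH, port, proto)
        print(f"{'udp' if proto == UDP else 'tcp'}/{port}: {verdict} {stats}")
```

On the constructed input this reports udp/5440 as open and tcp/5452 as refused with two retransmissions; drop the switch's RST from the list and the same port reports filtered. The distinction is the one worth carrying into the firewall discussion: a "filtered" verdict points at a drop in the path (policy, tunnel selector, or a NAT rewrite that sends the packet somewhere else), while a RST from the switch's own address shows the packet arrived and the switch declined it.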
Hemil Aquino

I smell a firewall issue in the perimeter. It may be the case that the firewall is blocking the traffic; have you checked that?
Also, you stated "guys say there is a network issue, port 5452 seems filtered intermittently". Is that port opened in your firewall?

I don't think IPsec would affect those devices; new devices should be capable of handling encrypted connections.
Also, I notice the timeout. If you say you can ping and access the branch but the switch fails, it may be because of the firewall, in my perspective, or bad addressing.
It's not the ISP, since you have access. Have you changed the MTU? That may cause flapping between peers.
Raki Reply (ASKER)

Thanks Hemil,

I can ping the server/switch from both sides. When I tried a port query from the server to the switch, it showed 5452 TCP filtered intermittently. All ports are open on the Cisco 4431 and the SonicWall.

Is there anything I need to check on the MTU of the SonicWall? What should the MTU be on the interface? I believe it's 1500 on the SonicWall. Any other things I can guess? The Cisco guy exempted the server IP from being NATed over the IPsec tunnel and suggested doing the same on the SonicWall.

Do we need to exempt the server and the ShoreTel switch from being NATed in the tunnel?
Hi Raki,

If you haven't touched the MTU then never mind, leave it at 1500; some people tend to change the value and it's not a good idea to do so.

Also, keep in mind that when you are doing private communication, the server IP or subnet has to be exempted from NATing, because you don't want to translate your remote IP; otherwise communication won't be possible.

You need to do the same on the SonicWall as well. I am not too familiar with SonicWall, but yes, you need to exempt the subnet or the specific IP of the server you want to create communication from.