New Contributor III

Re: Simple remote user won't register with 7100

Mark,

I'll try to get a capture as soon as I can.  The VPN to the remote site is wide open and I had this 712 and a Polycom 650 connected with generic extension at one point, but when I tried to assign a user to the phone, the phone refused to register.

Valued Contributor II

Re: Simple remote user won't register with 7100

Well something is blocking the return of the 401 Unauthorized to the 712 phone. Just need to figure out where.

What device is the VPN gateway at the remote site? You can do a packet capture in AOS now if you're running newer code.

Are you running GRE through the VPN tunnel?

-Mark

New Contributor III

Re: Simple remote user won't register with 7100

Mark,

Not running GRE.  The Fortigate Firewall at the remote end has a wide open tunnel and I turned off any SIP helpers.  Here is a packet capture from the inside interface of the firewall.

Valued Contributor II

Re: Simple remote user won't register with 7100

Ok after looking over your debug and getting some good insight from Jay in support, it looks like your Fortigate is not changing the port on the return 401.

Here is the rundown from your pcapture and the buffalo_SIP_Stack.txt file. Different calls but the ports are what we are looking at:

Wireshark Packet 1:

Register from phone before the Fortigate.

Source IP is 192.168.129.57 (phone) on UDP port 5060 (phone is listening for port 5060)

Dest IP is 192.168.108.2 (7100) on UDP port 5060

From 7100 Debug:

7100 RX register request

Source IP: 192.168.129.57. Your Fortigate changes the port to 10254 in that call

Destination IP: 192.168.108.2 port 5060

From 7100 Debug:

7100 TX 401 Unauth back to phone

Source IP: 192.168.108.2 port 5060

Destination IP: 192.168.129.57 port 10254 (We transmit the same port we received)

Wireshark Packet 2:

401 Unauth from 7100 after the Fortigate

Source IP: 192.168.108.2 port 5060

Destination IP: 192.168.129.57 port 10004 (this is the actual port from this call). But the problem is that the Fortigate is not changing the port back after it is NATing it.

The phone is listening on port 5060, but the return 401 Unauthorized is coming back on the 10000 port range, so the phone is not listening for that port and just keeps registering. You need to look into the Fortigate and see if you can turn off NAT of SIP packets or have it properly change the port back to 5060 on the return path.

Let us know if you have any other questions.

-Mark
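
The comparison walked through in the post above can be scripted once the 5-tuples from both capture points are extracted. This is an added example, not code from the thread or from any vendor; the `Pkt` record, the capture-point labels and the function names are hypothetical, and the trace is constructed as a single call using the addresses and ports quoted in the post.

```python
from collections import namedtuple

# One observed SIP packet: capture point plus its UDP addressing.
Pkt = namedtuple("Pkt", "point msg src sport dst dport")

# Constructed single-call trace; addresses and ports follow the post above.
SAMPLE = [
    Pkt("phone-side", "REGISTER", "192.168.129.57", 5060, "192.168.108.2", 5060),
    Pkt("7100-side", "REGISTER", "192.168.129.57", 10254, "192.168.108.2", 5060),
    Pkt("7100-side", "401", "192.168.108.2", 5060, "192.168.129.57", 10254),
    Pkt("phone-side", "401", "192.168.108.2", 5060, "192.168.129.57", 10254),
]

def pick(pkts, point, msg):
    """First packet of the given type seen at the given capture point."""
    return next(p for p in pkts if p.point == point and p.msg == msg)

def rewritten_fields(pkts, msg):
    """Addressing fields of one message that differ between the two points."""
    a, b = pick(pkts, "phone-side", msg), pick(pkts, "7100-side", msg)
    return {f: (getattr(a, f), getattr(b, f))
            for f in ("src", "sport", "dst", "dport")
            if getattr(a, f) != getattr(b, f)}

def return_path_findings(pkts, request="REGISTER", reply="401"):
    """Check that a port translation applied to the request is undone on the reply."""
    req_phone = pick(pkts, "phone-side", request)
    req_far = pick(pkts, "7100-side", request)
    rep_far = pick(pkts, "7100-side", reply)
    rep_phone = pick(pkts, "phone-side", reply)
    findings = []
    if req_far.sport != req_phone.sport:
        findings.append(f"request source port translated {req_phone.sport} -> {req_far.sport}")
    if rep_far.dport != req_far.sport:
        findings.append(f"7100 replied to port {rep_far.dport}, not the {req_far.sport} it received from")
    if rep_phone.dport != req_phone.sport:
        findings.append(f"reply arrives on port {rep_phone.dport}; phone sent from {req_phone.sport}, translation not reversed")
    return findings

if __name__ == "__main__":
    for line in return_path_findings(SAMPLE):
        print(line)
```

An empty result from `rewritten_fields(SAMPLE, "401")` alongside a non-empty one for `REGISTER` is the asymmetry described in the post: the request was rewritten in one direction and the reply passed through untouched.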

New Contributor III

Re: Simple remote user won't register with 7100

Mark,

I will have to look into the firewalls at both ends (Check Point & Fortigate), but NAT is turned off at both ends.  I will let you know what I find (if anything).

Valued Contributor II

Re: Simple remote user won't register with 7100

You said in a previous post that you have turned off SIP helpers. Have you tested it with the SIP helpers on?

-Mark

New Contributor III

Re: Simple remote user won't register with 7100

Mark,

Actually, when I went back into the remote firewall, the SIP helper had been turned back on, so I went through the process to turn it back off, but still no luck.  What I have to do at this point is set up some simultaneous captures from both ends and try to determine which firewall is changing the packet.  The frustrating part is that I had the phones set up and working with generic accounts, but when I tried to change them to specific users, that is when they broke.

Valued Contributor II

Re: Simple remote user won't register with 7100

What do you mean generic accounts vs specific accounts?

-Mark

New Contributor III

Re: Simple remote user won't register with 7100

Mark,

By generic accounts, I mean that I had 2 user accounts with no voice mail or call control, i.e. Buffalo Phone 1 & 2.  Not sure how I had them working.  Spent 4 hours on Friday doing packet captures at both ends of the tunnel and then opening tickets with both firewall vendors.  Right now both vendors are claiming that they are not modifying the packet, but according to the packet captures, somebody is.  Now have to get one of them to figure out who is doing it and fix it.

Valued Contributor II

Re: Simple remote user won't register with 7100

Thanks for the update. Not sure how they can argue against a packet capture. Can’t get more raw info than that.

Solution 3: put ADTRAN router/firewall/VPN at edge 😃

-Mark