I have Polycom IP 450s and IP 331s connected to my ECS platform via VPN tunnel. The phones lose connection at least once a day and have to be reset in order to come back online. My tunnel appears stable with no drops. I have disabled SIP ALG on the remote side. The remote side is a Cisco RVS4000. The local side is an Adtran 5305. Both sides have a 10mbs connection. My ping rate never exceeds 10ms.
Any ideas would be greatly appreciated.
tracyhammer,
Based on the symptoms you described, it sounds like the VPN tunnel may in fact be down when the phones would normally attempt to re-register automatically to the ECS. Rebooting a phone triggers a lot of things to happen (TFTP, FTP, NTP, etc.) and should trigger the needed traffic to bring the tunnel back up. I am not sure if the other devices that use the tunnel are on the same subnet as the phones at the remote site or as the ECS for the local site, but that could be one of several reasons for the discrepancy that other VPN applications work besides the phones.
To start, I would suggest implementing a ping probe on the 5305 that sends a ping from the IP of the Ethernet interface the ECS subnet is located on and destined to the IP of the remote Ethernet interface where the phone subnet is located. This would keep the tunnel up indefinitely instead of it being disconnected automatically when encrypted traffic is absent for a long enough time. A sample configuration is shown below. Give that a try and let me know if that does not do the trick.
!
probe VPN-KeepAlive icmp-echo
destination <Peer Router's LAN IP Address that phones are in>
source-address <Local Router's LAN IP Address that ECS is in>
period 60
no shutdown
!
Thanks,
Matt
Matt... thanks for the input... I think, however, my problem may be deeper than the VPN. The tunnel seems stable and I have enabled the probe. Still, I have random phones that will simply stop communicating and they have to be reset. Is there a "Best Practices" or some type of Adtran config sheet for the Polycom phones? Something that details the registration information?
Thanks for your help.
Tracy,
The phones should keep attempting to register to the ECS. If they do not get a response when attempting, they will wait for a timeout, try again, and repeat. When a phone is rebooted and does successfully register, the ECS will send back a 200 OK response to the registration, which will contain an Expires field. The phone will attempt to register at half that time. For example, if a 200 OK response to a registration contained an Expires of 600 seconds, the phone will try to register again at 300 seconds.
I would suggest checking the CALLROUTER logs on the UC server to verify if you see a SIP REGISTER message come in from the problem phones at the appropriate time. Those logs are by default kept in this folder:
C:\Program Files (x86)\ADTRAN\NetVanta UC Server\SIPPBX\logs\CALLROUTER
It would likely be easiest to wait until the phones are down again and then go pull the two most current files out of that log (maybe more depending on traffic), including the one that should be increasing in size currently. If you don’t see REGISTER messages in those logs from the problem phones, then something in the network is preventing them from hitting the ECS.
If you reboot one phone does that fix the others that are down or do all remote phones have to be power cycled one at a time to resolve this?
Thanks,
Matt
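The REGISTER check described in the reply above, as an added example that is not part of the original thread and not ADTRAN code: it reads SIP registration traffic from a log and reports phones that are past the half-Expires refresh time. The log layout (a timestamp line followed by the raw SIP message, entries separated by blank lines), the extensions and the host name are constructed assumptions; the real CALLROUTER log format may differ.

```python
import re
from datetime import datetime, timedelta

def _msg(ts, first_line, ext, extra=""):
    # Constructed entry: timestamp line, then a raw SIP message (assumed layout).
    return (f"{ts}\n{first_line}\nTo: <sip:{ext}@ecs.example.test>\n"
            f"CSeq: 1 REGISTER\n{extra}")

def _cycle(ts, ext, expires=600):
    # One REGISTER from a phone plus the 200 OK sent back to it.
    return [_msg(ts, "REGISTER sip:ecs.example.test SIP/2.0", ext),
            _msg(ts, "SIP/2.0 200 OK", ext, f"Expires: {expires}\n")]

# Constructed sample: 201 keeps refreshing, 202 goes silent after 08:00:05.
SAMPLE_LOG = "\n\n".join(
    _cycle("2024-01-10 08:00:00", "201") + _cycle("2024-01-10 08:00:05", "202")
    + _cycle("2024-01-10 08:05:00", "201") + _cycle("2024-01-10 08:10:00", "201"))

def overdue_phones(log_text, now):
    """Return {extension: seconds past the expected re-REGISTER time}."""
    last_reg, granted = {}, {}
    for block in re.split(r"\n\s*\n", log_text.strip()):
        ts, _, msg = block.partition("\n")
        to = re.search(r"^To:.*?sip:([^@>;]+)@", msg, re.M | re.I)
        if not to or not re.search(r"^CSeq:\s*\d+\s+REGISTER", msg, re.M | re.I):
            continue  # not part of a registration transaction
        ext = to.group(1)
        if msg.startswith("REGISTER "):
            last_reg[ext] = datetime.strptime(ts.strip(), "%Y-%m-%d %H:%M:%S")
        elif msg.startswith("SIP/2.0 200"):
            # Lifetime may be an Expires header or a Contact ;expires= parameter.
            exp = re.search(r"expires\s*[:=]\s*(\d+)", msg, re.I)
            if exp:
                granted[ext] = int(exp.group(1))
    overdue = {}
    for ext, seen in last_reg.items():
        if ext not in granted:
            continue  # never saw a 200 OK, so no refresh time to compare against
        due = seen + timedelta(seconds=granted[ext] / 2)  # refresh at half Expires
        if now > due:
            overdue[ext] = int((now - due).total_seconds())
    return overdue

if __name__ == "__main__":
    print(overdue_phones(SAMPLE_LOG, datetime(2024, 1, 10, 8, 12, 0)))
```

A phone that appears in the result while the VPN probe shows no failures points away from the tunnel and toward the phone or the LAN path in front of it.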
Matt… Your help is greatly appreciated. I have bought myself some time by moving the site's old 3Com phones back into play temporarily. This will allow me to more completely troubleshoot.
I did implement the probe that you suggested. I notice that within the last 24hrs I have (2) fails. So indeed the VPN appears to briefly stop working and the phones go offline at which time I have to reboot all offline phones… not all tend to go offline… about half of the 21 devices at this site. They may possibly be on separate switches.
I would assume all phones would go offline considering that they all have the same program parameters.
Below are my next steps in the troubleshooting process:
· Isolate a 24 port POE to the network and plug in all Polycom phones side by side.
· Install a new Netvanta 3430 Router for the site.
· Reboot all phones to default (I have moved around much of the phone programming trying to correct the re-connect issue)
· Continue with a Probe
What should I do with SIP-ALG? It is enabled on my 5305. Should I enable this on my 3430? How about multicast? Could this be an issue? Are there any particular IP or UDP ports I should have open?
Let me know if you have any suggestions.
Thanks,
Tracy,
I would assume over a long enough period of time all the phones would get in this state, but if only a particular group have this problem it would be helpful to know what is different about them vs the others that don’t get in this state. If the phone configurations have been altered a lot on the ECS it may be worth deleting the phones and starting fresh, especially if it is a relatively small number of phones to reconfigure. In general we don’t recommend tweaking the parameters inside the phone configuration files once they are built as that may cause unpredictable results.
You should not have to worry about the SIP ALG if your VPN selectors are set to be stateless. This bypasses all ALGs including the SIP ALG and is our recommendation for VPN between two sites. The VPN selectors should reference an ACL that matches all IP traffic between the subnets instead of only specific ports or protocols.
Thanks,
Matt