Solved Elastix: phones lose registration
-
Something that has been bothering me a bit is MAC addresses.
While it is not an 'end all' tool, I used AngryIP to scan the vLAN .100 - .189 to find all the active IPs. I added MAC access resolution to the scan and when it was done, all 25 IPs had the same MAC address.
I've logged into half of the phones and the phone GUI shows that they are different per phone.
Doing an ARP -a gives this:
-
Is there NAT involved in their VPN?
Either that or some other routing problem.
I bet that MAC is the router.
If so randomize the SIP port on all the phones. Your problem will go away.
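The check behind the observation in this thread (every scanned IP resolving to one MAC), as an added example that is not part of any poster's message. It parses Windows `arp -a` output and reports MACs that answer for several IPs; the sample table is constructed with documentation addresses, and the threshold of 3 and the second MAC are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Windows `arp -a` layout (documentation addresses,
# not the poster's network). The shared MAC is the one quoted in the thread.
SAMPLE_ARP = """\
Interface: 192.0.2.11 --- 0xc
  Internet Address      Physical Address      Type
  192.0.2.1             00-01-e8-d7-ab-5f     dynamic
  192.0.2.100           00-01-e8-d7-ab-5f     dynamic
  192.0.2.101           00-01-e8-d7-ab-5f     dynamic
  192.0.2.102           00-01-e8-d7-ab-5f     dynamic
  192.0.2.50            02-00-00-aa-bb-01     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
    r"\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {mac: [ip, ...]} for unicast, dynamically learned entries."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        # The low bit of the first octet (I/G bit) marks broadcast/multicast.
        if kind != "dynamic" or int(mac[:2], 16) & 1:
            continue
        by_mac[mac].append(ip)
    return dict(by_mac)

def shared_macs(by_mac, threshold=3):
    """MACs answering for >= threshold IPs: a router, proxy ARP, or a forged reply."""
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} (OUI {mac[:8]}) answers for {len(ips)} IPs: {', '.join(ips)}")
```

The OUI printed for a flagged MAC is what gets looked up against a vendor database to identify the device that is answering.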
-
@g.jacobse said:
00-01-e8-d7-ab-5f
A lookup shows that as Force10 Networks?
http://www.coffer.com/mac_find/?string=00-01-e8-d7-ab-5f
-
@JaredBusch said:
@g.jacobse said:
00-01-e8-d7-ab-5f
A lookup shows that as Force10 Networks?
http://www.coffer.com/mac_find/?string=00-01-e8-d7-ab-5f
Confirmed. Switch as the other end of the VPN.
-
@g.jacobse said:
Confirmed. Switch as the other end of the VPN.
Change the phones to use some port other than 5060 for the SIP registration.
Make sure they are all different as you cannot reuse the same port behind a NAT and this issue is looking to me like that.
-
Well, that or make whoever runs the network figure out what is happening on their side.
-
@JaredBusch said:
@g.jacobse said:
Confirmed. Switch as the other end of the VPN.
Change the phones to use some port other than 5060 for the SIP registration.
Make sure they are all different as you cannot reuse the same port behind a NAT and this issue is looking to me like that.
Would the usage of a STUN server solve this issue?
-
@JaredBusch said:
Well, that or make whoever runs the network figure out what is happening on their side.
That is proving difficult.
-
@coliver said:
@JaredBusch said:
@g.jacobse said:
Confirmed. Switch as the other end of the VPN.
Change the phones to use some port other than 5060 for the SIP registration.
Make sure they are all different as you cannot reuse the same port behind a NAT and this issue is looking to me like that.
Would the usage of a STUN server solve this issue?
Yes, but you would have to set one up internally as they obviously have everything inside the VPN.
-
@scottalanmiller said:
@coliver said:
Would the usage of a STUN server solve this issue?
Should not be any NAT.
Should not be any NAT, but it sure is acting like it if everything is reporting the same MAC.
-
Yeah, that is very fishy.
-
Statement I was given regarding the MACs:
...as an aside, this has nothing to do with the, or any, firewall. This is normal layer2/layer3 handoff in any network...
-
To give background here, the Fortigate has a Juniper L3 switch connected to it. Supposedly the config on that guy has not changed, but I don't think we really know.
-
@JaredBusch said:
@scottalanmiller said:
@coliver said:
Would the usage of a STUN server solve this issue?
Should not be any NAT.
Should not be any NAT, but it sure is acting like it if everything is reporting the same MAC.
Is that right? Wouldn't you always lose the originating MAC if you go through a router of any kind? i.e. a VPN?
-
@Dashrender said:
Is that right? Wouldn't you always lose the originating MAC if you go through a router of any kind? i.e. a VPN?
It depends on the VPN. It can easily bridge at either Level 2 or Level 3. One will let everything pass through, the other would show the MAC from the bridge. Either way, as long as there is no NAT, it should not interfere. That is true.
Just the description of the problem fits more to a NAT scenario.
-
Speaking with a 3rd party network tech who is on site. We have three phones that aren't connecting - turns out that one of the POE ports was bad...
One is bad... more is likely. Replace the switch!
-
Looks like more than one port is bad as far as POE goes.
Got down to it being either the phone itself or the port, but ports were 'testing' okay. Defaulted the three phones that were missing and they now have IP addresses where we can get to them and program them.
Sad news is that during all this... they broke the VPN and we can't get in.
Interestingly on that note, they have a Fortigate 60D at that site. They can't update the firmware to do the testing they need. Hmm... Firmware update failed... makes you wonder.
Glad to see we didn't lose three phones though. Losing a port on the Juniper is bad enough (just the POE side it seems)... but still.
-
Wow, on a high end Juniper switch? That's more bad ports on a single Juniper than I've seen first hand on decades of use of Netgear!