Auto Provision phone

Hi Everyone, I currently have an issue on a new PBX migration, so this current setup is not in production yet. The FreePBX instance I am running is currently being hosted, has a public IP and is behind a managed firewall. Computers placed in the voice VLAN receive an IP from the correct DHCP scope, have internet access, are able to talk to FreePBX on port 83 and are able to download the config file. For DHCP I am using Microsoft DHCP server on Windows 2012 and have DHCP option 66 configured to the public IP address of the FreePBX server (not local loopback, not an unroutable internal address, or similar). When I connect a phone, DHCP seems to work as it gets an IP address from the correct scope, but it doesn't seem to attempt to connect to the FreePBX server. The results seem to be the same with different DHCP servers, a test Windows 2012 DHCP server and the SonicWALL firewall DHCP server. I have verified that no traffic is seen on the FreePBX server with a TCP dump, the managed firewall providers do not see the phone traffic hitting the firewall, and my outgoing SonicWALL firewall doesn't have any logs of it either. Currently I'm stuck on next troubleshooting steps; I would think it is a DHCP config issue but there doesn't seem to be much in the way to verify. Any suggestions would be helpful.

DHCP Server: Windows 2012
FreePBX: 13.0.190.11 Ran Updates this morning
Switches: Dell N2000
Firewall: SonicWALL NSA
Phone: Grandstream 2140
Data VLAN: 20
interface vlan 20
ip address X.Y.20.1 255.255.255.0
ip helper-address X.Y.78.201
ip helper-address X.Y.79.201
exit
Voice VLAN: 30
interface vlan 30
ip address X.Y.30.1 255.255.255.0
ip helper-address X.Y.78.201
ip helper-address X.Y.79.201
exit
Switch Port
interface Gi3/0/28
spanning-tree portfast
switchport mode general
switchport general pvid 20
switchport general allowed vlan add 20
switchport general allowed vlan add 30 tagged
lldp transmit-tlv port-desc sys-name sys-desc sys-cap
lldp transmit-mgmt
lldp notification
lldp med confignotification
voice vlan 30
exit

To be clear, the phone gets an IP address in the 30.1 range?

Can you ping the phone from the Sonicwall?

Do you have a policy for VLAN 30 to egress the local network and be NAT’d? If you turn on monitoring on that interface do you see traffic hitting it?

Correct, X.Y is the network ID and has been redacted. The PC in the voice VLAN had X.Y.30.61 and the phone had X.Y.30.62. When confirming the results using a different DHCP server, it received X.Y.30.120.

X.Y.30.120 pings successfully from the SonicWALL and both DHCP servers. I didn't make this clear earlier: the DHCP servers are not in the same VLANs as voice and data, so the IP helpers should be X.Z.78.201 and X.Z.79.201.

The last question I think you are asking is "do I have the phones' external traffic being NAT'd from internal IPs to a routable public IP?" Yes, part of this rule was required for sticky NAT and UDP timeout issues with standard SonicWALL issues. Though I cannot verify this from the phone, I did verify that it was working properly from the PC.

Have you set the phones up in the EPM? What type of phones are they?

Phone is Grandstream 2140
Phone is set up in endpoint manager; it is currently registered to the FreePBX instance (manually configured).
Extension mapping below
3999 Phone, Test Grandstream Phones Public IP grandsteam2140
Account1 000B82:xx:xx:xx 45 ms GXP-2140

I am able to download http://publicIPAddress:83/cfg00b82xxxxxx from a PC in the Voice VLAN.

Destination address: External FQDN of PBX server
Provision server protocol: HTTP
Provision server address: http://FQDN:83

I think I have resolved my issue. 1st problem: looks like MS DHCP was not providing option 66. No clue why, but Wireshark traces did not show any custom options. I moved it back to the SonicWALL and changed the public IP address to http://PublicIP:83. Next test will be to move to HTTPS with authentication. Thanks for your assistance.
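
The step that settled the first problem above, checking in a packet trace whether the DHCP server actually hands out option 66, can be automated. The following is an added example (not from this thread, FreePBX or Grandstream) that parses the options field of a DHCPOFFER and reports the option 66 value a phone would use. The two offers it inspects are constructed in the code from documentation addresses rather than taken from a capture; `build_offer`, `parse_options` and `provisioning_server` are this example's own names.

```python
"""Parse DHCP options out of a DHCPOFFER and report whether option 66 is present."""
from __future__ import annotations

import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the options field
HEADER_LEN = 236                     # fixed BOOTP header before the cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_TFTP_SERVER = 53, 54, 66
MSG_OFFER = 2


def build_offer(yiaddr: str, options: dict[int, bytes]) -> bytes:
    """Build a minimal DHCPOFFER; used here only to construct sample input, not a real capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0,                          # xid (arbitrary), secs, flags
        b"\0" * 4,                                 # ciaddr
        IPv4Address(yiaddr).packed,                # yiaddr: address offered to the phone
        b"\0" * 4, b"\0" * 4,                      # siaddr, giaddr
        b"\x00\x0b\x82\x00\x00\x00" + b"\0" * 10,  # chaddr (sample MAC with the 00:0B:82 OUI)
        b"\0" * 64, b"\0" * 128,                   # sname, file
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: value} for the options field of a DHCP packet.

    Repeated occurrences of an option are concatenated (RFC 3396); a packet that is cut
    off in the middle of an option raises instead of silently returning partial data.
    """
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts: dict[int, bytes] = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError(f"truncated header for option {code}")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def provisioning_server(packet: bytes) -> str | None:
    """Return the option 66 string from a DHCPOFFER, or None if the offer carries no option 66."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        raise ValueError("not a DHCPOFFER")
    value = opts.get(OPT_TFTP_SERVER)
    return value.decode("ascii", "replace") if value else None


# Constructed sample offers: one carrying option 66 with an HTTP provisioning URL on
# port 83, one from a server that omits the option entirely (the failure in the thread).
SERVER_ID = IPv4Address("192.0.2.201").packed
OFFER_WITH_66 = build_offer("192.0.2.62", {
    OPT_MSG_TYPE: bytes([MSG_OFFER]),
    OPT_SERVER_ID: SERVER_ID,
    OPT_TFTP_SERVER: b"http://203.0.113.10:83",
})
OFFER_WITHOUT_66 = build_offer("192.0.2.120", {
    OPT_MSG_TYPE: bytes([MSG_OFFER]),
    OPT_SERVER_ID: SERVER_ID,
})

if __name__ == "__main__":
    for name, pkt in (("with option 66", OFFER_WITH_66), ("without option 66", OFFER_WITHOUT_66)):
        print(f"offer {name}: options {sorted(parse_options(pkt))} -> server {provisioning_server(pkt)!r}")
```

To run this against real traffic, export the UDP payload of the offer from Wireshark and pass those bytes to `provisioning_server`; the parser only needs the data from the BOOTP header onward. Because `parse_options` returns every option, the same dictionary also shows whether the server put the address somewhere else, such as option 43 (vendor-specific) or option 150.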

I have everything working now but I believe that there is a bug, because the workaround seems a little bit strange. I'm happy to put in the bug report but wanted to confirm that it isn't the actual behavior. I am using a Grandstream GXP-2140 phone, endpoint manager, hosted CyberLynk FreePBX. I want to be able to set up auto provision and auto firmware upgrade via authenticated HTTPS (I feel this is a requirement due to SIP secrets potentially being exposed, but this could be incorrect). Anyway, there is no option for a provision server for Grandstream phones for HTTPS. So I go to the custom portion and enter the following string in the following format: https://user:password@IPorFQDN:port. When I factory reset the phone it picks up the string from DHCP of https://user:password@IPorFQDN:port, gets the initial config and looks good. If I make a change, for example with that same phone, and change the extension mapping to use line 2 instead of line 1 and reboot the phone, it will not get the change. Also it will not be able to get the firmware off the server. When reviewing the phone settings in provision I see the string in the following format: https://user:password@IPorFQDN:port:83 where 83 is the HTTP provisioning port. I've worked around it by changing the base file P192 = https://user:password@IPorFQDN:port/grandstream/1 and P237 = https://user:password@IPorFQDN:port. While this could be normal behavior, I don't understand why it would append :83 when the custom string specifically states to put in the port number.

Can anyone confirm if this is indeed a bug?
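
The `:port:83` string the phone ended up with is the kind of thing worth checking automatically before a URL goes into DHCP option 66 or a P192/P237 base file. The following is an added example (not from this thread, FreePBX or Grandstream): a small validator that flags plain HTTP (the cleartext SIP-secret concern raised above), credentials embedded in the URL (they travel unencrypted inside the DHCP offer on the voice VLAN), and a malformed port such as `443:83`. The URLs it checks are constructed; `check_provisioning_url` and its `expected_port` parameter are this example's own names.

```python
"""Sanity-check a phone provisioning URL before it goes into option 66 or a base file."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# userinfo@host:port, where host is a bracketed IPv6 literal or anything up to the first
# colon. Everything after that colon is taken as the port, so "host:443:83" yields "443:83".
_NETLOC = re.compile(
    r"^(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>\[[^\]]+\]|[^:]+)"
    r"(?::(?P<port>.*))?$"
)
DEFAULT_PORT = {"http": 80, "https": 443}


def check_provisioning_url(url: str, expected_port: int | None = None) -> list[str]:
    """Return a list of findings for a provisioning URL; an empty list means it looks sane."""
    findings: list[str] = []
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return [f"unsupported scheme {parts.scheme!r}"]
    if parts.scheme != "https":
        findings.append("plain HTTP: the config file, including SIP secrets, is fetched in cleartext")
    m = _NETLOC.match(parts.netloc)
    if not m:
        return findings + [f"cannot parse host portion {parts.netloc!r}"]
    if m.group("user") is not None:
        findings.append("credentials are embedded in the URL; they are visible in the DHCP "
                        "offer and in the phone's stored config")
    port = m.group("port")
    if port is None:
        port_num: int | None = DEFAULT_PORT[parts.scheme]
    elif port.isdigit() and 0 < int(port) <= 65535:
        port_num = int(port)
    else:
        findings.append(f"malformed port {port!r}: looks like a second port was appended")
        port_num = None
    if expected_port is not None and port_num is not None and port_num != expected_port:
        findings.append(f"port {port_num} differs from expected {expected_port}")
    return findings


# Constructed sample URLs (documentation names/addresses), not values from the thread.
SAMPLE_URLS = [
    "https://user:password@pbx.example.com:443:83",   # what the phone showed after EPM rewrote it
    "http://203.0.113.10:83",                          # the HTTP fallback used earlier
    "https://pbx.example.com:8443",                    # clean HTTPS on a custom port
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        for finding in check_provisioning_url(u) or ["ok"]:
            print("  -", finding)
```

Running it with `expected_port` set to the HTTPS port you configured catches the second failure mode in the post as well: a URL that silently reverted to the HTTP port is reported even when it parses cleanly.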