External phone does not fetch config

I’m experimenting with new Sangoma s500 phones we purchased. One is on the same network as my PBX, the other is on a different network. I have created two templates, an internal template and an external template.

My internal template works great, I can make changes, update it and the phones grab the config.

My external template is not getting pushed to the phone that is on a different network than the PBX. It seems the phone can’t grab the config. I am able to reboot the phone from my PBX in Extension Mapping, but the config will not send to the phone.

Here are my template settings.

Am I missing a setting? Or do I need to open ports on the external network?

Thanks,
Brad

You have to open ports, but I would only allow traffic from the remote end (where the phone is) or set up a VPN on the phone.

You need to open the HTTP port that you have set up for phone provisioning, as shown on the global settings tab of EPM.

Thanks for the reply.

My issue is that I can’t change port settings on the network where the remote phone is. Can I set the phone up on the same network as my PBX, configure VPN, then plug the phone in on the remote network and it will all work? If so, would I assign the internal template that I’ve created to that remote phone? Or does it still need the external template assigned?

At this time phone configs cannot be retrieved over the VPN. We are working on it for a future firmware update, but the sequence right now is that the VPN is started after the config is retrieved, as the config is what tells the phone about the VPN, so at this time that would not work.

Ok. So I set the phone up on the same network as the PBX and using the internal template. Once it was up and running I went into EPM>Extension Mapping and changed the template to external and assigned the VPN client for the phone. I rebuilt configs. I then plugged the phone into the other network (that the PBX is not on) and it is showing unreachable. It also still shows the local IP for the phone.

Am I missing something? I thought that order of steps would have sent the VPN settings to the phone and set it to use VPN.

The phone will still show the local IP in the phone. It would also show the VPN IP if the VPN is set up and working. Sounds like the phone cannot connect to the VPN. Remember, for the VPN to work you need to open up the VPN port on your firewall to the PBX so the VPN client on the phone can reach the PBX VPN server.

I have port 1194 UDP/TCP open on the firewall, per the VPN setup instructions. Does a port need to be open on the network the phone is plugged in to?

No, you do not need any ports opened on the firewall where the phone is.

Did you reboot the phone while it was local to make sure it gets the config and VPN certs?

Also, as stated, even across VPN the port for configurations still needs to be open for the phone. VPN is only used for voice and phone apps traffic.

Ok, I got the phone to grab the VPN config. The phone shows “VPN Activated” on the screen. But, when I connect the phone to an outside network it still shows unreachable. I have the phone assigned to the external template with the VPN activated.

I have port 84 open for HTTP provisioning, port 69 open for TFTP, and port 21 open for FTP.

OK, well, if you are only using HTTP then you do not need to open TFTP or FTP.

If the phone on the external network shows the VPN unreachable when outside your network, then you do not have the OpenVPN port opened or you set up your VPN server with the internal IP address, not the external IP address, in the VPN server. In the VPN server you tell it the IP of the server, and that is how the VPN client knows to reach the PBX.

In my System Admin>VPN Server>settings I have “server remote address” set as my external IP. Is that correct?

I have port 1194 open both UDP and TCP.

That would be correct, but something is keeping it from connecting. Look at the syslog in the phone GUI for hints about what is going on.

I’ve looked through the log, while I’m not an expert by any means, I can’t figure out where it is having trouble.

Log can be accessed here:
https://drive.google.com/file/d/0Bz5xVxVe_uf1X1ltLWIxMkpFU2M/view?usp=sharing

Thanks for all the help!

I am sorry, I am not sure, but I would start with whether you can connect to the VPN server from the same location the phone is at, using a computer and an OpenVPN client with the same certs. Certs can be downloaded from UCP if you enable it for the user.

I was able to connect to the VPN using a computer with OpenVPN. Logs from the connection are below. I noticed it was trying to connect using my deployment address that the DDNS uses. If it matters, I do not have DDNS enabled. The network has a static IP.

Mon Oct 10 15:30:38 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 3 2016
Mon Oct 10 15:30:38 2016 Windows version 6.1 (Windows 7) 64bit
Mon Oct 10 15:30:38 2016 library versions: OpenSSL 1.0.1u 22 Sep 2016, LZO 2.09
Enter Management Password:
Mon Oct 10 15:30:38 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Oct 10 15:30:38 2016 Need hold release from management interface, waiting…
Mon Oct 10 15:30:39 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Oct 10 15:30:39 2016 MANAGEMENT: CMD 'state on’
Mon Oct 10 15:30:39 2016 MANAGEMENT: CMD 'log all on’
Mon Oct 10 15:30:39 2016 MANAGEMENT: CMD 'hold off’
Mon Oct 10 15:30:39 2016 MANAGEMENT: CMD 'hold release’
Mon Oct 10 15:30:39 2016 MANAGEMENT: CMD 'proxy NONE '
Mon Oct 10 15:30:40 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 10 15:30:40 2016 MANAGEMENT: >STATE:1476131440,RESOLVE,
Mon Oct 10 15:30:40 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:30:40 2016 MANAGEMENT: >STATE:1476131440,RESOLVE,
Mon Oct 10 15:30:40 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:30:45 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:30:50 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:30:55 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:00 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:05 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:10 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:15 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:20 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:25 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:30 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:35 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:35 2016 SIGUSR1[soft,init_instance] received, process restarting
Mon Oct 10 15:31:35 2016 MANAGEMENT: >STATE:1476131495,RECONNECTING,init_instance,
Mon Oct 10 15:31:35 2016 Restart pause, 2 second(s)
Mon Oct 10 15:31:37 2016 MANAGEMENT: CMD 'proxy NONE '
Mon Oct 10 15:31:38 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 10 15:31:38 2016 UDPv4 link local: [undef]
Mon Oct 10 15:31:38 2016 UDPv4 link remote: [AF_INET]xx.xxx.xx.xxx:1194
Mon Oct 10 15:31:38 2016 MANAGEMENT: >STATE:1476131498,WAIT,
Mon Oct 10 15:31:38 2016 MANAGEMENT: >STATE:1476131498,AUTH,
Mon Oct 10 15:31:38 2016 TLS: Initial packet from [AF_INET]xx.xxx.xx.xxx:1194, sid=379253a1 a98ba339
Mon Oct 10 15:31:39 2016 VERIFY OK: depth=1, CN=FreePBX
Mon Oct 10 15:31:39 2016 Validating certificate key usage
Mon Oct 10 15:31:39 2016 ++ Certificate has key usage 00a0, expects 00a0
Mon Oct 10 15:31:39 2016 VERIFY KU OK
Mon Oct 10 15:31:39 2016 Validating certificate extended key usage
Mon Oct 10 15:31:39 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Oct 10 15:31:39 2016 VERIFY EKU OK
Mon Oct 10 15:31:39 2016 VERIFY OK: depth=0, CN=server1
Mon Oct 10 15:31:39 2016 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
Mon Oct 10 15:31:39 2016 WARNING: this cipher’s block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Mon Oct 10 15:31:39 2016 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Mon Oct 10 15:31:39 2016 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
Mon Oct 10 15:31:39 2016 WARNING: this cipher’s block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Mon Oct 10 15:31:39 2016 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Mon Oct 10 15:31:39 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Oct 10 15:31:39 2016 [server1] Peer Connection Initiated with [AF_INET]xx.xxx.xx.xxx:1194
Mon Oct 10 15:31:40 2016 MANAGEMENT: >STATE:1476131500,GET_CONFIG,
Mon Oct 10 15:31:41 2016 SENT CONTROL [server1]: ‘PUSH_REQUEST’ (status=1)
Mon Oct 10 15:31:41 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0’
Mon Oct 10 15:31:41 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 10 15:31:41 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 10 15:31:41 2016 OPTIONS IMPORT: route-related options modified
Mon Oct 10 15:31:41 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Oct 10 15:31:41 2016 MANAGEMENT: >STATE:1476131501,ASSIGN_IP,10.8.0.2,
Mon Oct 10 15:31:41 2016 open_tun, tt->ipv6=0
Mon Oct 10 15:31:41 2016 TAP-WIN32 device [Local Area Connection 3] opened: \.\Global{A76A0A22-8D60-4017-9874-0998407A8019}.tap
Mon Oct 10 15:31:41 2016 TAP-Windows Driver Version 9.21
Mon Oct 10 15:31:41 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Mon Oct 10 15:31:41 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {A76A0A22-8D60-4017-9874-0998407A8019} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Mon Oct 10 15:31:41 2016 Successful ARP Flush on interface [31] {A76A0A22-8D60-4017-9874-0998407A8019}
Mon Oct 10 15:31:47 2016 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Mon Oct 10 15:31:47 2016 Initialization Sequence Completed
Mon Oct 10 15:31:47 2016 MANAGEMENT: >STATE:1476131507,CONNECTED,SUCCESS,10.8.0.2,xx.xxx.xx.xxx
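
As an added example (not part of the original thread): a small Python triage script for an OpenVPN client log like the one above. It reports DNS failures for the server name, the connection states reached, and any 64-bit-block data-channel cipher. The sample lines are a constructed excerpt of that log, and the function and variable names are hypothetical.

```python
import re

# Constructed excerpt modelled on the client log in the post above (host and IP redacted).
SAMPLE_LOG = """\
Mon Oct 10 15:30:40 2016 MANAGEMENT: >STATE:1476131440,RESOLVE,
Mon Oct 10 15:30:40 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:30:45 2016 RESOLVE: Cannot resolve host address: xxxxxxxx.deployments.pbxact.com: The requested name is valid, but no data of the requested type was found.
Mon Oct 10 15:31:38 2016 UDPv4 link remote: [AF_INET]xx.xxx.xx.xxx:1194
Mon Oct 10 15:31:38 2016 MANAGEMENT: >STATE:1476131498,AUTH,
Mon Oct 10 15:31:39 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 10 15:31:47 2016 MANAGEMENT: >STATE:1476131507,CONNECTED,SUCCESS,10.8.0.2,xx.xxx.xx.xxx
"""

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
RESOLVE_RE = re.compile(r"RESOLVE: Cannot resolve host address: ([^:\s]+):")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+):(\d+)")
# Accept straight or typographic quotes, since forum software often converts them.
CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher ['‘]([^'’]+)['’]")
# Ciphers with a 64-bit block; the log above carries OpenVPN's own warning for BF-CBC.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def summarize(log_text):
    """Return where the client got stuck and which data-channel cipher it used."""
    states, dns_failures, ciphers, remote = [], {}, set(), None
    for line in log_text.splitlines():
        if (m := STATE_RE.search(line)) and (not states or states[-1] != m.group(1)):
            states.append(m.group(1))          # collapse consecutive repeats
        if m := RESOLVE_RE.search(line):
            dns_failures[m.group(1)] = dns_failures.get(m.group(1), 0) + 1
        if m := REMOTE_RE.search(line):
            remote = (m.group(1), int(m.group(2)))
        if m := CIPHER_RE.search(line):
            ciphers.add(m.group(1))
    if "CONNECTED" in states:
        verdict = "tunnel up"
    elif dns_failures and remote is None:
        verdict = "DNS: server name in client profile does not resolve"
    elif remote and "AUTH" not in states:
        verdict = "no reply from server: check firewall / port forward"
    else:
        verdict = "handshake started but did not complete"
    return {"states": states, "dns_failures": dns_failures, "remote": remote,
            "weak_ciphers": sorted(ciphers & SMALL_BLOCK), "verdict": verdict}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A log that ends while the name is still failing to resolve gets the DNS verdict, which is the condition the phone would have been stuck in; a log that reaches CONNECTED still lists the earlier resolution failures so they are not overlooked.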

It works! Apparently I had to have the DDNS service enabled. Once I did that it connected. Thanks for the help and walking me through it. Your idea to use OpenVPN to diagnose is what got me there.

Thanks Again!

You don’t have to use DDNS. It’s whatever you set up in the VPN server. In the VPN server you can set up DDNS or an IP address.