Rebooting VVX Remotely

I would like to be able to reboot any of our Polycom VVX410 phones from the command line on our PBX to resolve a variety of quirky errors I’ve noticed with the phones, especially after I make configuration changes. From what I’ve found, there are two ways to do this - with the REST API or via a call to curl.

First option

Curl would be the simplest method IMO as I don’t need to rely on the REST API to be enabled on the phones. However, I’ve been unable to get this to work. I’ve tried different combinations of parameters, headers, cookie settings, etc., and always get 401 Unauthorized as a response. I know the base64 encoded password works as I can log in with https:///form-submit/auth.htm and it returns hypertext. There is a session cookie being set & sent along to the call to Reboot - this cookie is set when I use the -c option in curl. Weirdly, if I use -c in the subsequent call to Reboot, I get 401 Unauthorized, but if I use -b (cookie file in read only mode), I get 403 Forbidden. I am able to reboot a phone after logging into its GUI and then copying the parameters from the browser over to a curl call to Reboot. There is an ‘anti-csrf-token’ parameter in the browser which is not set as a cookie - research shows that this is meant to prevent cross-site scripting. My hunch is that this is what’s preventing the reboot from working, but all I get back from the call to auth.htm is a ‘lockparams|SUCCESS|0’ message. Does anyone happen to know how to reboot a VVX410 running firmware 5.9.8.5760 from a command line?

Second Option

The other option is to use the REST API in the phone. This is very simple to make work from the command line, but would require me to log in to each and every phone to enable REST in the phone’s GUI, plus remember to manually do this for every new / replacement phone. Looking online, I’ve found various ways of enabling this from the provisioning server:

Unfortunately, I have been unable to get the basefile editor to add a section to any of the config files for the test template I created. The directions at the top of the basefile editor are:

Every basefile entry requires the following.
A “File”.
Needs to be the name of the file the setting will be in. ie:mac-legacy, features, etc. If you do not know what the file name is, click on an existing setting.
A “Section”.
For instance:
To add an entry to the Port_Config section, “Section” needs to be set to Port_Config (case sensitive).
To create a new section, “Section” needs to be the section it will be within (use “TOP” if it should not be in a section), PARAMETER is the new sections name, and VALUE would be “PARENT” to define it as a new section.
A “Parameter”.
This is the setting name.
A “Value”.
This is the actual setting.

I’ve followed the directions at the top in every way I can think of interpreting them, trying to add a new section, add a new parameter to an existing section, and I even tried swearing at it, but nothing I’ve done has resulted in being able to add any of the parameters I’ve found online to the basefile. About all I’m left with as far as to possibly make it work is to find where the config files are kept in the file system & manually edit them, which I’m warned not to do because the changes will be overwritten whenever the basefile editor regenerates them. While I would prefer to simply use curl instead of opening the REST API on the phones, at this point I’m willing to settle for just making it work and moving on with my life. So barring a solution to the question in the first option, how would I go about enabling the REST API on the phones in bulk from the server when they’re provisioned?

I discovered that there is a meta name=“csrf-token” line in the hypertext headers if you authenticate with auth.htm and then grab index.htm from the phone using that session cookie. Unfortunately, when I strip out just the token & pass it as a header with the anti-csrf-token header (as happens when I reboot the phone in my browser) using the same cookie file, I once again get 403 Forbidden.

edit - I was using single quotes instead of double in the bash script, so it was sending the variable name as the CSRF token. :man_facepalming: Corrected that and now it doesn’t complain about 403 forbidden. Unfortunately, it doesn’t do anything else either - doesn’t complain, doesn’t return anything, doesn’t reject, doesn’t reboot the phone… nothing.

Assuming you have the appropriate notification entry in your sip config files, why not just call asterisk -x 'pjsip send notify polycom-check-cfg endpoint 1234'

1 Like

What you might consider doing is identifying the switchport on your switch the polycom is plugged into, then power-cycling the port. (assuming the phone is POE)

You can find the phone’s IP from the pbx

You can find the phone’s MAC from the switch’s ARP table

On a typical Cisco Catalyst at the command line,

show ip arp | include 192.168.1.5
show mac | include df3e (assume df3e is the last 4 digits of the phone’s mac)
interface XXXX (gotten from the above command)
power inline never
power inline auto

1 Like

I found that & used it, though had issues with the BLF button labels not updating correctly when changes were made to templates. (Last time, I changed a BLF to “Ella” and the phone read “Ellala”. :man_shrugging: ) No idea why and there is no pattern I’ve been able to determine. Rebooting the phones fixes it, which is why I was looking for a way to trigger a full reboot from the PBX command line.

Excellent idea, though it has a few problems:

  1. Logging into up to 8 switches to identify every port that has an IP phone connected would be extremely labor intensive, more so than walking around and rebooting the phones manually.

  2. Removing power from a phone would disconnect the PC, where rebooting doesn’t seem to drop the connected PC.

  3. Possibly due to the level of access given us by the company that manages our switches, cutting power like this doesn’t work. I’ve tried it and have called them to do it - neither one rebooted the phone I was watching.

After digging into the javascript routines built into the phone, I figured out how to get this to work with the first option above - using curl from a command line without requiring REST to be enabled. (Never did figure out how to add an option to the basefile in the PBX…) It’s far from intuitive.

The csrf-token that is in the header of the index is why I was confused & a big part of the key to making this work - it needs to be passed along with the session id that’s set via a cookie. Weirdly, you not only need to pass it as a header in your https request, but also as a parameter in the address. Once this was done, the phone rebooted as you would expect & how I presume worked in older VVX firmwares. The Origin header must be set to ‘https://phoneip’ on all requests.

Detailed Procedure:

  1. Request /form-submit/auth.htm with the login credentials (‘Polycom:phonepwd’) in the header encoded in base64 with a POST. (If using perl, chomp() the returned value or it doesn’t work due to an end-of-line at the end of the encoded data.) Save the session cookie returned. The Referer header must be set to ‘https://phoneip/login.htm’ or this fails.
  2. Load /index.htm & scrape the csrf token from the header metadata. This only works as GET & the Referer needs to be the same as step 1.
  3. Request /form-submit/Reboot and pass the token from the index file in as a parameter named anti-csrf-token. You also need to set Anti-Csrf-Token as a header with the token in there as well. This must be done as a POST & Referer must be ‘Referer: https://phoneip/index.htm’.

Obviously, I wrote a script that does all this for me as the whole point of this is to make my job easier. :slight_smile: Made it to allow me to reboot by IP / extension / ‘all’, checks to verify the phone is registered with asterisk, makes sure it’s a Polycom VVX phone, confirms that the IP subnet matches what’s configured in the script options, and rate limits the reboots. I wanted to share the solution to rebooting Polycom phones under the 5.9.8.5760 firmware as nothing I found online worked in this (latest as of now) version. Hope this helps someone finding this thread in the future.
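The detailed procedure above, written out as an added example that is not the poster's script. The `Authorization: Basic` header, the `content="..."` attribute on the csrf-token meta tag, the `PHONE_PW` environment variable and the file name in the usage comment are assumptions, not details given in the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): the three-request reboot flow.
# Assumptions: "Authorization: Basic" carries the base64 credentials, the
# token sits in a content="..." attribute, the password comes from PHONE_PW.

# Read index.htm on stdin and print the csrf-token meta value.
extract_csrf_token() {
  sed -n 's/.*<meta name="csrf-token" content="\([^"]*\)".*/\1/p' | head -n 1
}

# The token is placed in the URL, so accept only URL-unreserved characters.
# An empty scrape or a literal "$token" (single-quote mistake) is rejected.
token_is_sane() {
  case "$1" in
    '' | *[!A-Za-z0-9._~-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Runs in a subshell so variables and the EXIT trap stay local to one call.
reboot_phone() (
  base="https://$1"
  [ -n "${PHONE_PW:-}" ] || { echo "PHONE_PW is not set" >&2; exit 1; }
  jar="$(mktemp)" || exit 1          # mktemp creates the file mode 0600
  trap 'rm -f "$jar"' EXIT           # do not leave the session cookie on disk
  # printf avoids a trailing newline inside the encoded credentials.
  auth="$(printf '%s' "Polycom:$PHONE_PW" | base64 | tr -d '\n')"

  # Step 1: log in; -c writes the session cookie to the jar.
  # curl validates the phone's certificate; add --cacert for a private CA.
  curl -sS -f -o /dev/null -c "$jar" -X POST \
    -H "Authorization: Basic $auth" \
    -H "Origin: $base" -H "Referer: $base/login.htm" \
    "$base/form-submit/auth.htm" || exit 1

  # Step 2: GET index.htm with the cookie (-b reads the jar), scrape the token.
  token="$(curl -sS -f -b "$jar" \
    -H "Origin: $base" -H "Referer: $base/login.htm" \
    "$base/index.htm" | extract_csrf_token)"
  token_is_sane "$token" || { echo "no usable csrf token from $1" >&2; exit 1; }

  # Step 3: POST the reboot with the token as header and as URL parameter.
  # Double quotes matter here: single quotes would send the variable name.
  curl -sS -f -o /dev/null -b "$jar" -X POST \
    -H "Anti-Csrf-Token: $token" \
    -H "Origin: $base" -H "Referer: $base/index.htm" \
    "$base/form-submit/Reboot?anti-csrf-token=$token"
)

# Usage (hypothetical file name): PHONE_PW=... ./reboot-vvx.sh 192.0.2.10
if [ "$#" -eq 1 ]; then reboot_phone "$1"; fi
```

Reading the password from the environment keeps it out of the process list, and the cookie jar is removed when the call finishes.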

I’m not understanding your reply to me. I gave you a command to run from the shell that will reboot the phone. But enjoy curl I guess?

#3 is the #1 reason the IT department I run does NOT outsource administration of our ethernet switches. I outsource management of the PBX we use - although I have one of our staff work very closely with the outsourcer even though that staffer is not at the higher level the outsourcer is - but the PBX can be sort of encapsulated. We even outsource our EHR - but as the saying goes, they will have to pry management of our core network infrastructure out of my cold, dead, fingers. That’s switches, wifi AP’s, routers, WAN…everything. That is core to what an IT department does IMHO. An IT department’s job is NOT to run around training users how to use applications, if you want that then hire a training company or send the users to the local community college.

#2 is the #1 reason on our newer sites I’ve always insisted on separate network drops for the phones. I absolutely DO get it - our older sites have dual Ethernet/digital phone cabling infrastructure, so we are forced to plug the PC’s into the PC port of the phone - and, also, they have mini-hubs galore - but I put a stop to that crap years ago. Nowadays with our new sites EVERY switch -even the 8 port ones - are fully manageable. Used 8 port Catalysts are fairly cheap on Ebay and you DON’T need to trunk them into your core switch either just disable spanning tree on them. But I do get that it’s hard, because years ago people that designed ethernet cabling plants had their heads up their asses on this issue.

Just some things for your CIO to think about. Or IT Director or whatever. Or, you - if you ever climb the ladder into one of those management positions. Believe it or not, IT folks are just as motivated by pay as anyone else, and I’ve had no problem dangling the dollars in front of rank amateur greenhorn IT people and telling them to hit the books if they want some of the moola. It really saves a TON of money on outsourcing, and it’s always cheaper to pay your own people over paying outsourcers. And frankly, your people would rather work in a fun environment where all their friends are, doing cool advanced stuff, with good bennies and PTO, for less money than a hired gun environment where they get shot into frustrating situations every day doing cool advanced stuff for more money but are pushed to maximize billable hours. I realize that’s contrary to a lot of the prevailing approach in IT where IT managers seem to be told that IT staff have no loyalty and everything is better in the Cloud - but I think the prevailing approach is self-defeating and creates the problems it claims are endemic.

But setting all that aside, as far as #1 is concerned, this is what they invented scripting for. But honestly, this is something that is so easy to do that I do it by hand (since I don’t do it a lot) All I do is:

pjsip show endpoints
arp -a (if endpoint is on same subnet as PBX), otherwise show route | grep first 3 octets then login to router that points to)
at router look at arp table to get endpoint mac (show ip arp | include IP addr, or something)
show mac address | include mac to get port MAC is on
login to switch on that port (if mac is dynamic) and repeat show mac address
recursively continue doing that until you get to the switch the MAC is static
show cdp also helps to get the dns name of the target switch

there you have it. My network is pretty flat the maximum I have to hit is about 3 switches from the router until I get to the port with the MAC I’m looking for. And I have about 30 switches in service.

IMHO, if you asked your outsourcer to do this - and they couldn’t get the PoE phone to power-cycle - they are either complete incompetents, or you have inferior switches that don’t have the capability and thus don’t belong in a larger enterprise.

1 Like

I’m sorry I was not clear.

From my experience, calling polycom-chk-config from within asterisk doesn’t actually do a full reboot of the phone, only has asterisk tell the phone to update its configuration from the server. I believe this is what the system does when updating a template and choosing the ‘Rebuild & Apply’ option.

Apparently there is some kind of intermittent problem when doing this. Using the asterisk command to update the phones BLF field descriptions when people changed would randomly cause display problems after updating templates. The last time I updated a template, “Ellala” was displayed instead of “Ella” on the phones using a template I had changed.

There was no way to know that this happened without walking around and looking at phones or getting a call from a user. The templates were right. Most templates I changed to be ‘Ella’ reflected properly on the phone’s BLF button label, but phones using one template showed ‘Ellala’. The previous person’s name had no ‘la’ in it, so it wasn’t a holdover from them. Having asterisk tell the phones to update their config did nothing. Updating & applying the template again was ineffective. Rebooting the phones from either the web GUI or the phone itself fixed it. I’ve no clue what caused it or was able to identify any pattern to either how it would corrupt the button description or when it would do it.

This is why I continued hunting for another way to reboot them. (I really have no particular preference in using one tool over another, just needed one that works.) You mentioned having “the appropriate notification entry in your sip config files” - maybe I don’t have the proper config?? :man_shrugging: Cannot say without more details, but focused in on using curl (as I’d found several references to using it online that worked with older firmware, plus it’s been a good tool for me to automate mindless tasks to feed data to web servers in the past) and powered my way through the goofy requirements Polycom introduced sometime before the 5.9.8.5760 firmware & now have a functional script. :slight_smile: (I actually figured it out several days before your original post and just now have had time to circle back to update this thread with all the details of the solution I found.)

What you might possibly consider doing (I know, this will sound like heresy) is contact your HP dealer and buy ONE new Polycom phone similar to the ones you have, and then purchase a service contract on it from HP, and then file this as a bug with HP, since the SIP notification telling the phone to reread the config really SHOULD work properly. If It didn’t work at ALL then I’d say Poly just didn’t implement it and that would be a waste of time - the fact that they did implement it means that someone in Poly wanted it to work.

It might take you 6 months to a year to get them to a) acknowledge the bug b) fix it, but it might prove satisfying to stick a sharp object up their behinds from time to time reminding them about the unfixed bug you filed…lol

And by the way - post the script you wrote as others no doubt have run into this before! :slight_smile:

Loooooool! My network engineer says even with the dead cold fingers, they would need a saw to chop the individual fingers

How does this play with HIPAA?

First off, thank you for such a detailed response! :slight_smile:

Frankly, it was not my call to outsource our switches. Our corporate structure is rather unique & the decision was out of my hands. The phones were going to be outsourced as well, but the massive cost increase upset local management… when I suggested that I might be able to do our phones and so have been stuck with it since. :laughing:

My job includes just about everything. Literally everything. Power goes out, I’m called to find the tripped breaker or contact the power company. Someone runs out of toner, chances are better than average that they’re going to come tell me about it instead of changing it themselves. A PC is running slow because the user has 65 programs open after being told a dozen times to close stuff she isn’t using? CLEARLY this is my fault. Designing & coding new programs? Yep. (This is honestly the fun part of my job. :slight_smile: ) Someone moved their computer and put a divot in the drywall? Guess who… :man_facepalming: Putting office chairs together, fixing desks, troubleshooting electrical problems, fixing the stupid coffee machines, building cabinets / suggestion boxes / stands, etc, etc, etc… I do the job of about 7 or 8 different IT people, plus part of a maintenance person. I have been offered the role of IT director in the past, but turned it down - you’re going to chuckle at this, but the money just wasn’t worth it. :rofl: At least it keeps my job interesting as I’m always doing different stuff. :joy:

I considered scripting the port lookup - I already wrote a program years ago that extracts a ton of information that’d be needed from our cisco switches & creates a series of web pages from it, essentially making a GUI for our switches - but with the switch port power cycling not doing anything, focused my attention elsewhere. (And I couldn’t agree more - not happy with the company managing our switches. Guy at their NOC told me that the phone was off and refused to believe me when I told him that I was looking right at it and it was on. His getting a response when I told him to ping it didn’t mean anything… Just :man_facepalming: to the nth degree…)

This is the wrong command. This will only tell the phone to pull the config and check it. If it is different then the phone reboots to load the changes.

The downside here is the last time I checked the polycom-reboot command just does the same thing as the polycom-check-cfg, it only sends a Sync event but lacks the Reboot event, meaning unless the config file has actually changed the phone just resyncs without rebooting.

@RealRuler2112 You could modify sip_notify.conf (or pjsip_notify.conf) and make this change:

[polycom-reboot]
Event=>check-sync

to

[polycom-reboot]
Event=>check-sync\;Reboot=true

Do module reload res_pjsip.so from the Asterisk CLI then do pjsip send notify polycom-reboot endpoint 1234

That should force a reboot on the phone.

2 Likes

That’s interesting @BlazeStudios… any idea why would they not have a reboot event actually reboot the phone? Seems counter-intuitive to me…

I appreciate the information and am going to keep it in my file of tricks in case something changes in the future, but at this point it really is too easy to make the template changes, run ‘rebootphone all &’, disconnect, and go to bed. :laughing:

I plan on publishing the script somewhere once I get some time to clean it up and remove my specific site information @tmittelstaedt. Giving HP money just so I can fight with their support people really isn’t something I’m interested in, especially when it might happen once every other time I update 15 templates & I already have a workaround. :laughing:

Why isn’t this added by default in FreePBX? Every instance I’ve used always leaves out the Reboot=true

That notify context is not added to reboot the phone, it’s added to get the phone to grab its new configuration. A reboot is not always required to do so.

The outsourcer pays for a private line from their server farm to us. (well, technically WE pay for it, LOL) Since it’s their line, their code their servers, the lawyers and government wonks gave us both some papers to sign and poof - they are now on the hook for any data breaches and we are not.

You don’t even want to guess what the monthly per user is.

I do appreciate all this as I have a number of Polys in my stable…I might even use some in production…

That’s not true. There’s two notify options, polycom-check-cfg which is meant to sync the phone, the polycom-reboot is for rebooting the phone. Pretty much all the other brands, except for Yealink that always sends a reboot event, have two notify options. One for syncing and one for reboot. The polycom-reboot is the only reboot option that lacks the Reboot event.