Remote phone not registering


(Mark Sprague) #1

I have an s505 and a s705 I’m trying to set up for remote users. I am not in the office but have been able to get them to provision, connect to the VPN running on the freepbx box, download the firmware, background image, etc. I just can not get the accounts to register. I am having the hardest time. I’ve packet captured and can not figure out why it’s getting rejected. It is listing the sip server as .1 of the subnet of the VPN. Obviously the pbx is not .1 of the VPN subnet, it is on a different subnet and is .250. I would assume that freepbx is somehow doing a redirect internally?

Has anyone run into this before? I can post more specific settings if needed.


(Ricardo) #2

“ sip server as .1 of the subnet of the VPN. Obviously the pbx is not .1 of the VPN subnet, it is on a different subnet and is .250”

It sounds very strange, remote devices can get provisioning from FreePBX, but couldn’t get registration.

Is correct registering server address on provisioning template? Have you try with manual configuration on one of remote devices?

Is hard to said what exactly could be causes.


(Defcomllc) #3

I literally just went through setup and testing of a FreePBX and PBXact systems built in VPN to connect S705’s remotely here in this thread. May have info you are missing or need. I have them setup and working great in multiple locations right now.:


(Defcomllc) #4

After some really good input in my thread linked above, it was a Firewall/Responsive Firewall issue. The EASIEST way to do this we found is to register and provision the phone onsite within the local LAN as a normal phone that way it registers 1 time locally. Then, switch on VPN and take it offsite and your g2g. Otherwise you will need to whitelist IP’s for initial registration if doing everything 100% remotely…

Every time my client needs another remote VPN phone, I have them grab another S705 brand new out of the box and plug it into the Cat6 cable I have hanging and labeled in the server room and tell them Ill let them know when its ready to take offsite. I then VPN into my clients site, open the FreePBX/PBXact webgui, setup the extension, push the registration and let it provision via EPM locally. Once thats all done and its working onsite, I turn on VPN for that phone, change the template in EPM to my Remote Sangoma template and push the new config to the phone. It grabs the new config and now says VPN Activated and I can see it within VPN. Tell client they can take it anywhere they want now and use it…


(Lorne Gaetz) #5

If you are using the built in VPN client in the phones, and you are using the VPN server configured in System Admin, then you probably have a config that looks like this:

image

The subnet in the above case is 10.8.0.0/24 and that means the PBX VPN IP is 10.8.0.1, which you can see from the command line for the tunnel interface:

# ifconfig

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1

Once the phone is on the VPN, it will get a VPN IP in the range 10.8.0.x, and it will be configured to register to 10.8.0.1.


(Mark Sprague) #6

lgaetz, that is exactly what I am doing/getting. Do I really have to take these phones onsite for them to register as defcomllc stated?

I would think once the VPN is connected it should be able to communicate with the sip server to register. Its getting its config from EPM and if I change the background logo it changes so its communicating. It also says VPN active and I see it connected. Is this still possibly a firewall issue?

I tried manually setting the sip server to the LAN IP of .250 in the s705 and still nothing.

defcomllc, still reading through your linked thread.


(Defcomllc) #7

I did not say you HAVE to take them onsite to get them registered. I said that has been the quickest/easiest process before deploying them into the field. You can do them all 100% remotely, but you must white list the WAN IP at the remote site the phone is trying to register from…

Did you create a separate remote template for these remote phones in EPM that has the external address selected? Did you try turning firewall off to see if everything works to eliminate that as the cause?


#8

Something is strange here. If the VPN connection is working, e.g. from the PBX you can ping the phone at 10.8.0.x, then the phone should register to 10.8.0.1 . If this is failing, does anything appear in the Asterisk log when it attempts to register? If not, does anything appear in sngrep?


(Mark Sprague) #9

@defcomllc why should you have to white list the WAN IP of the remote site? Isn’t that the purpose of the VPN? If I can get the config file by having port 1443 open to the world and can download and provision the phone: it gets the VPN settings/credentials/cert and reboots connected to the VPN and tries to registered to the local IP, the WAN IP of the remote doesn’t(or I should say shouldn’t) come into play. I have factory defaulted several times and every time it does this process. Whitelisting the public IP shouldn’t matter as its trying to connect on a local IP via the VPN not the WAN IP of PBX. Am I missing something here or thinking about this wrong? BUT just to try it I did forward port 5060 from my office IP to the PBX and still nothing.

I did create an external template in EPM. I am not running the firewall on the PBX as it is behind a firewall, I could DMZ it quick and try it.

@Stewart1 I will check the logs and sngrep this evening when I get some free time.


(Defcomllc) #10

If you’re getting the config file then it shouldn’t matter. The problem for me setting up remote VPN s705 was using EPM with one touch provisioning to GET the config file in the first place from the remote site. It would not since the phone had never registered 1x so I had to white list the IP or register 1x on-site before deploying. This is all discussed and spelled out in my thread.

If you already got the remote phone to register, grab the config and your phone says VPN Activated then you have a completely different issue…


(Mark Sprague) #11

@Stewart1: Attached is the log file: I did set the VPN range to be 192.168.40.X

[2021-06-16 18:07:39] NOTICE[12552] acl.c: SIP Peer ACL: Rejecting ‘192.168.40.2’ due to a failure to pass ACL ‘(BASELINE)’
[2021-06-16 18:07:39] NOTICE[12552] chan_sip.c: Registration from ‘“Mark-200” sip:200@192.168.40.1:5060’ failed for ‘192.168.40.2:5060’ - Device does not match ACL
[2021-06-16 18:07:40] NOTICE[12552] acl.c: SIP Peer ACL: Rejecting ‘192.168.40.2’ due to a failure to pass ACL ‘(BASELINE)’
[2021-06-16 18:07:40] NOTICE[12552] chan_sip.c: Registration from ‘“Mark-200” sip:200@192.168.40.1:5060’ failed for ‘192.168.40.2:5060’ - Device does not match ACL

I looked up the ACL issue and it appears that there was nothing set in the extension advance settings under the permit IP’s. I added 0.0.0.0/0.0.0.0 as to what I found in another thread and it seems to have “fixed” this issue as the phone boots and momentarily registers but then the phone freezes and reboots with tiny text. It is stuck in this cycle.


#12

The ACL anomaly seems strange; for a long time the default Permit setting has been 0.0.0.0/0.0.0.0 – if you create a new extension, what shows in this field?

Why is this a chan_sip extension?

I know nothing about these phones, but they have a syslog feature and with luck that will show why they are freezing / crashing. See
https://wiki.freepbx.org/pages/viewpage.action?pageId=63668582
Do both the S505 and S705 fail the same way?
Confirm that the phones are loading current firmware.

Other options:

Try setting it up as a pjsip extension.

Try setting up a softphone on the extension (temporarily shutting down the S505) and see whether it behaves properly.

Try a simple configuration (no BLFs, no programmable keys, only one line button, etc.) If that works ok, add back the features until you find the one causing trouble.


(Mark Sprague) #13

@Stewart1 If I make a new pjsip there are not Permit/deny settings that I see. If I create a new chan_sip it is both 0.0.0.0/0.0.0.0.

I’m slowly working on the rest in between other projects. I don’t physically have the s505 in my hands, it was working 3 weeks ago and stopped. I have been remoting into the clients work computer at home to get into the phone. The S705 is a spare phone I have in my office I’ve defaulted and am testing with. I have narrowed the small text down to when I hit reboot from the web config. If I unplug and plug it back in, all is normal. I couldn’t find anything in the logs on this.

Update as I never posted this over the weekend apparently:
So I seem to have figured it out. Sometimes it will get a DHCP VPN IP, others I will have to assign on. Then it will get the configuration assigned to it but won’t registered, if I change the template(to a duplicated one) and reboot the phone or login and auto provision it, it will get the new updated config and connect, I can then change back the template and push it from EPM and all is still good. But for some reason it will not do all this in 1 set from a factory default state, have tried many of times after I got my s705 working and would default it.


(system) closed #14

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.