S705 Won't Remote Provision

Ok, so I set up a new client yesterday with PBXact and all S705s. Port 84 is port forwarded along with the normal PJSIP UDP and TCP ports and RTP ports to the PBXact static LAN IP. Phones were claimed by MAC in Sangoma Portal and Redirect settings are properly set up.

Extensions all setup and EPM is being used. In Extension Mapping MAC entered and extension selected.

PBXact and all phones via VLAN are all using a dedicated VOIP VLAN (192.168.15.0/24). Within Untangle NG this entire VLAN is bypassed.

When plugging in phones yesterday internally, auto provision worked great. All phones on the local VOIP VLAN in the office provisioned and work great.

Now, I have a remote phone I'm trying to set up (another S705). Port 84 is forwarded to PBXact, phone is added and claimed in Sangoma Portal just like all the internal phones… Redirect settings are exactly the same, which is our FQDN and the username and password from SysAdmin-Provisioning protocols… Phone is set up with an extension and extension mapping within EPM with MAC.

I have full remote access to the office both PBXact Admin interface and Untangle NG.

When I plug the phone in here at the remote site, it boots up, grabs an IP, says retrieving redirect (watching sessions in Untangle NG, I see port 84 pop up when the phone says retrieving redirect config) and NG says it was forwarded 84 to my PBXact static LAN IP.

The weird part is Asterisk Full Log shows nothing. It doesn't show any connection attempt. I was puzzled as I've done this before with success, so I tried adding it to a second system (a FreePBX system). I just updated the redirect settings in the Portal for that MAC/Phone and got the same result.

Any help here on what the heck is going on?

Does the remote site have the same VLAN setup as the main site?

No, the remote site is just a standard internet-connected router to the outside world. When I plug this phone into the remote site internet, and the screen says redirect retrieving config, I see the main site NG Firewall Sessions log port 84 pop up with Source IP the WAN of the remote site router and it says forwarded to PBXact LAN IP… So redirect service is working…

Then, based on what you posted, it is pulling a config with a VLAN that this site does not have. So nothing is connecting.

You need a separate template in EPM with a non VLAN config.

No, that's not the case, and I didn't give you all the info so I understand why you are saying that.

VLAN is not configured anywhere in PBXact. Nothing is configured VLAN wise in EPM or PBXact. VLAN tagging takes place on the switch ports.

So VOIP VLAN 15 (192.168.15.0/24) is configured as an interface in Untangle. The ports on the 48-port PoE LAN switches that IP phones are plugged into are tagged with VLAN 15, so those internal phones are handed DHCP addresses within the VOIP VLAN. PBXact's LAN IP is statically set to 192.168.15.2…

Weird thing is the phone says Retrieving Config (displays Sangoma redirect URL), then says Retrieving background image, retrieving ringtones, checking firmware, then it just loads to the default Sangoma screen with no config… During all this I see the connection coming into NG Sessions on port 84 and it says forwarded to 192.168.15.2 PBXact Server IP. I don't understand why nothing shows in the Asterisk Full log…

Check the http log on PBXact for the incoming connection. Make sure you are seeing the incoming connection there.

tail -f /var/log/httpd/access_log

Make sure you see it get the 200 OK response. (Yealink example here)
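As an added example (not from the original thread), here is a small POSIX shell helper that reads an Apache access_log in the default combined format and gives a one-word verdict for a given phone's public IP: whether config requests reached Apache at all, whether they were rejected with 401/403 (wrong provisioning credentials), returned 404 (no config for that MAC), hit a 5xx, or succeeded. The log lines, IP addresses, MACs and the `cfg<MAC>.xml` request paths are constructed sample data, and the path pattern is an assumption; adjust the regex to match what your phones actually request.

```sh
#!/bin/sh
# Added example: classify a phone's provisioning attempt from an Apache access_log.
# Assumes the standard "combined" log format, where field 1 is the client IP,
# field 7 the request path and field 9 the HTTP status code.

# provision_status LOGFILE CLIENT_IP
# Prints exactly one of:
#   NO_REQUESTS   nothing from CLIENT_IP reached Apache at all (look at the
#                 firewall / intrusion detection, not at Apache or Asterisk)
#   AUTH_FAILED   config requests arrived but got 401/403 (check the
#                 provisioning username/password in the redirect settings)
#   NOT_FOUND     config requests got 404 (MAC not mapped / file not built)
#   SERVER_ERROR  config requests got a 5xx response
#   OK            at least one config request returned 200
provision_status() {
    awk -v ip="$2" '
        # Only count requests for config files; the .xml/.cfg pattern is an
        # assumption about what the phones ask for.
        $1 == ip && $7 ~ /\.(xml|cfg)$/ {
            seen = 1
            if ($9 == 200) ok = 1
            else if ($9 == 401 || $9 == 403) auth = 1
            else if ($9 == 404) missing = 1
            else if ($9 >= 500) err = 1
        }
        END {
            if (!seen)        print "NO_REQUESTS"
            else if (ok)      print "OK"
            else if (auth)    print "AUTH_FAILED"
            else if (err)     print "SERVER_ERROR"
            else if (missing) print "NOT_FOUND"
            else              print "NO_REQUESTS"
        }' "$1"
}

# Constructed sample log (not real traffic). Four remote sites:
#   203.0.113.7   first request rejected, then succeeds       -> OK
#   198.51.100.9  only 401 responses                          -> AUTH_FAILED
#   203.0.113.80  phone reaches Apache but MAC is not mapped  -> NOT_FOUND
#   192.0.2.44    never appears: dropped before reaching Apache -> NO_REQUESTS
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2019:10:01:02 -0500] "GET /cfg001122334455.xml HTTP/1.1" 401 381 "-" "SangomaPhone"
203.0.113.7 - prov [10/Oct/2019:10:01:03 -0500] "GET /cfg001122334455.xml HTTP/1.1" 200 9120 "-" "SangomaPhone"
198.51.100.9 - - [10/Oct/2019:10:05:10 -0500] "GET /cfg001122aabbcc.xml HTTP/1.1" 401 381 "-" "SangomaPhone"
198.51.100.9 - - [10/Oct/2019:10:05:11 -0500] "GET /cfg001122aabbcc.xml HTTP/1.1" 401 381 "-" "SangomaPhone"
203.0.113.80 - prov [10/Oct/2019:10:09:30 -0500] "GET /cfg0011229999ff.xml HTTP/1.1" 404 196 "-" "SangomaPhone"
192.0.2.50 - - [10/Oct/2019:10:12:00 -0500] "GET /admin/config.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
EOF

# Stand-alone usage: one verdict per remote site.
for ip in 203.0.113.7 198.51.100.9 203.0.113.80 192.0.2.44; do
    printf '%-14s %s\n' "$ip" "$(provision_status "$SAMPLE_LOG" "$ip")"
done
```

On a live system, point it at `/var/log/httpd/access_log` and the remote site's WAN IP. A `NO_REQUESTS` verdict while the upstream firewall shows port 84 being forwarded is the signature of the situation in this thread: the packets are being dropped on the PBX itself before Apache ever logs them.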

Well, I just found the culprit. It's PBXact Firewall or Intrusion Detection. I just turned them both off to see if they were causing it, then plugged the phone back in at the remote site. Sure enough it pulled the PBXact server LAN IP and provisioned. It's all set up and working…

So now why is the PBXact firewall blocking? I thought the whole point of the Firewall/Responsive/Intrusion was to allow remote connections through that properly authenticated??? Responsive firewall worked in the past, letting remote endpoints through.

But you had a new device that had no prior auth and then a bunch of failed connections to get a config.

Nothing was reporting as banned or blocked. I checked there multiple times during all this…

Now that you have a single registered device at that address, you will not have a problem with the next one.

Edit: assuming you have the intrusion detection sync enabled to registered endpoints.

I'm going to turn the Firewall and Intrusion Detection back on one at a time and see if all plays nice still…

Responsive allows SIP registrations from source IPs that are not whitelisted, not full access to all services. Once a device successfully registers to Asterisk, then the source IP is opened up for other services (UCP, provisioning, phone apps). So you have a chicken-egg situation on a new unprovisioned phone. You can’t provision without registration, and you can’t register without provisioning, which is why the very first time a phone provisions, it must do so from a zone specifically allowed by the provisioning service. After that it will work as expected, unless something changes to block the sip registration.


So is the best practice here in this situation to plug the phone into the local LAN at the main site, let it provision and register then take it to the remote site to prevent this in the future?

No, the best thing is to put the remote site in the network section of the firewall until you have a device programmed.

I spoke too soon. After the phone pulled the config and rebooted, it then showed the correct PBXact IP during boot-up the second time, then loaded to the main screen and showed the correct extension, but I have a red line over the 3 LINES and it won't make calls… It also failed to pull in the background image. So it obviously communicated with PBXact, pulled a config and the correct extension, but the 3 LINES show a black phone with a red line through it and any number I dial, including *43 or *97, is just dead. No ringing…

Additionally, this is all I keep seeing every 8 minutes in Asterisk Logs > Full

And I did temporarily add the remote site WAN IP as Firewall Trusted

Also, I have Intrusion Detection Firewall SYNC enabled and just noticed that IPs I've added to the Network tab as Trusted are not syncing or showing in the Intrusion Detection whitelist, and I don't see any way to add/whitelist IPs manually with Sync enabled???

Maybe the portal being down has something to do with me pulling my hair out with all this…

status.sangoma.com says portal is not down, but it sure is down for me. It's not me, every other website is working… @lgaetz is portal down??