Using (purchased) Endpoint Manager blocks remote network - manual provision works fine

Hello,
We are noticing an issue with a few of our FreePBX systems. Responsive firewall is enabled on the latest version of SNG7. Remote phones are behind a NATing router, and its WAN IP address is added as “trusted” in the firewall and also in intrusion detection. SIP ALG is disabled. The phone won’t register when it is set up in EPM, but if I factory default the phone and manually enter the SIP password, it works fine. The phones are remote to the PBX. This happens when there might have been a ban that Fail2Ban then cleared. Phones have been provisioned via EPM and WORKED from the same network before. One phone previously provisioned with EPM will work, the others not. It’s only when they are provisioned with EPM. I can always get them to work when manually registering. Anyone else seeing this? Thanks!

Responsive Firewall only allows SIP (or IAX) registration attempts from untrusted hosts, not provisioning. Once a phone successfully registers as a SIP peer, then and only then, other services are opened up to that IP by Responsive. Phones can only be provisioned from IPs that are marked as trusted, or from IPs where a peer has successfully registered.


Thank you for the reply. In this case, the WAN IP was trusted. 5 phones were taken to site that were previously provisioned with (purchased) EPM, and they worked while onsite. Someone was trying to get a smartphone registered on WiFi there and got the WAN IP banned, even though it was already in ID and trusted in the firewall. Unbanned it. Then all but one phone failed to register. Tried over and over, factory defaulted one phone, and it would not provision with tftp (udp 69) or http (tcp 83) with EPM. Manually entered the SIP ext and password, and it registered. I did the rest of the phones (3) the same way. They would not register having been provisioned with EPM, but a factory default and manual entry let them register. We have seen this before, but it was always because the WAN IP was not trusted. This time, it was.

Shot in the dark here, is your EPM template that is used for the outside phones set to external?

Yes, it is.

Did you open on your Router/Firewall the ports needed for provisioning?
We use http, so we have TCP 83 open on our firewall, and our phones provision just fine when using http://ipaddress:83

The required ports are open.
Another, different but related situation follows.
All remote phones are provisioned with EPM and working fine for days. The WAN IP address is in Intrusion Detection and also in the trusted zone in the firewall. Then the carrier’s dynamic IP address cycles and the WAN IP address where the phones are changes. Bam, the IP is banned in F2B and all phones are unregistered. Not until the new WAN IP address is added to the trusted zone in the firewall and in ID can the phones register again.
I think there is some relationship between EPM and the security mechanisms that are causing the phones to not register. To my knowledge at this time, phones not provisioned with EPM do not behave this way. One IP was even banned on another system when it was already in the F2B whitelist.

I have encountered this many times… this makes sense to me now. It’s by design. 🙂 I never knew that.


If you know how to use wireshark, what do you see?
Also, what do you see in the tftp logs?

Guys, EPM has nothing to do with this. You’re chasing a ghost blaming EPM. EPM just gives the phone a config file. Nothing more.

You’re getting banned because your IP is changing, as you just stated. So the IP is no longer whitelisted, so it gets blocked.


I’m not pointing fingers at EPM, rather something is wrong with his firewall or firewalls… tftp logs would tell him if the phone is even trying to connect…

This is the event set for which the Responsive Firewall was created. It sounds like you need to review your RF settings.

It’s also possible that you need to set up UCP so that these external phones can be more effectively managed through the Firewall Interaction with UCP.

The responsive firewall works by watching for, and limiting/blocking SIP packets from un-trusted IPs. From the point of view of iptables, a flood of legitimate SIP registration requests is identical to a flood of malicious SIP registration attempts. When the dynamic IP changes at a site with many devices, the re-registration flood would be flagged by responsive as an attack, and block the IP. Responsive is more suitable for a site with a small number of devices.

If a fixed IP is not a possibility, set up a DDNS client at the remote site and whitelist the FQDN, this will eliminate Responsive from the picture.

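To make the two mechanisms discussed above concrete (Responsive Firewall lets untrusted IPs attempt SIP but opens provisioning only after registration, and a burst of legitimate re-registrations from one NAT address after a WAN IP change is indistinguishable from an attack), here is a small simulation. This is example code written for this page, not FreePBX or Responsive Firewall code; the attempt threshold, time window, addresses and DDNS hostname are assumptions, and the resolver is a constructed dict so it runs offline.

```python
"""Toy model of Responsive Firewall decisions (added example, not FreePBX code).

Modelled from the thread:
  * trusted IPs (static or re-resolved from a DDNS name) are allowed everything;
  * an untrusted IP may attempt SIP; once registered, other services
    (tftp/69, http/83 provisioning) open to that IP only;
  * SIP attempts are counted per source IP, so N phones behind one NAT
    re-registering after a WAN IP change look like a single attacker.
Threshold, window, addresses and hostnames are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SIP_PORTS = {5060, 5061}        # registration attempts are let through to be judged
PROVISIONING_PORTS = {69, 83}   # tftp and http provisioning ports named in the thread


@dataclass
class ResponsiveFirewall:
    trusted: list = field(default_factory=list)        # static ip_network entries
    trusted_hosts: list = field(default_factory=list)  # DDNS names for refresh_trusted()
    max_attempts: int = 10                             # assumed SIP attempts per window
    window: float = 60.0                               # assumed window, seconds
    ddns_trusted: set = field(default_factory=set)
    registered: set = field(default_factory=set)
    banned: set = field(default_factory=set)
    attempts: dict = field(default_factory=lambda: defaultdict(deque))

    def refresh_trusted(self, resolver):
        """Re-resolve trusted_hosts; resolver is an injected dict so this runs offline."""
        self.ddns_trusted = {ip_address(resolver[h]) for h in self.trusted_hosts}

    def is_trusted(self, ip):
        a = ip_address(ip)
        return a in self.ddns_trusted or any(a in n for n in self.trusted)

    def decide(self, ip, port, now):
        """Return ALLOW, DROP or BAN for one packet from ip to port at time now."""
        if self.is_trusted(ip):
            return "ALLOW"                  # trusted zone bypasses Responsive entirely
        if ip in self.banned:
            return "DROP"
        if port in SIP_PORTS:
            q = self.attempts[ip]
            q.append(now)
            while q and now - q[0] > self.window:
                q.popleft()                 # forget attempts outside the window
            if len(q) > self.max_attempts:
                self.banned.add(ip)         # legitimate or not, the burst looks the same
                self.registered.discard(ip)
                return "BAN"
            self.registered.add(ip)         # REGISTER accepted (credentials assumed valid)
            return "ALLOW"
        # Non-SIP service such as provisioning: only for IPs that have registered
        return "ALLOW" if ip in self.registered else "DROP"


def single_phone_scenario(ip="198.51.100.5"):
    """One untrusted phone: provisioning is refused until the phone has registered."""
    fw = ResponsiveFirewall()
    prov_first = fw.decide(ip, 83, 0.0)     # not trusted, not registered -> DROP
    reg = fw.decide(ip, 5060, 1.0)          # SIP attempt is allowed and succeeds
    prov_after = fw.decide(ip, 83, 2.0)     # now registered -> provisioning opens
    return prov_first, reg, prov_after


def wan_ip_change_scenario(phones=5, old_ip="203.0.113.10", new_ip="203.0.113.77"):
    """Trusted static WAN IP rotates; five phones each retry REGISTER three times."""
    fw = ResponsiveFirewall(trusted=[ip_network(old_ip + "/32")])
    before = [fw.decide(old_ip, 83, 0.0), fw.decide(old_ip, 5060, 0.0)]
    results, t = [], 100.0
    for _retry in range(3):
        for _phone in range(phones):
            results.append(fw.decide(new_ip, 5060, t))
            t += 0.1
    prov = fw.decide(new_ip, 83, t)         # provisioning from the banned new IP
    return before, results, prov


def ddns_scenario(phones=5, old_ip="203.0.113.10", new_ip="203.0.113.77"):
    """Trust a DDNS name instead: re-resolving it keeps the new WAN IP trusted."""
    dns = {"site1.ddns.example": old_ip}    # constructed resolver; hostname is hypothetical
    fw = ResponsiveFirewall(trusted_hosts=list(dns))
    fw.refresh_trusted(dns)
    dns["site1.ddns.example"] = new_ip      # carrier rotates the WAN address
    fw.refresh_trusted(dns)                 # DDNS client has updated; trust follows it
    return [fw.decide(new_ip, 5060, 100.0 + 0.1 * i) for i in range(3 * phones)]


if __name__ == "__main__":
    print("single phone:", single_phone_scenario())
    print("WAN IP change:", wan_ip_change_scenario())
    print("DDNS whitelist:", ddns_scenario())
```

Run it as a script to see the three outcomes side by side: the lone phone is refused provisioning until it registers, the rotated static-IP site gets banned on the 11th REGISTER and is then refused provisioning as well, and the DDNS-trusted site sails through the same burst because its trust entry followed the new address.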

This may or may not be related, but we have a client with a half-dozen remote phones. Yesterday two of them unregistered and would not re-register. The GUI on them (an S705 and an SPA 514g) said “Registration Failed”.

Updated system to 10.13.66-22 (from -20), rebooted, removed from EPM Pro and re-added, reset phones to default, all to no avail. The other four phones were fine.

Finally changed their config from the remote config using the public IP of the system to the internal IP that routes over the VPN and they registered without issue.

We did not identify the cause of the problem; it was a busy day and we just needed them back up ASAP.

Edit to add: We have the firewall off because it was causing GUI access issues.
