All Extensions Unavailable after installing USG Gateway and changing subnet


#8

You need to run a capture from each side, UCM and phone.

Quick thought: with only 5 phones, why even use VLAN and complicate everything? You may have routing issues somewhere.


#9

It’s not a VLAN. It’s a separate LAN altogether. I think they wanted it this way because they have other offices which would potentially connect up later in the year. I don’t ask why; they are the client, LOL.


#10

So I have to log into the UCM and enable packet capture? and then login to the phone and enable it too? as in two separate sessions?


#11

Yes but they run at the same time, then you go into ZeroConfig and click Update on the phone you’re pcap-ing on. After that, you end the pcap on both and download the files.

On the phone you need to keep the page opened to end it.

On the UCM, I don’t remember exactly.


#12

It is not a firewall issue for the phones. So, you changed the UCM IP, then set the external host and changed the local subnet to reflect the new in the NAT settings? Did you do the same in the Zero-Config settings by adding/changing the whitelist? In fail 2 ban did you whitelist the new subnet and did you check and remove any valid IPs that may have found their way into the list?

How many phones?


#13

5 phones


#14

So, I took a look at your pcaps. It really seems like a networking issue. Please do what @lpneblett said above, then see whether it still doesn’t work (I don’t think ZeroConfig would give “Destination not reachable” in a pcap; it would just return a 403 Forbidden or similar).

If I understood the network correctly, the gateway (10.10.10.1) cannot find the subnet 192.168.1.0/24 but that subnet can find your 10.10.10.0/24. Those may not even be your correct subnets.

See below:

You can also try to connect a PC to the same network as the phone and ping the UCM. If you get a reply, the issue is not in the network.


#15

I think I may have confused things with my limited knowledge. I’ll try and be clearer:

There is one USG controller (router), which handles all DHCP. It has LAN 1 and LAN 2 (and WAN).

LAN 1 has been set up on 192.168.1.1 (DHCP pool starts from 192.168.1.6)
LAN 2 has been set up on 10.10.10.1. (DHCP pool starts from 10.10.10.6)

LAN 1 and LAN 2 “CAN” (at the moment) communicate with each other.

So both LANS can see each other but to be honest I don’t feel that’s important as they don’t need to.

The UCM (10.10.10.7) can see the WAN too

What I did notice however (and again, I’m not sure if it is right or wrong) is, when I did a packet capture of a phone (10.10.10.10 / ext 1003) I got the following:

192.168.1.20 was the OLD IP address of this phone, and this was after a factory reset too.

So I literally factory reset and deleted all the extensions and phones from the UCM and set up 5 new extensions.

Searched the network, found the phones, added them to the extensions and updated them through ZeroConfig and still they are showing as Unavailable.

What is also strange is when I login to the router gateway (Unifi USG Pro 4) it shows phones dropping off of the network. Like here it shows 10.10.10.8 as not there, yet the UCM can ping it (and so can a terminal session):

Then 10.10.10.9 drops off. Suddenly they come back, but have no IP attached to them.

I’m pulling what little hair I have left out!

Carl.


#16

Hi thanks for the advice:

I hadn’t added the 10.10 subnet to the Fail2Ban but have now:

In ZeroConfig I have the following too:

Still won’t enable the extensions.


#17

OK, so let’s get back to some basics -

Did you check the IP blacklist? If any are already blacklisted, the whitelisting will not override the existing entries. They must be deleted whereupon the whitelist will then prevent them from being blacklisted again.

You indicated that the USG is supporting two LANs. Both are physically segregated up to the USG. Is there a separate public IP for the data and voice?

Now that I know that there are only 5 phones, it raises the question of why the need for two LANs? While some simply like this arrangement and listen to those that call it a best practice, such is not always the case. Consider that you likely have a 1GB network and that if all 5 phones are engaged in a conversation, with each call using 86Kbs in each direction, that is only 430Kbs are in use by the phones (0.043%). If there are only 5 phones, then I imagine that the data traffic is also not that much either in the scheme of things - meaning that the number of devices is likely relatively small as well.

I am not suggesting that two LANs is not achievable, but that it is perhaps a more complicated scenario that may not offer any value add to the situation. What value is to be gained versus at what cost and effort and if there is a real security concern, why was not a VLAN considered?

As you are already down the path of two LANs, how is the UCM set with regard to the network mode - switch, dual, route?

In the above, you indicated - “192.168.1.20 was the OLD IP address of this phone, and this was after a factory reset too.” That is not correct. 10.10.10.10 is the source IP which is attempting to register to the UCM which it is trying to reach at 192.168.1.20. You can see this in the earlier pcap file that Frederick posted -

If you look at the Contact header it tells the other end what IP to use when responding back, and if you look at the User-Agent header it indicates the device that is making the REGISTER request. So, we now know that it is a GXP phone at 10.10.10.10 making a request to 192.168.1.20 (UCM).

Also, what is at 192.168.100.1 and why are the phone and this IP talking to one another? Was the pcap taken from the phone?

So, this raises the question of the network mode.

Additionally, what does the NAT page look like as well? And if you factory reset a phone and the UCM saw the phone and you provisioned it, what does the phone show for SIP server and for the provisioning server?
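The two things asked for above, a capture from each side and a reading of the REGISTER’s Request-URI, Contact and User-Agent headers, can be pulled out of a pcap automatically. The following is an added example, not code from the thread or from Grandstream: it reads a classic (non-pcapng) Ethernet capture with only the standard library, lists every SIP REGISTER, and flags the ones aimed at an address other than the UCM’s current IP. The capture it runs on is constructed in the script itself using the addresses from the thread (phone 10.10.10.10, old UCM 192.168.1.20, new UCM 10.10.10.7); the MACs, Call-IDs, extension 1004 and the User-Agent string are placeholders. To use it on a real capture, replace `SAMPLE_PCAP` with the bytes of the file downloaded from the UCM or phone capture page.

```python
"""Added example: list SIP REGISTER requests in a pcap and show who is registering to whom."""
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
UCM_IP = "10.10.10.7"            # where the UCM lives now (from the thread)

def build_sip_register(phone_ip, server_ip, ext):
    """Minimal REGISTER as a phone would send it (constructed; headers trimmed)."""
    return "\r\n".join([
        f"REGISTER sip:{server_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {phone_ip}:5060;branch=z9hG4bK-{ext}",
        f"From: <sip:{ext}@{server_ip}>;tag={ext}",
        f"To: <sip:{ext}@{server_ip}>",
        f"Call-ID: {ext}@{phone_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{ext}@{phone_ip}:5060>",   # where the server should reply
        "User-Agent: Grandstream GXP",            # placeholder; real phones add model/firmware
        "Expires: 3600",
        "Content-Length: 0", "", ""]).encode()

def build_frame(src_ip, dst_ip, payload, sport=5060, dport=5060):
    """Ethernet/IPv4/UDP wrapper; checksums left zero, fine for offline parsing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp   # zero MACs, ethertype IPv4

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_udp(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/UDP frame in a pcap."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                               # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        yield (str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])),
               sport, dport, udp[8:ulen])

def parse_sip(payload):
    """Return {'method','uri','headers'} for a SIP request, or None for anything else."""
    head = payload.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    req = lines[0].split(" ")
    if len(req) != 3 or req[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": req[0], "uri": req[1], "headers": headers}

def uri_host(uri):
    """sip:user@host:port -> host (IPv4 / hostname forms only)."""
    hostport = uri.split("@")[-1]
    if hostport.startswith("sip:"):
        hostport = hostport[4:]
    return hostport.split(":")[0]

def register_summary(pcap, ucm_ip=UCM_IP):
    """One row per REGISTER: who sent it, where, and whether that target is the current UCM."""
    rows = []
    for src, dst, _sport, _dport, payload in iter_udp(pcap):
        msg = parse_sip(payload)
        if not msg or msg["method"] != "REGISTER":
            continue
        rows.append({
            "phone": src,
            "sent_to": dst,
            "request_uri_host": uri_host(msg["uri"]),
            "contact": msg["headers"].get("contact", ""),
            "user_agent": msg["headers"].get("user-agent", ""),
            "stale_server": dst != ucm_ip,
        })
    return rows

# Constructed capture: ext 1003 still aiming at the old UCM address, ext 1004 at the new one.
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.10.10", "192.168.1.20",
                build_sip_register("10.10.10.10", "192.168.1.20", "1003")),
    build_frame("10.10.10.11", "10.10.10.7",
                build_sip_register("10.10.10.11", "10.10.10.7", "1004")),
])

if __name__ == "__main__":
    for row in register_summary(SAMPLE_PCAP):
        flag = "STALE SERVER" if row["stale_server"] else "ok"
        print(f'{row["phone"]} -> {row["sent_to"]} ({row["user_agent"]}) {flag}')
```

A REGISTER whose destination IP and Request-URI still point at the old UCM address is the phone’s configuration talking, not the network’s, which is the distinction the thread needs: a phone that was reset but reprovisioned from a stale source (or never reprovisioned) will keep producing exactly that row.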


#18

Hi

Thanks for the response. I will try and address each point as best I can. Your points in BOLD.

So, just to point out I have NOT factory reset the UCM, because there were a lot of settings in it that took a while to get right.

I have however factory reset all of the phones.

Did you check the IP blacklist? If any are already blacklisted, the whitelisting will not override the existing entries.

There is nothing in the blacklist at all:

You indicated that the USG is supporting two LANS. Both are physically segregated up to the USG. Is there a separate public IP for the data and voice?

I’m slightly confused. The two LANs are not physically separate. They come from one router/gateway and are set up like this:

with the gateway supplying the DHCP etc:

Both of these networks can communicate. So are not segregated. More integrated at present.

Now that I know that there are only 5 phones, it raises the question of why the need for two LANs? While some simply like this arrangement and listen to those that call it a best practice, such is not always the case. Consider that you likely have a 1GB network and that if all 5 phones are engaged in a conversation, with each call using 86Kbs in each direction, that is only 430Kbs are in use by the phones (0.043%). If there are only 5 phones, then I imagine that the data traffic is also not that much either in the scheme of things - meaning that the number of devices is likely relatively small as well.

Although I agree with what you are saying regarding two separate LANs being OTT, these were the client’s requests, and therefore, as much as I would try and chat to them about it, it’s primarily their decision.

As you are already down the path of two LANs, how is the UCM set with regard to the network mode - switch, dual, route?

It’s set like this:

In the above, you indicated - “192.168.1.20 was the OLD IP address of this phone, and this was after a factory reset too.” That is not correct. 10.10.10.10 is the source IP which is attempting to register to the UCM which it is trying to reach at 192.168.1.20.

Yes sorry, my bad the UCM used to be on 192.168.1.20, but now shows an IP of 10.10.10.7

If you look at the contact header it tells the other end what IP to use when responding back and if you look at the user agent header it indicates the device that is making the register request. SO, we now know that it is a GXP phone at 10.10.10.10 making a request to 192.168.1.20 (UCM).

OK, so this is the bit I’m getting confused with. Why would it still be requesting the old IP of the UCM? Have I missed a setting somewhere to say “it’s not on that IP anymore”? Unless this phone didn’t factory reset properly. It’s hard to be 100% sure as I’m on a VPN and not physically on site.

Also, what is at 192.168.100.1 and why is the phone and this IP talking to one another. Was the pcap taken from the phone?

192.168.100.1 is me VPN’ing into the network from home.

Additionally, what does the NAT page look like as well? And if you factory reset a phone and the UCM saw the phone and you provisioned it, what does the phone show for SIP server and for the provisioning server?

NAT page looks like this:

I’m doing this as we speak to show you the steps I take.

1: Phone at 10.10.10.11 = factory reset
2: ZeroConfig discovers it
3: I edit it and assign it to an extension:
4: Save and update
5: Send the NOTIFY to the phone

Now when logging into the phone and after being forced to change admin password it shows this as SIP status:

So it’s not registering.

I think what may be confusing things a little is the possibility of one of the phones not factory resetting fully and still having the 192.168.1.20 UCM address in it.

I hope this helps in some way.

Carl.


#19

Do you have Option 66 or similar, by any chance? This would prevent the UCM from sending a NOTIFY since the phone would try to grab the DHCP option, which may contain the old IP at this moment.

If phones are detected by the UCM, you should be able to provision them.

Also, in your step 2 above, the phone should indicate the model/brand and firmware version. You shouldn’t have to choose it manually.


#20

Well, a separate LAN altogether makes me think of a segregated LAN, which I was going to question unless you had 2 public IPs. So, it is not really separate until you eliminate the static route that allows the two LANs to currently “talk” to one another.

So, what Frederick indicated about the discovery process is correct. You can do a discover on a single IP and see if that will then cause the UCM to get a full description of model, F/W, etc. His idea about DHCP options may also play a part.

The phone screenshot you showed, indicates that the phone is not provisioned; otherwise it would show the IP of the UCM and an extension number. It appears to be reset pending provisioning.

Here is what you can do as a test to confirm connectivity.

In the phone GUI, in Account 1, enable it. Then enter the extension number in the username and auth ID fields. Then copy the password from the UCM, Extension settings, SIP/IAX password, and insert that into the phone’s password field. Then enter the IP of the UCM into the SIP server field. Hit save and apply and see if the phone registers.

Let us know the outcome.


#21

Yep I will. Thanks again for all your help.

Just out of curiosity what is meant by option 66


#22

The DHCP Option 66 (or 120 in some cases) is used to tell every phone on the network (via DHCP) where to find their provisioning server (also called TFTP Boot Server in some routers).

If Option 66 is configured, it overwrites the UCM NOTIFY url and the phone just tries the IP/FQDN it got in DHCP.

This would be configured in the DHCP options of the USG.

See : https://help.ui.com/hc/en-us/articles/360012097513-UniFi-USG-How-to-Configure-Custom-DHCP-Options
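To see what a phone was actually told by DHCP, rather than what the USG page claims, decode the options in the DHCPACK the phone received. The following is an added example, not code from the thread, from Ubiquiti or from Grandstream: it parses the option field of a DHCP reply with the standard library and reports Option 66 (provisioning server) and Option 120 (SIP servers, RFC 3361) if either is present. The two ACKs it runs on are constructed in the script; the value 192.168.1.20 mirrors the old UCM address from the thread and is not a real capture. On a real capture, feed it the UDP payload of the server’s ACK (UDP port 67 to 68), which can be cut from the same pcap the UCM or phone produced.

```python
"""Added example: decode a DHCPACK's options and report any provisioning override."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker that starts the options field
OPT_TFTP_SERVER_NAME = 66            # provisioning server, free-form string
OPT_SIP_SERVERS = 120                # RFC 3361: enc byte, then IPv4 list or DNS names
OPT_END = 255

def build_dhcp_ack(options):
    """236-byte fixed BOOTP header (op=2, BOOTREPLY) + cookie + TLV options + END."""
    fixed = bytes([2, 1, 6, 0]) + b"\x00" * 232
    tlv = b"".join(struct.pack("BB", code, len(val)) + val for code, val in options)
    return fixed + MAGIC_COOKIE + tlv + bytes([OPT_END])

def parse_dhcp_options(pkt):
    """Return {code: bytes}; repeated codes are concatenated as RFC 3396 allows."""
    start = pkt.find(MAGIC_COOKIE, 236)
    if start < 0:
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, start + 4
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                      # PAD has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = opts.get(code, b"") + pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_sip_servers(raw):
    """Option 120 value: enc=1 -> IPv4 addresses, enc=0 -> DNS-encoded names."""
    if raw[0] == 1:
        return [str(IPv4Address(raw[j:j + 4])) for j in range(1, len(raw), 4)]
    names, j = [], 1
    while j < len(raw):
        labels = []
        while raw[j] != 0:
            n = raw[j]
            labels.append(raw[j + 1:j + 1 + n].decode("ascii"))
            j += 1 + n
        j += 1                             # skip the terminating zero label
        names.append(".".join(labels))
    return names

def provisioning_override(pkt):
    """What the phone will try to provision/register against because DHCP told it to."""
    opts = parse_dhcp_options(pkt)
    found = {}
    if OPT_TFTP_SERVER_NAME in opts:
        found["option66"] = opts[OPT_TFTP_SERVER_NAME].decode("ascii", "replace")
    if OPT_SIP_SERVERS in opts:
        found["option120"] = decode_sip_servers(opts[OPT_SIP_SERVERS])
    return found

# Constructed ACKs: one clean, one still handing out the old UCM address.
CLEAN_ACK = build_dhcp_ack([(53, b"\x05"),                           # DHCPACK
                            (1, IPv4Address("255.255.255.0").packed),
                            (3, IPv4Address("10.10.10.1").packed)])
STALE_ACK = build_dhcp_ack([(53, b"\x05"),
                            (3, IPv4Address("10.10.10.1").packed),
                            (66, b"192.168.1.20"),
                            (120, b"\x01" + IPv4Address("192.168.1.20").packed)])

if __name__ == "__main__":
    print("clean:", provisioning_override(CLEAN_ACK) or "no override")
    print("stale:", provisioning_override(STALE_ACK))
```

An empty result means DHCP is not steering the phone and the stale address has to be coming from the phone’s own configuration or from the provisioning server it was pointed at. If Option 66 does turn up and is not wanted, the clean fix is to remove it at the USG, since the whole LAN sees it; the phone-side setting that allows DHCP Option 43/66 to override the configured server is the per-device fallback.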


#23

OK, so when I did it this way:

It registers and shows up in the UCM as registered.


#24

This is called manual provisioning. So, it demonstrates that connectivity can be achieved.

In the phone, input the following in the provisioning server field and set it to HTTPS
10.10.10.7:8089/zccgi

Then, in the phone, change the voicemail access code from whatever it may be to something else so that upon re-provisioning you can tell that it did take it. Then either reboot the phone or if there is a provisioning button, press it and when it returns check and see if the voice mail code changed. If so, then you populate the other 4 phones with the same config server and reboot them and see if they pick it up.

Let us know.


#25

If the URL isn’t there anymore or has changed, check your DHCP Options. It really sounds like that.


#26

Can this be done over VPN? I’m not physically there until Tuesday.


#27

I checked what was mentioned earlier re Option 66 etc. and there are no additional DHCP options set.