All Extensions Unavailable after installing USG Gateway and changing subnet


#1

Hi, new here.

I have a client with a very small 5-user VoIP setup. Everything was working fine until yesterday.

Setup is UCM6202 and 5 X GXP1620’s.

Client wanted all phone traffic away from generic office traffic so purchased a Ubiquiti USG Pro 4. Has all computers running on LAN 1 (192.168.1.1/24) and all VoIP on LAN 2 (10.10.10.1/24).

It was all working fine without the gateway in place with everything going over LAN1. However now it’s on the 10.10.10.1 network none of the phone extensions can be seen and are showing unavailable.

The ip addresses are showing correct on the phones, and the UCM can see them: (I can only post 1 image so will link to them here)

The phones have been added to the relevant extensions but just will not “adopt” for some reason. I’m not sure if it’s a local firewall issue as the correct ports have been forwarded as far as I know:

All sips are showing connected too

This is driving me nuts so any advice on what I could look at to get the phones registered would be great. They all reboot etc via the UCM but don’t seem to do anything else. No calls work either in or out, but I’ll work on that once I’ve got the extensions “available” as it might just kick in once it has.

All ext have had the NAT enabled and the NAT settings have been updated to show the new 10.10.10.1/24 network.

Everything has also been booted and rebooted a number of times

Thanks in advance

UKD.


#2

Have you tried sending the update to the phone via ZeroConfig? If it finds the phone locally, it should be able to reprovision them with the new UCM IP.

If not, run a packet capture on a phone you’re testing and on the UCM, then compare to see if the SIP NOTIFY even reached the phone.


#3

Thanks so much for the reply. I have tried sending the phone the ZeroConfig command, but it doesn’t seem to provision them.

I’m not familiar with packet capture. Could you give me a heads up?

Thanks
Carl.


#4

not many who know how to use Wireshark, try to publish the PCAP


#5

I have the pcap file and loaded it into Wireshark. Might as well be in a foreign language. I have no idea what it means.


#6

Attach both of them in a zip and I’ll check them.

Just tell me what’s the IPs of the phone and the UCM.

If there is sensitive data in the pcap, send it by DM.


#7

Thanks man. To be honest I’m not sure I’ve done this properly. I only have 1 pcap file, and it just shows localhost addresses.


#8

You need to run a capture from each side, UCM and phone.

Quick thought: with only 5 phones, why even use VLAN and complicate everything? You may have routing issues somewhere.


#9

It’s not a VLAN. It’s a separate LAN altogether. I think they wanted it this way because they have other offices which would potentially connect up later in the year. I don’t ask why, they are the client LOL


#10

So I have to log into the UCM and enable packet capture? And then log in to the phone and enable it too? As in two separate sessions?


#11

Yes but they run at the same time, then you go into ZeroConfig and click Update on the phone you’re pcap-ing on. After that, you end the pcap on both and download the files.

On the phone you need to keep the page opened to end it.

On the UCM, I don’t remember exactly.


#12

It is not a firewall issue for the phones. So, you changed the UCM IP, then set the external host and changed the local subnet to reflect the new one in the NAT settings? Did you do the same in the Zero-Config settings by adding/changing the whitelist? In Fail2Ban did you whitelist the new subnet and did you check and remove any valid IPs that may have found their way into the list?

How many phones?


#13

5 phones


#14

So, I took a look at your pcaps. It really seems like a networking issue. Please do what @lpneblett said above, then if it still doesn’t work (I don’t think ZeroConfig would give “Destination not reachable” in a pcap, it would just return a 403 forbidden or similar).

If I understood the network correctly, the gateway (10.10.10.1) cannot find the subnet 192.168.1.0/24 but that subnet can find your 10.10.10.0/24. Those may not even be your correct subnets.

See below:

You can also try to connect a PC to the same network as the phone and ping the UCM. If you get a reply, the issue is not in the network.


#15

I think I may have confused things with my limited knowledge. I’ll try and be clearer:

There is one USG controller (router). Which handles all DHCP. It has LAN 1 and LAN 2 (and WAN)

LAN 1 has been set up on 192.168.1.1 (DHCP pool starts from 192.168.1.6)
LAN 2 has been set up on 10.10.10.1. (DHCP pool starts from 10.10.10.6)

LAN 1 and LAN 2 “CAN” (at the moment) communicate with each other.

So both LANS can see each other but to be honest I don’t feel that’s important as they don’t need to.

The UCM (10.10.10.7) can see the WAN too

What I did notice however (and again, I’m not sure if it is right or wrong) is, when I did a packet capture of a phone (10.10.10.10 / ext 1003) I got the following:

192.168.1.20 was the OLD IP address of this phone, and this was after a factory reset too.

So I literally factory reset and deleted all the extensions and phones from the UCM and set up 5 new extensions.

Searched the network, found the phones, added them to the extensions and updated them through ZeroConfig and still they are showing as Unavailable.

What is also strange is when I login to the router gateway (Unifi USG Pro 4) it shows phones dropping off of the network. Like here it shows 10.10.10.8 as not there, yet the UCM can ping it (and so can a terminal session):

Then 10.10.10.9 drops off. Suddenly they come back, but have no IP attached to them.

I’m pulling what little hair I have left out!

Carl.


#16

Hi thanks for the advice:

I hadn’t added the 10.10 subnet to the Fail2Ban but have now:

In ZeroConfig I have the following too:

Still won’t enable the extensions


#17

OK, so let’s get back to some basics -

Did you check the IP blacklist? If any are already blacklisted, the whitelisting will not override the existing entries. They must be deleted whereupon the whitelist will then prevent them from being blacklisted again.

You indicated that the USG is supporting two LANS. Both are physically segregated up to the USG. Is there a separate public IP for the data and voice?

Now that I know that there are only 5 phones, it raises the question of why the need for two LANs? While some simply like this arrangement and listen to those that call it a best practice, such is not always the case. Consider that you likely have a 1GB network and that if all 5 phones are engaged in a conversation, with each call using 86Kbs in each direction, that is only 430Kbs are in use by the phones (0.043%). If there are only 5 phones, then I imagine that the data traffic is also not that much either in the scheme of things - meaning that the number of devices is likely relatively small as well.

I am not suggesting that two LANs is not achievable, but that it is perhaps a more complicated scenario that may not offer any value add to the situation. What value is to be gained versus at what cost and effort and if there is a real security concern, why was not a VLAN considered?

As you are already down the path of two LANs, how is the UCM set with regard to the network mode - switch, dual, route?

In the above, you indicated - “192.168.1.20 was the OLD IP address of this phone, and this was after a factory reset too.” That is not correct. 10.10.10.10 is the source IP which is attempting to register to the UCM which it is trying to reach at 192.168.1.20. You can see this in the earlier pcap file that Frederick posted -

If you look at the contact header it tells the other end what IP to use when responding back and if you look at the user agent header it indicates the device that is making the register request. SO, we now know that it is a GXP phone at 10.10.10.10 making a request to 192.168.1.20 (UCM).

Also, what is at 192.168.100.1 and why is the phone and this IP talking to one another. Was the pcap taken from the phone?

So, this raises the question of the network mode.

Additionally, what does the NAT page look like as well? And if you factory reset a phone and the UCM saw the phone and you provisioned it, what does the phone show for SIP server and for the provisioning server?
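
Added example, not part of the original posts: a small Python check of the pcap reading described in post #17. It takes REGISTER requests exported from a capture and reports any phone still addressing a server other than the current UCM, together with its Contact and User-Agent values. The sample packets are constructed (addresses follow the thread; the 10.10.10.12 phone, extension 1005 and the User-Agent string are assumptions), and all function names are illustrative.

```python
import ipaddress
import re
COMPACT = {"m": "contact", "f": "from", "t": "to", "v": "via"}  # RFC 3261 short forms

def parse_sip(raw):
    """Return (method, request-URI, headers) for a SIP request, else None."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # status line of a response, or not SIP at all
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return parts[0], parts[1], headers

def uri_host(text):
    """Host of the first sip: URI in text, without user part or port."""
    m = re.search(r"sips?:(?:[^@>;\s]+@)?([^:;>\s]+)", text)
    return m.group(1) if m else None

def audit_registers(packets, registrar_ip, voice_net):
    """Report REGISTERs that are not addressed to the current registrar."""
    net, findings = ipaddress.ip_network(voice_net), []
    for src, dst, raw in packets:
        method, request_uri, hdr = parse_sip(raw) or (None, None, {})
        if method != "REGISTER":
            continue
        if dst == registrar_ip and uri_host(request_uri) == registrar_ip:
            continue  # phone is pointed at the right server
        findings.append({"phone": src, "sent_to": dst,
                         "contact": uri_host(hdr.get("contact", "")),
                         "user_agent": hdr.get("user-agent", "unknown"),
                         "outside_voice_lan": ipaddress.ip_address(dst) not in net})
    return findings

def _register(server, phone, ext):  # constructed message, not from the thread's pcap
    return (f"REGISTER sip:{server} SIP/2.0\r\nm: <sip:{ext}@{phone}:5060>\r\n"
            "User-Agent: Grandstream GXP1620 (constructed)\r\n\r\n")

SAMPLE = [("10.10.10.10", "192.168.1.20", _register("192.168.1.20", "10.10.10.10", 1003)),
          ("10.10.10.12", "10.10.10.7", _register("10.10.10.7", "10.10.10.12", 1005)),
          ("10.10.10.7", "10.10.10.12", "SIP/2.0 200 OK\r\n\r\n")]

if __name__ == "__main__":
    for finding in audit_registers(SAMPLE, "10.10.10.7", "10.10.10.0/24"):
        print(finding)
```

A finding with `outside_voice_lan` set means the phone still holds a SIP server address from the old subnet, which points at provisioning (ZeroConfig or a DHCP option) rather than at the firewall.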


#18

Hi

Thanks for the response. I will try and address each point as best I can. Your points in BOLD.

So, just to point out I have NOT factory reset the UCM, because there were a lot of settings in it that took a while to get right.

I have however factory reset all of the phones.

You indicated that the USG is supporting two LANS. Both are physically segregated up to the USG. Is there a separate public IP for the data and voice?

There is nothing in the blacklist at all:

You indicated that the USG is supporting two LANS. Both are physically segregated up to the USG. Is there a separate public IP for the data and voice?

Im slightly confused. The two lans are not physically separate. They come from one Router/Gateway and are set up like this:

with the gateway supplying the DHCP etc:

Both of these networks can communicate. So are not segregated. More integrated at present.

Now that I know that there are only 5 phones, it raises the question of why the need for two LANs? While some simply like this arrangement and listen to those that call it a best practice, such is not always the case. Consider that you likely have a 1GB network and that if all 5 phones are engaged in a conversation, with each call using 86Kbs in each direction, that is only 430Kbs are in use by the phones (0.043%). If there are only 5 phones, then I imagine that the data traffic is also not that much either in the scheme of things - meaning that the number of devices is likely relatively small as well.

Although I agree with what you are saying regarding two separate LANs being OTT, these were the client’s requests, and therefore as much as I would try and chat to them about it, it’s primarily their end decision.

As you are already down the path of two LANs, how is the UCM set with regard to the network mode - switch, dual, route?

It’s set like this:

In the above, you indicated - “192.168.1.20 was the OLD IP address of this phone, and this was after a factory reset too.” That is not correct. 10.10.10.10 is the source IP which is attempting to register to the UCM which it is trying to reach at 192.168.1.20.

Yes sorry, my bad the UCM used to be on 192.168.1.20, but now shows an IP of 10.10.10.7

If you look at the contact header it tells the other end what IP to use when responding back and if you look at the user agent header it indicates the device that is making the register request. SO, we now know that it is a GXP phone at 10.10.10.10 making a request to 192.168.1.20 (UCM).

Ok so this is the bit I’m getting confused with. Why would it still be requesting the old IP of the UCM? Have I missed a setting somewhere to say “it’s not on that IP anymore”? Unless this phone didn’t factory reset properly. It’s hard to be 100% sure as I’m on a VPN and not physically on site.

Also, what is at 192.168.100.1 and why is the phone and this IP talking to one another. Was the pcap taken from the phone?

192.168.100.1 is me VPN’ing into the network from home.

Additionally, what does the NAT page look like as well? And if you factory reset a phone and the UCM saw the phone and you provisioned it, what does the phone show for SIP server and for the provisioning server?

Nat page looks like this:

I’m doing this as we speak to show you the steps I take.

1: Phone at 10.10.10.11 = factory reset
2: ZeroConfig discovers it

3: I edit it and assign it to an extension:

4: save and update
5: Send the NOTIFY to the phone

Now when logging into the phone and after being forced to change admin password it shows this as SIP status:

So it’s not registering.

I think what may be confusing things a little is the possibility of one of the phones not factory resetting fully and still having the 192.168.1.20 UCM address in it.

I hope this helps in some way.

Carl.


#19

Do you have Option 66 or similar by any hazards? This would prevent the UCM from sending a NOTIFY since the phone would try to grab the DHCP Option, which may contain the old IP at this moment.

If phones are detected by the UCM, you should be able to provision them.

Also, in your step 2 above, the phone should indicate the model/brand and firmware version. You shouldn’t have to choose it manually.


#20

Well, a separate LAN altogether makes me think of a segregated LAN, which I was going to question unless you had 2 public IPs. So, it is not really separate until you eliminate the static route that allows the two LANs to currently “talk” to one another.

So, what Frederick indicated about the discovery process is correct. You can do a discover on a single IP and see if that will then cause the UCM to get a full description of model, F/W, etc. His idea about DHCP options may also play a part.

The phone screenshot you showed, indicates that the phone is not provisioned; otherwise it would show the IP of the UCM and an extension number. It appears to be reset pending provisioning.

Here is what you can do as a test to confirm connectivity.

In the phone GUI, in Account one, enable it. Then enter the extension number in the username and authID fields. Then copy the password from the UCM, Extension settings, SIP/IAX password and insert that into the phone’s password field. Then enter the IP of the UCM into the SIP server field. Hit save and apply and see if the phone registers.

Let us know the outcome.