Trouble with new rollout - UCM6208, GXP2160, VPN, Eventlist BLF,


Hey folks,

Laying this all out so that someone may catch whatever I’m doing wrong.

My church reached eol with an eight phone PBX NEC setup. You know the ones where you need a seperate module to get VOIP going, or add another 4 extensions…

Cost to bring current eclipsed getting a UCM6208 and 10 GXP2160s. (latest firmware all around). To be honest GSWave is probably what tipped the scales.

5 lines, 4 voice, one fax. And we wanted to expand our prayer ministry (have a television program that airs 5 times from Friday evening through lunch on Mondays. People call in for prayer from across Canada. Nevermind the fact that the telco provider is charging $200/m to bring the phonelines in through an Arris Voip box.

3 other campuses with a single phone line in. And internet. Figured if the central site is set up right the other ones could be connected in directly (over VPN) or interconnect UCMs (seems like overkill AND well I have enough Eventlist BLF issues currently that I don’t want to compound with remote UCM Eventlist BLF).

Had some teething pains. First I misunderstood how to properly setup SIP trunk with Flowroute, that sort of thing. I am in no way an expert. frankly I blame (naming not shaming) @whowe82 for showing me Grandstream, and @lstutesman for making it look all so easy. Thanks guys. In under a year the system will pay for itself in cost savings.

Currently have two trunks, with 4 analog lines tied to the analog trunk and the aforementioned flowroute.
All phones are in the same pickup group. I haven’t tied in the fax line yet. I am trying to get everything cleared up before I port the main number to Flowroute and close out the telco contract.

I’m not really concerned about throughput because ISP gave me a gigabit fiber connection last year.

Firewall is pfsense 2.4.4-release-p3. Needed to read Flowroutes fine print to get that to work (Sonicwall has a similar issue with Flowroute). Just stating so that if anyone has a similar issue they have a shorter time sorting it out than I did. PFsense will randomize you SIP port!

Frankly I’m shocked that it was only 1 in 200 calls that worked instead of 1 in 20000.

Firewall is VPN server. And handling all of my vlans.

Phones are own vlan, the UCM is on main subnet. Running DDNS and IPSEC for remote access to SIP, locked out (403 - Forbidden) when I try and log into UCM over VPN from outside. But no issues with calls over same connection. I can access any other portion of the network, just locked out of UCM - despite Fail2Ban having the VPN local address pool whitelisted.

Originally most of the phones were in the same ring group set to ring simultaneously, but we had the unfortunate effect of phones continuing to ring AFTER someone had answered at another extension (think of how if you pick up on a GSWave the hard phone will continue to ring) - this isn’t so bad when phones are isolated, or you can see that someone else has picked up the call and you just missed it - but read on for my BLF issues. Solved by setting extensions to ring in order, and slightly mitigated by BLFs, and the ability to click a BLF to answer. But I’m open to other suggestions. Primary stakeholder is upset that he could be on the line for over a minute without anyone picking up. I think I could set the VPKs to show the Line instead of account (not certain as to how, and I’d have to redo the process once we make the jump to full SIP, correct?), but is that going to resolve the eBLF issue below?

I’m at the point now where I have each phone with it’s own Eventlist BLF, showing itself and the other extensions on the MPKs. I’m not sure if I should have given each phone it’s own Eventlist BLF, but the phones seemed to be dealing with a signaling storm until I did. By that I mean random MPKs lit in red or green, some phones BLFs working fine until they just weren’t. To be honest I don’t remember how long I left it as a single eventlist before giving each extension its own.

The BLFs aren’t always accurate though (too often if I poll the phones (easy to do when two pairs of them are within eyesight of each other) I can see that phones are listed in red that aren’t even active, or green that are active, or no BLF data (hit the button to dial and nothing happens). Or not blinking when another extension is being called. And coworkers do use the BLF keys when they work. Especially as shortcuts for call transfers (we encountered reparking issues - one particular caller (principal stakeholder) might talk to 5 extensions in turn, call would drop on 2+ park).

Other programmed MPKs work when this happens though. I have paging coded through the actual phones on MPK11 and MPK12 coded for intercom through the default model template (along with date/time). Not sure as to the order of precedence otherwise I might set up speed dial to extensions when eBLF fails, but like I said above BLF is part of methodology to deal with Ring in Order with 10+ extensions (counting GSWave).


Wow mate, lots of issues…

Firstly - I originally used PFSense with Alix boxes until I ventured to Watchguard and Mikrotik Firewall Routers - majority of installations is with Mikrotik RB3011 units unless HIPAA where the Watchguard comes into view.

  • How many extension telephones have you or softphones active? Is it just 10 x handsets and some softphones?
  • How many locations do you need handsets ringing for incoming calls? Is it just 4 or so?

Happy to help as it should not be this horrendous an experience for you or for the stake holders…

Pm me for further and I will assist.


OK, PFSense will work just fine as will SonicWall. Both have a setting for outbound source port rewrite that must be disabled in addition to the typical port forwarding and disabling of SIP ALG. Do a Google search or YouTube for PFSense and SIP.

Try to access the UCM - you are locked out of the UCM because either:
a) you have enabled a whitelist for UCM access and failed to add the other addresses, or
b) the addresses you have tried to log in from are blacklisted with too many failed attempts.

Am uncertain about the statement of primary stakeholder being on the line for over a minute, unless speaking of the ring in order timing.

The Eventlist need only be one in your case that all phones are tied to. There is no reason to create 10 lists (1 for each) as they are redundant. The list can contain all 10 extensions and then the phones need only contain the others as subscribing to itself is not really meaningful.

For 10 phones, I am uncertain what VLANS bring to the table. If you are trying to segregate voice for security reasons, then I get it, but otherwise, there is no practical benefit in an install this small. There are a number of switch manufacturers that have an auto-voice VLAN function in which they will create the VLAN and then apply QoS to same, but QoS is only applied when the switch senses congestion on the LAN and is otherwise idle.

As you mention the VPN being site to site and IPsec, I assume you have added the remote local networks into the UCM, PBS settings, SIP settings, NAT, local networks? As they are on a VPN, they will appears as local device, but the UCM needs to be told this.

You should be able to use a ring simultaneously with only 10 phones and I assume not all 10 are in the RG (you said most).

While I don’t know if the LAN may have congestion issues, you might consider trying to take the path of least resistance. Given that you apparently have some remote phone and given the VPN reference, and because this is what appears to be your first go at this type of system, my take is to start off as simply as possible to get a feel for what happens and how the system responds and then, if necessary, you can add the more technical functions if and when needed. If all 10 phones were on a call at the same time, the bandwidth needed to accommodate this is only ~1mb. I assume a GB LAN.


Thanks for the response Larry,

Thanks, I thought I linked to that step. Anyways that isn’t a current issue.

It was a) forgot about whitelisting being on under System Settings> HTTP Server, could only remember Fail2Ban. Added the local VPN Pool, access granted. Thanks.

This was more a commentary. Trying to balance how comfortable the users and callers feel. Switched the RG back to ring simultaneously and had extensions ringing another 15+ seconds after the line was answered, and eventlist may no longer be showing as subscribed. Setting to ring in sequence will end the phantom rings… but yeah unless the ring in order timing is really short that can cause its own issue.

Switched back to one eventlist. From inside UCM I just watched subscribers drop from 7 to 0 (as I was trying to see which extensions weren’t subscribed). Waited until I had 8 subscribed again, then called the ring group. Phones seem to have left the eventlist subscription while the call was being answered, ie no longer listed as subscribed, and extension that answered is showing red on a few phones but not all (despite their not being sucscribed). A few minutes later one extension is re-registered as a subscriber, but is not showing that another extension is active on a call…


VLANs are indeed for security.