atcomsystems.ca/forum Forums TDM Business Telephone Systems Panasonic Telephones & Systems site to site VPN using SonicWALLs with TDE-200 & KX-NTxxx only some phones drop

Hi.

Maybe someone can suggest something we have not thought of to try.....

We are having issue with our KX-DT series phones with our TDE-200 at our remote office using SonicWALL site to site VPN. IP phones work at HQ no problem. Phones can do 1 of 3 things.
1)There are two phones that work without issue.
2)There are three phones that randomy REBOOT
3)There are four phones that will 'lock up' no response from any buttons, and sometimes will eventually REBOOT, other must power down(unplug)

What gets me is there are 2 phones that work without issue. I have tried and tried to find out what is different about these 2 but nothing I have found yet.

One side is an NSA240 other side is a TZ190 Enhanced.
192.168.1.183 is the PBX
192.168.1.199 is the NSA240
192.168.0.168 is the TZ190

Remote site phones are ALL DHCP on the 192.168.0.x and get a 255.255.255.0 mask and 192.168.0.168 default gateway, making these anything else does not connect to the PBX.

My issue sounds a lot like https://sundance-communications.com...e_Sonicwall_VPN_for_Panasonic#Post544744 excpet, phones do get two way audio before they reboot or lock up.

We have;
Ran the VOIP test tool without issue.
Updated the NT phones to 2.012
Updated the TDE to v6.003
Updated SonicOS on both firewalls.
Plugged problem phone direct into tz190 to eliminate the HP switch between the TZ190 and NT phones
Tried brand new phones(registering them at HQ) and they just REBOOT

My dealer is stumped and so am I. Short of re initializing the TDE, I am unsure what else to try. What, are the NICs in two of our NTs different than the others?

Thanks for any suggestion.
-thehoovie

Anyone speak to Pana TS??

Have you tried getting wire shark traces. You could get a dumb hub or one with a mirror port and connect to the problem phone to see what happens

Phones will show poor LAN if they can't see the system not reboot so it sounds like it is loosing connection for a short time what bandwidth is on the VPN what codex is on the nt phones.

I would try the dsp card if you can get your hands on one to try

After that it sounds like the VPN

Thanks for suggestions.

Yes, they said that phones only reboot(or should) if they loose connection to the PBX. They suggested to find out whats different about the connection to these two devices. But I can move them to locations and move problem phones to working phone locations and devices have the same results. They suggested to try a system wipe if doing a packet capture does not help.

....we did not get all our IP phones at the same time, some we got when TDE on v2, upgraded to v3 added some phones, upgraded to v4 added more phones... i was thinking maybe the DB is wacked somehow with certain slot/port that were registered in old versions not working over the VPN, but I moved the MAC addresses around and same results.


I have done packet captures from the sonicwalls and a simple breif wireshark capture, but yes, I do want to set the HP switch we have to mirror mode for a port and get all data sent to<->from a phone on the wire.

Yea, phones do not read poor lan like when they cant even see the PBX, but connect just fine, then sometime later REBOOT.

This is a speed test from a desktop on one end to a desktop on the other end of VPN, bandwidth should be ok, HQ has DIA Fiber, remote office has Comcast Coax(shared);
Date: 01/17/2014
Time: 16:50:26
Program Parameters: 0
High Performance Timer: 0.0000002794
Server IP: 192.168.1.155
Server Port: 4456
Test File: **MASKED**
Write Time = 3.5941680 Seconds
Write Speed = 4.4516560 Mbps
Read Time = 1.9053114 Seconds
Read Speed = 8.3975760 Mbps

But I do not suspect bandwidth, I mean, if it was, eventually one of the 2 good working phones would disconnect, no? and they don't.

what codex is on the NTs? What is this? How do I find out? IP Codec Priority in programming is set to G.722 and all sample times are set to 20ms

Try a DSP card? Like a different one? I should be able to get one to test. We have a great relationship with our Pana Vendor.

Could it be the VPN, you bet. Current release notes for one of the SonicWALL versions talk about how with Cisco IP phones, calls can only be made if initiated from a certain end. While these are custom Panasonic VOIP devices and use their own technology, its possible. I have a REQ in to replace the TZ190 with a newer SonicWALL as the TZ190 is EOL in July. But that won't be for a few months until approved.

We previously had another strange issue....
IP Phones <-> VPN <-> Digital Phones = Fine
IP Phones <-> VPN <-> CO lines = Fine
IP Phones <-> VPN <-> Other IP phones = Not Fine (one way audio Remote site could talk to HQ but HQ voice never got to remote site phones)
This was resolved by simply disabling keep-alive on both ends of the VPN config in the SonicWALLs.

Well, I redid the NSA240 config. It was an old config file with lots of old Address objects that I could not delete. Was a TZ150 STD Upgraded to a TZ190 Enhanced further upgraded to the NSA240. I also PortShield the x4 on the NSA240 and plugged the PBX directly into the SonicWALL to try to eliminate travel time(was SonicWALL -> HP switch -> 3Com Switch -> PBX ) I should know how well this worked by end of day today.

So my NSA240 reconfig did not work.
I later went into both units, I set up address objects and NAT policies to allow for one phone at remote site to use Public WAN to connect to Public IP mapped to the PBX.(To get at least one more phone at the remote site working 100%) Then I set up lots of firewall rules.
(UDP 5060 5061
UDP 8000 8063
UDP 16384 16482
UDP 12000 12255
UDP 9300 9301
UDP 1717 1720
UDP 123 123
UDP 161 161
UDP 12000 12255
TCP 10000 10447
TCP 1717 1720
UDP 35300 35300
UDP 2727 2727
UDP 2427 2427
UDP 33321 33321
UDP 33333 33334
UDP 5004 5006)
Then I was having issues with intermittent audio inbound to the remote site. I was seeing PBX traffic using ports that were not documented anywhere and I had not allowed, there were calls using random ports in the 16483-17000 range and between 12255 and 12300. Why are phones and the PBX using these ports but they are not listed in Panasonic docs? So, I disabled all the NAT and Firewall rules, and BAMB - All the phones just stated working over the VPN!

I changed nothing for the VPN settings. All I did was create these services and the IP objects, enabled them, did a few tests and captures, then disabled the new rules I added and it started working over the VPN.

I am happy it is working. I don't understand why it was not working before and I don't understand why it is working now.