cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2095
Views
0
Helpful
9
Replies

Problems with Polycom IP Phones and Cisco 881W - router blocking offsite server?

Rob S
Level 1
Level 1

I am trying to setup several Polycom IP phones (331 and 650) to an offisite Asterisk PBX in an office with a Cisco 881W router and having problems.

Initially, all phones registered fine, but then all dropped registration after about an hour.

What we noticed was that the server would ping the phones (102 OPTIONS) and after a while, it wouldn't get past the router so it would keep retransmitting, eventually just dropping the registration.

Rebooting the phones did not help, but did show that when the phone attempted to register, the response seems to be blocked by the router (getting 401 Unauthorized on the server response in the asterisk log).

We turned off SIP ALG on the router, and have set the local sip port on each phone to a different port, thinking it would avoid any conflicting port issues, and all of the phones registered fine.  For 2 hours.  Then they all started to go down with the same issues.

Now some are staying up, and others are going down, with no discernable pattern (all have same config, other than the local sip port).

Just to test, we even opened up all ports on the router to my server, but that made no difference so we closed it all up again.

I brought the phones home and one went to another person's home, and they worked fine outside of the office, so I'm thinking it has to be the 881W.

Has anyone had these issues, and more importantly, resolved them?

Just in case it helps, I attached some log snippets showing the retransmitted ping (not exciting) and the register/unauthorized response.  Removed the ip addresses to protect everything.

FYI, I am not the Cisco tech on this and have no access to the router directly.  I'm the phone/PBX side of things but looking for answers where their IT/Cisco guy wouldn't.  Google was not particularly helpful that I could tell either.

 

*EDIT*

More info I should have added earlier.  The phones are now set with a 30 second NAT keepalive and server expire times were at 3600, which would indicate the first Register worked but the second was blocked (with the 2 hour registration death).  I'm playing with different expire times to see how they fare.

1 Accepted Solution

Accepted Solutions

Hi Rob,

 

If SIP is impacted by ALG, then you router guy is doing some inspection. If inspection is off, SIP won't be impacted by ALG config.

 

I have been doing SIP registration through IOS CBAC and Cisco ASAs for long time and never had problems as long as I am bypassing SIP messages properly.

 

I am really interested to look at the router config.

View solution in original post

9 Replies 9

Hi,

 

Do you have the astriex server and phones on seperate VLANs

Hi Mohammed,

They only have a single VLAN defined (not sure if on router or on their Cisco 2950 switch) with everything on it, although Asterisk is hosted off site.

I have managed to figure out a workaround that seems to be working right now.  I changed the server register expiration on each phone to 1 minute, so the phones will all re-register every minute.  That seems to keep the phones active as well as allows calls in to the phones.  I had tried with a register of 2 minutes and qualify of 60 seconds, but that just resulted in the phones looking like they were alive, but calls would not always go through to the phones (presumably blocked by router again).

I do still see some pings or responses from Asterisk being blocked by the router, but the second register (immediately after) seems to work, and that's enough to keep the phones online.

I'm not a big fan of this workaround (register every minute seems like overkill and unnecessary, albeit small, bandwidth) and ideally would like to just have the router stop denying my server.  Their Cisco guy can't think of anything else to check, and I'm just clueless about Cisco routers.

The one thing he mentioned but we didn't try was to map ports on the router to each phone, but that seems unnecessary since I've already assigned a different local port to each phone, and even he said that there is no guarantee it would work (and cost the customer more money for him to do it).

 

Hi Rob,

 

I agree that this workaround isn't ideal. I would like to see your router config as it looks that there is SIP inspection running which is causing this problem. Usually it is preferred to turn SIP inspection off as we have seen many problems with stateful devices inspecting SIP messages (CBAC, IOS IPS, ZBW).

 

 

Thanks Mohammed!

I would also like to see the router config. :)  As I said, I'm not their router guy, and their IT guy/company keeps that stuff locked down tight.  

I will pass along the SIP Inspection idea though and see if that works.  It sounds promising.

Cheers,

Rob.

Hi Mohammed,

Router guy was away for 2 weeks, so wasn't able to test until today.  

Turning off SIP Inspection doesn't seem to work entirely. We turned SIP Inspection off and then I changed the Register expiry on 2 phones to 5 minutes and 20 minutes respectively.  After an hour, the 20 minute phone has been ok.  But the 5 minute phone has dropped twice, both times after about 2 minutes.

Can't see any rhyme or reason for it either.  They are the same model of phone with the same configuration, other than the port number and expiry time.

This is also the same behaviour I noticed before when SIP Inspection was on, so not sure if it actually did anything.

I am testing on a few more phones now (total 5) with different registration expiries to see which behaviour sticks.  If it is only the one phone dropping registration then I'll live with that one having constant registrations.  It's a common room phone anyway.  
 
Also, when we turned off SIP ALG, all of the phones dropped.  Had to turn it back on to get the phones to re-register.  Router guy said the router would only allow SIP traffic on 5060 if ALG was not on.

Nope, the 3 added phones went down after less than 5 minutes after registration (second or third registration anyway).  That one phone at 20 minutes expiry is still going strong though for some reason, even on a non-standard port.

Seems like I may just be stuck with frequent registrations.  And I'll just avoid Cisco routers from now on.

 

Hi Rob,

 

If SIP is impacted by ALG, then you router guy is doing some inspection. If inspection is off, SIP won't be impacted by ALG config.

 

I have been doing SIP registration through IOS CBAC and Cisco ASAs for long time and never had problems as long as I am bypassing SIP messages properly.

 

I am really interested to look at the router config.

We finally got it, although not sure exactly what did it.

We turned off SIP ALG again and they made changes to the ACL.  Works fine after that.  Not about to go back and figure out which one fixed it, but it works.

Thanks for your input.

Great news. Looks my feeling was correct.

 

Please remember to rate useful posts and mark the question as answered :)