
Cisco SPA 51x and 50x: Failed - Not Reachable for firmware 7.6.2b, 7.6.2c, 7.6.2d only

inforoutedit
Level 1

When I upgrade my SPA phones 514G and 504G to any of these firmware versions (7.6.2b, 7.6.2c, 7.6.2d) I got "Failed - Not Reachable". With any other firmware version, like 7.6.2a, the phone works fine, with the same config, same network and same everything. Can anyone test this issue and tell me why I am having this? I am doing this upgrade to check if the new firmware is fixing a bug, which is:

 

disable dialing missing number when offhook


Dan Lukes
VIP Alumni

I had used 7.6.2b on my SPA508G and now I have 7.6.2d running on it. I have been affected by no issue during the upgrade from either 7.6.2a or 7.5.5.

I don't know what you mean by "not reachable". During firmware upgrade? During access to the WWW UI? During an attempt to establish an incoming call?

Turn on syslog and debug logs and catch them. They may reveal the cause of the issue.

i get this message in the :

Ext 1 Status Registration State:    Failed - Not Reachable 

 

after finishing the upgrade and waited for the registration to happen

 

i will check enabling the syslog and update here

OK, so the issue is related to SIP registration. Then catch the SIP packets (and ICMP, of course) between phone and upstream PBX to analyze the issue. 

For example, the "broken" firmware may use another source port to send messages and the registration gets rejected by a firewall, or an incorrect phone configuration was tolerated by the former firmware but is not accepted by the current one, ...

ok i am getting these err using syslog debug 3

 

 

05-13-2018 13:09:48 Local0.Info 10.1.3.84 ### Get Sip Tcp Port = 5063
05-13-2018 13:09:48 Local0.Info 10.1.3.84 Getting a SIP TCP port for line 0
05-13-2018 13:09:46 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect Failed; Backoff 2000 ms
05-13-2018 13:09:46 Local0.Info 10.1.3.84 [0]SIP/TLS:Connect Failed -1
05-13-2018 13:09:46 Local0.Info 10.1.3.84 [0]SIP/TLS:Connecting ...
05-13-2018 13:09:46 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect=0, errno=42
05-13-2018 13:09:46 Local0.Info 10.1.3.84 [0]SIP/TCP:Connecting...(11)
05-13-2018 13:09:46 Local0.Info 10.1.3.84 ### Get Sip Tcp Port = 5063
05-13-2018 13:09:46 Local0.Info 10.1.3.84 Getting a SIP TCP port for line 0
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect Failed; Backoff 1000 ms
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TLS:Connect Failed -1
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TLS:Connecting ...
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect=0, errno=42
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TCP:Connecting...(11)
05-13-2018 13:09:45 Local0.Info 10.1.3.84 ### Get Sip Tcp Port = 5063
05-13-2018 13:09:45 Local0.Info 10.1.3.84 Getting a SIP TCP port for line 0
05-13-2018 13:09:45 Local0.Info 10.1.3.84 +++ ts 0x94fcc6b0 clean 0 9502a300 9502a470 bcts:1 nRef:0
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP:RegFailed;Retry in 30s
05-13-2018 13:09:45 Local0.Info 10.1.3.84 SIP_tsClientEventProc ts:0x94fcc6b0 event 60 state:1
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect Failed; Backoff 500 ms
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TLS:Connect Failed -1
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TLS:Connecting ...
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect=0, errno=42
05-13-2018 13:09:45 Local0.Info 10.1.3.84 [0]SIP/TCP:Connecting...(11)
05-13-2018 13:09:45 Local0.Info 10.1.3.84 ### Get Sip Tcp Port = 5063

 

same config for both VOIP server for all phones ( TLS ONLY ) and as i said all phones works fine using firmware 7.6.2a   .

 

what do you think of these err messages ?

 

 

btw there is no FW between the VOIP and the phone and no VLANs


@inforoutedit wrote:
05-13-2018 13:09:48 Local0.Info 10.1.3.84 ### Get Sip Tcp Port = 5063

05-13-2018 13:09:48 Local0.Info 10.1.3.84 Getting a SIP TCP port for line 0
05-13-2018 13:09:46 Local0.Info 10.1.3.84 [0]SIP/TCP:Connect Failed; Backoff 2000 ms

 

what do you think of these err messages

They are clear - the TCP connect has failed. So now you need to debug the TCP connection setup. Catch the packets (full content of each packet). It will allow us to analyze why the TCP connection setup is not successful.

 

I suspect TLS parameters behind the issue, but it's just blind shot.

can you tell me how to enable debug TCP connection setup? 

I told it. Capture packets between phone and PBX. Full content of packets. Don't forget ICMP.

here is a complete Packets between the phone and the VOIP using the PC-SW port mirror and wireshark 

VOIP server IP is 10.1.3.202

SPA Phone ip is 10.1.3.84

 

 

My suspicion is confirmed.

The phone starts the TLS handshake by sending a Client Hello. It wishes to start a TLS 1.0 session using either the TLS_RSA_WITH_AES_256_CBC_SHA or the TLS_RSA_WITH_AES_128_CBC_SHA cipher. The server immediately refuses it, responding with "Handshake Failure". It means "unable to negotiate an acceptable set of security parameters given the options available".

So server limits are behind the issue. It seems that support for some protocols or cipher suites known to be insecure or broken has been removed from the phone firmware, but the server is too ancient to support more recent ciphers. E.g. the server supports no TLS 1.0 protocol while the phone's support for the insecure SSLv3 protocol has been dropped. Or the cipher lists on the phone and server side have an empty intersection.

 

All in all - unless the server is upgraded to something less ancient (or, maybe, just reconfigured to allow newer ciphers/protocols), you cannot use the newest phone firmware to speak with it.


You may consider removing the attachment from your previous comment. It contains packets unrelated to the issue and they may reveal information you do not wish to disclose. I will attach a filtered version of the capture, containing relevant packets only, here.


 

This post contains information related to another's site, thus it may contain information considered Sensitive or Confidential.
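The negotiation failure described in the answer above, as an added example that is not part of the original thread: a Python parser for the ClientHello fields the answer reads from the capture (offered version and cipher suites), plus a simplified model of the server's choice. The sample bytes and the server policies passed in are constructed, the function names are illustrative, and the model assumes the whole ClientHello sits in one record and that the server honours the client's suite order.

```python
import struct

# IANA code points for the two suites named in the post, plus version names.
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Constructed sample, not taken from the thread's capture: a TLS 1.0 ClientHello
# with zeroed random, empty session id, the two AES-CBC suites, null compression.
SAMPLE_HELLO = bytes.fromhex(
    "160301002f" "0100002b" "0301" + "00" * 32 + "00" "0004" "0035002f" "0100")


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite ids]) from one raw TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if rec_len != hs_len + 4 or len(hello) != hs_len or hs_len < 37:
        raise ValueError("truncated or fragmented ClientHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 34 + 1 + hello[34]           # version + random, then session_id vector
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]


def server_decision(record, server_versions, server_suites):
    """Model the server side: shared protocol version first, then a shared suite."""
    version, offered = parse_client_hello(record)
    usable = [v for v in server_versions if v <= version]
    if not usable:
        return ("alert", "no protocol version at or below client's "
                + VERSIONS.get(version, hex(version)))
    common = [s for s in offered if s in server_suites]
    if not common:
        return ("alert", "no cipher suite in common")
    chosen = max(usable)
    return ("server_hello", VERSIONS.get(chosen, hex(chosen)),
            SUITES.get(common[0], hex(common[0])))
```

Feeding it the first handshake record from a capture together with the server's enabled versions and suites shows which of the two causes named in the answer applies, before anyone changes the server configuration.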

 

 

Thanks for your great info and help , i will upgrade the TLS on the server