VoIP and SIP Module - Phones not registering

Ok. So I have a unique situation. We have implemented VoIP in our network and I have everything up and running and working great. Our XG currently has the SIP Module enabled and we are working. We have another company working within our network that has their own VoIP provider and their phones will not provision. They are standard Yealink T42S devices and they use ATT with ringcentral. I am trying to look at the logs, but from what I've read with the SIP Module enabled, I cannot see log information for that traffic specifically port 5060. I can see the device request time on port 123, and the time sets, but when it tries the request for registration, it never get a response. I have created and exception for ringcentral to bypass https checks and policy checks. Are there any logs that can be viewed via GUI or Device Console to see the SIP information? Any guidance or assistance is appreciated.



Added TAGs
[edited by: emmosophos at 10:29 PM (GMT -8) on 26 Feb 2021]
Parents
  • Hi,

    try creating a clientless group for those phones and then create a specific firewall rule. You should be able to see the initial connection in the logviewer files. Almostsonds like the SIP traffic is getting lost in your network?

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
Reply
  • Hi,

    try creating a clientless group for those phones and then create a specific firewall rule. You should be able to see the initial connection in the logviewer files. Almostsonds like the SIP traffic is getting lost in your network?

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
Children
  • Thanks for the suggestion. I never really paid any attention to clientless as we always authenticated. I would just build create DHCP reservations for devices and then firewall rules to allow the need traffic for specified traffic. i will let you know if this helps. Thanks again.

  • This did not help. I created the clientless user and added to the clientless group. I created a firewall rule to allow all traffic to WAN, but it still does not register. I see port 123 (Time) go out and the phone updates the time, so I don't think it is a routing issue.

  • Hi,

    please post a copy of your firewall rule and logviewer traffic associated with the rule.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Request to also take a packet capture on XG when VoIP phone tries to register itself on RingCentral server.

    =============================================

    ==> Login to SSH > 4. Device Console

    console> tcpdump 'host <ringcentral server domain/IP address>

    eg.: console> tcpdump 'host 11.11.11.11

    ==> In another SSH session run the below command.

    console> drop-packet-capture 'host <ringcentral server domain/IP address>

    eg.: console> drop-packet-capture 'host 11.11.11.11

    =============================================

    After executing above commands try to register VoIP phone and share SSH output here or in PM.

    Thanks,
    Yash Kothari
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • This is what I shows. I picked one of the IPs from their list that I see show up in the logs. Since they have multiple, I assumed this one would be best for the packet capture.

  • In tcpdumps I can see the source port remains same when the request gets sent OUT through PortD2.

    Suspecting the packets going out to 199.255.120.167 IP for SIP(5060) aren’t getting translated with the WAN IP(PortD2 IP).

    If there’s a firewall rule configured with 199.255.120.167 destination then add a lined NAT rule with SNAT as MASQ.

    If there any specific NAT policy configured for 199.255.120.167 destination, then apply SNAT as MASQ on it.

    Attaching a snapshot for reference.

    Thanks,
    Yash Kothari
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Ok. I figured it out. The phone was trying to register via port 5090 which is not listed on any of the DNAT rules. I added the port to our default dnat rule and the phone registered. Your tip about the dnat is what made me check those rules. Normally I do not have to modify those as 5090 is not a typical SIP port, but it now works. Thanks again.