Factory reset and possible phone load upgrade blocked by VPN.

Unanswered Question
Apr 27th, 2010

Hi, my company recently deployed a new small office and, instead of using the global network, the network engineering team's policy mandates this site be on an internet VPN. This was supposed to be a non-filtering VPN, and the new site was to have similar connectivity for all kinds of traffic, like the other ones in the global network.

However, I had several problems, from getting the phones to register at my cluster (so I have to leave them temporarily registered at the local gateway) to audio blocking (RTP or UDP being filtered). Some of them have been fixed by the network team, who say there is no more blocking.

Current phones can boot, get a local IP address from the switch DHCP and register into CUCM. Tests with calls to and from the PSTN work fine. It's still undecided if we can allow on-net routes, since round-trip time is on the limit (the VPN concentrator is in NJ while both Call Manager and the remote site are in South America... I know it sounds bad compared with the regular national network or global MPLS we use, but costs and policies mandate VPN).

The issue I'm working on is that whenever we factory reset a phone, the process begins with the phone booting up and clearing the screen with a dégradé, but it cannot load any file, so it stalls for a while and reboots, beginning the process again.

The CUCM is 6.1.4-2000-2 and the particular phone is a 7942.

1) I'm gathering details on the phone load and all the ports/protocols used, but besides TFTP for configuration, which seems to be working fine since the phone registers fine before a factory reset, is there something else I can look for and ask the network team to check in the VPN and IPSes to make sure there is no blocking? Could the phone be registering fine by using the last known good config file? I have been preparing phones at my site and testing them for any problems/defects before sending them to the remote site. So if the phone remembers the last downloaded TFTP, it would explain why it initially registers into CUCM and later fails if we factory reset it.

2) I'd like to gather evidence that the network is blocking traffic if possible. Is this something I could see using VLT with SDI/SDL files?

Thanks a lot.

Aaron Harrison Tue, 04/27/2010 - 13:47


The most concrete way to prove what is happening with these scenarios is to perform a packet capture on both ends (i.e. the LAN side on the remote and HO sites) and compare them.

If traffic is being blocked you will see (for example) RTP sent from a phone to the WAN/VPN router, that doesn't emerge at the far end. You may see SCCP signalling packets that should have their embedded Layer 7 IP addresses translated that do not... trying to monitor these things from the CCM SDI/SDL logs is tricky, as you will only see what the phones are told to do - often not what they actually end up sending or receiving.
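
The two-ended comparison described in the reply above, as an added example that is not part of the original post: it counts packets per flow in a capture from each LAN and reports flows that left one side but never appeared on the other. It assumes each capture has been exported as one CSV row per packet (proto,src,dst,sport,dport), that there is no NAT between the capture points, and it uses constructed sample data with documentation-range addresses.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample exports, one row per packet: proto,src,dst,sport,dport.
# Addresses are documentation ranges; 2000 (SCCP) and 69 (TFTP) are the
# well-known ports, the RTP port numbers are made up for the example.
REMOTE_LAN = """\
tcp,192.0.2.10,198.51.100.5,50321,2000
tcp,198.51.100.5,192.0.2.10,2000,50321
udp,192.0.2.10,198.51.100.5,51000,69
udp,192.0.2.10,198.51.100.20,24580,18000
udp,192.0.2.10,198.51.100.20,24580,18000
udp,192.0.2.10,198.51.100.20,24580,18000
"""
HO_LAN = """\
tcp,192.0.2.10,198.51.100.5,50321,2000
tcp,198.51.100.5,192.0.2.10,2000,50321
udp,192.0.2.10,198.51.100.5,51000,69
udp,198.51.100.20,192.0.2.10,18000,24580
udp,198.51.100.20,192.0.2.10,18000,24580
"""

def load_flows(text):
    """Count packets per directional flow (proto, src, dst, sport, dport)."""
    flows = Counter()
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        proto, src, dst, sport, dport = (f.strip() for f in row)
        flows[(proto.lower(), src, dst, int(sport), int(dport))] += 1
    return flows

def lost_in_transit(sender_side, receiver_side, sender_prefix):
    """Compare what one LAN sent with what the other LAN received.

    Returns {flow: (sent, arrived)} for flows sourced from sender_prefix
    where fewer packets arrived than were sent. Assumes no NAT between the
    capture points, so the 5-tuple is identical on both sides of the VPN.
    """
    report = {}
    for flow, sent in sender_side.items():
        if not flow[1].startswith(sender_prefix):
            continue  # only judge traffic that originates on this side
        arrived = receiver_side.get(flow, 0)
        if arrived < sent:
            report[flow] = (sent, arrived)
    return report
```

Run it once per direction; in the sample data the SCCP and TFTP packets cross the VPN while the RTP stream is lost both ways.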



rodmont74 Wed, 04/28/2010 - 06:38

Thanks a lot! I was wondering if updates of phone load files are done over TCP/443 against the server or some other port combination (even UDP/69, used for TFTP config files). I should know this better by now, but I haven't been able to find a doc in the Cisco guides confirming the port used by a hardphone while updating its firmware. I need to install a PVDM2 at that site in a few days, and I'll try to save some traffic in my office beforehand to learn more and compare it to what is happening at this VPN site.


