I am experiencing issues registering my IP phones with CUCM 9.1 since the introduction of a FW. If you see the attached diagram we have added a firewall put the DHCP server on an interface in a seperate zone with option 150 an since doing this the phones will not register. The phones have recieved a DHCP IP address which is reachable from the CUCM server, and is viewable on the CUCM phones configuration interface and is displaying as not registered?
Before we had everything hooked up to a switch with the no switchport seperating the ip subnet which are present with the addidion of the FW, and this worked, the FW has it rules currently set to any any so shouldn't be blocking any traffic. Is this a problem perhaps caused by the IP helpers on the FW?
On the phones it is dispaying phone not registered, problem with VPN? The phones haven't had any prior configuration, we have deleted them from CUCM and tried re-adding them since adding the FW.
You have said that the phones have received an IP address. The next thing that the phones will try to reach is the tftp server. Do you see them downloading the firmware files from the tftp server?
What do you see on the status messages of the phone when you navigate to Settings -> Status -> Status messages, apart from the vpn error?
Cool. So the phone is reaching the tftp server and getting the firmware files. It should then also have pulled the configuration file that was created for it and configure itself based on those settings, and reach out to the CUCM servers configured on that file.
Also, can you check if port 2000 has been enabled on the firewall? Maybe when the phone is trying to register to CUCM the packets with dest port 2000 are getting dropped.
Is this a Juniper firewall? There have been issues where Juniper firewalls are unable to understand SCCP ver 17 and above and so they drop the packets.
Can you pull the configuration file for the phone from the CUCM and attach it here?
You can pull it from command prompt on the PC using:
tftp -i <ip address of tftp server> get SEP<mac address>.cnf.xml
If tftp is not enabled in your PC, you can enable it using Control Panel ->Programs and Features -> Turn Windows Feature on or off -> tftp client. This is for Windows 7.
Thanks again for the reply so just to go through your questions-
There is no of any ports lock down on the FW all rules are set to any any.
The FW is a Juniper SRX, however we're using SIP not SCCP.
I will try to pull the config down tomorrow when I get back in the lab.
Again many thanks for your help.
In photo1, the phone is getting the config file correctly and updates trust list after this. Post this, it is not registering to the call agent.
In photo2, the phone is not getting the config file at all. it's unable to find this.
i think packet captures from the phone should give us the answer.
Many thanks for all you help, I have finally got to the bottom of this issue!
The application layer gateway will not let the phones register, I don't know why this is however when I turn it off the phones register.
I will raise a case with Juniper TAC to seek advise.
Thanks again for all your help.