Block remote tunnel on LAN?

Discussion in '3CX Phone System - General' started by ZacSC, Oct 16, 2017.

Thread Status:
Not open for further replies.
  1. ZacSC

    Hello,

    I am trying to diagnose an issue some clients are having, details below.

    - Users are using a variety of devices: laptops, iPhones, Android phones, etc.
    - Phone system is set up on our local LAN @ 172.16.1.35 but some users also use it externally.
    - Version 15.5.5
    - Firewall rules are all set up and work just fine.
    - For some reason, some users (usually mobile phones) are unable to connect to the phone system when they are connected to our local LAN (via Wi-Fi). If I open up the Disallow use of extension outside the LAN and Block Remote Tunnel Connections then it works, but when they are checked it does not. For example, in front of me I have an iPad, Android phone and laptop; both the laptop and iPad work great but the Android phone will only connect when I have those external options unchecked. Everything has a local IP on the same network but some clients will not connect. I noticed the same thing with a user's iPhone earlier today as well. Any ideas?

    Here is the error from my android phone.
    SIP Server/Call Manager ID: 12291
    SIP request (REGISTER) from 127.0.0.1 was rejected. Reason: Block remote tunnel is ON.
    Message:
    REGISTER sip:127.0.0.1:5060;transport=UDP SIP/2.0
    Via: SIP/2.0/UDP 127.0.0.1:5080;branch=z9hG4bK-524287-2---PjRRZd.BbC2kh9twzxYTlYkil2hnV96v6f;rport=5080
    Via: SIP/2.0/UDP 172.16.96.36:46132;branch=z9hG4bK-524287-1---tunneltid;rport;tnlid=clnt.1-gcjzw6oots.gk86z1ds0pg7btmx.-c68
    Via: SIP/2.0/TCP 172.16.96.36:50195;rport;branch=z9hG4bKPjRRZd.BbC2kh9twzxYTlYkil2hnV96v6f;alias
    Max-Forwards: 69
    Record-Route: <sip:3cxBridge@127.0.0.1:5080;user=proxy;uri=clnt.1-gcjzw6oots.gk86z1ds0pg7btmx.-c68>
    Path: <sip:3cxt@127.0.0.1:5080;ob>
    Contact: "Zac Applegate" <sip:4030@172.16.96.36:50195;transport=TCP;inst="4d623279";rinstance=1-gcjzw6oots.gk86z1ds0pg7btmx.-c68;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-0000e922f243>"
    To: "Zac Applegate" <sip:4030@3cx.sandalschurch.com>
    From: "Zac Applegate" <sip:4030@3cx.sandalschurch.com>;tag=svPllG56PG0dftkMISNfCchm7Q3-R0wX
    Call-ID: 91weUYkprIvDYUecK9axI9t1vRdMDjpJ
    CSeq: 37554 REGISTER
    Expires: 120
    Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
    Proxy-Authorization: Digest username="4030",realm="3CXPhoneSystem",nonce="414d535c0ff57f1728:ead1f7b68f6269ac20e1e28355277228",uri="sip:3cx.sandalschurch.com;transport=tcp",response="35bd8250e05b500de0cc51964e05871f",algorithm=MD5
    Supported: outbound, path
    User-Agent: 3CXPhone for Android 15.1.90
    X-Push: <https://android.googleapis.com>;regId="FCM#fpUuDB6YEEE:APA91bFLHqcYpy_x-PV6zjq65BUsFAN6YaryxPqtoC_BAEFs10qaTG5lycf4--ign3Z3QnC3jRhaF_7VFYHfuH9QwrYAOJnXZjXSi_ItoyQW6-xBpxy0zexBf5Uxffs7z2A9yHIRHpKg";inst="4d623279"
    X-MakeCall: call;answer;drop;activate;divert
    Content-Length: 0
     
  2. Saqqara

    Saqqara Well-Known Member

    Can the devices resolve 3cx.sandalschurch.co.uk on the internal network? If so, is it the local IP address of the server?

    Has the internal IP address been blacklisted?
     
  3. ZacSC

    Yes, I have local DNS servers and that domain, 3cx.sandalschurch.com, is set up to point to 172.16.1.35. I use 3cx.sandalschurch.com to manage the phone system locally.
     
  4. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    When devices are not connecting, have you checked if these devices can reach other network resources or the internet? Make sure 3G/4G is off when you test so you are sure devices are connecting through WiFi.
     
  5. ZacSC

    Ya, I did do that during my last testing.

    Am I wrong in assuming that the error I posted means that the phone system itself thinks the device is remote and is therefore denying it? Looking at that error, that's what I was thinking, and that it's not a network / router issue.
     
  6. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    When a client tries to connect to the server it will try using the local address first; if that fails or the attempt times out then it will try to connect from the public address. So I would think that either the client does not receive an answer and then tries to connect publicly, or, if you have split DNS configured (same local and public FQDN), the clients resolve the public IP and try to connect to that.
     
  7. ZacSC

    So here is another set of examples. The first is me getting denied, the second is turning back on the external settings and getting through.

    SIP Server/Call Manager ID: 12291
    SIP request (REGISTER) from 127.0.0.1 was rejected. Reason: Block remote tunnel is ON.
    Message:
    REGISTER sip:127.0.0.1:5060;transport=UDP SIP/2.0
    Via: SIP/2.0/UDP 127.0.0.1:5080;branch=z9hG4bK-524287-2---Pj.AOlogcoNY6PzTP--WefTMDCOXRgjX9M;rport=5080
    Via: SIP/2.0/UDP 172.16.96.36:38653;branch=z9hG4bK-524287-1---tunneltid;rport;tnlid=clnt.1-b9k8vwdbg9aabhesgdze6e01wt2rbqjy
    Via: SIP/2.0/TCP 172.16.96.36:50195;rport;branch=z9hG4bKPj.AOlogcoNY6PzTP--WefTMDCOXRgjX9M;alias
    Max-Forwards: 69
    Record-Route: <sip:3cxBridge@127.0.0.1:5080;user=proxy;uri=clnt.1-b9k8vwdbg9aabhesgdze6e01wt2rbqjy>
    Path: <sip:3cxt@127.0.0.1:5080;ob>
    Contact: "Zac Applegate" <sip:4030@172.16.96.36:50195;transport=TCP;inst="4d623279";rinstance=1-b9k8vwdbg9aabhesgdze6e01wt2rbqjy;ob>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-0000e922f243>"
    To: "Zac Applegate" <sip:4030@3cx.sandalschurch.com>
    From: "Zac Applegate" <sip:4030@3cx.sandalschurch.com>;tag=4NQd-oWxSypgmCGvDGwEBTUsR55QI7dK
    Call-ID: W0I.90lGaJkj1ZPeR5LqDXmLuoDjWSBW
    CSeq: 54952 REGISTER
    Expires: 120
    Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
    Proxy-Authorization: Digest username="4030",realm="3CXPhoneSystem",nonce="414d535c0ff9abf293:b63d9ddcdfc78af5a577bf4fcac346ca",uri="sip:3cx.sandalschurch.com;transport=tcp",response="c1c7ec09f924a29ac96e649cebc6ccf9",algorithm=MD5
    Supported: outbound, path
    User-Agent: 3CXPhone for Android 15.1.90
    X-MakeCall: call;answer;drop;activate;divert
    Content-Length: 0


    SIP Server/Call Manager ID: 4101
    Extension 4030 is unregistered, removed contact: sip:4030@172.16.96.36:50195;transport=TCP;rinstance=1-ptiulceoewkdhffcu5ivu5wsu3tlhlob;ob;inst="4d623279"
    10/19/2017 2:40:14 PM
    SIP Server/Call Manager ID: 4101
    Extension 4030 is unregistered, removed contact: sip:4030@127.0.0.1:5488;rinstance=af26382c0bbe8106
    10/19/2017 2:40:14 PM
    SIP Server/Call Manager ID: 4101
    Extension 4030 is registered, contact: sip:4030@127.0.0.1:5488;rinstance=f5c6aa3e8ac255c6
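
An added example, not part of the thread and not 3CX code: a small Python parser for the Via chain of a rejected REGISTER like the ones posted above, showing why the PBX logs the source as 127.0.0.1 while the device's own address sits at the bottom of the chain. Treating a Via that carries a `tnlid` parameter as the tunnel hop is an assumption drawn from the posted log, and the LAN prefix passed in is a placeholder for your own network.

```python
import ipaddress
import re

# Constructed sample, abridged from the rejected REGISTER posted in the thread
# (branch values and tunnel ids shortened to placeholders).
SAMPLE = """\
REGISTER sip:127.0.0.1:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5080;branch=z9hG4bK-2;rport=5080
Via: SIP/2.0/UDP 172.16.96.36:46132;branch=z9hG4bK-1---tunneltid;rport;tnlid=clnt.1-example
Via: SIP/2.0/TCP 172.16.96.36:50195;rport;branch=z9hG4bKexample;alias
Record-Route: <sip:3cxBridge@127.0.0.1:5080;user=proxy;uri=clnt.1-example>
"""

# One Via per line with an IPv4 or hostname sent-by, as in the posted log.
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?(.*)$", re.I)

def parse_vias(raw):
    """Return Via hops top to bottom as (transport, host, port, params)."""
    hops = []
    for line in raw.splitlines():
        m = VIA_RE.match(line.strip())
        if not m:
            continue
        params = {}
        for p in m.group(4).split(";"):
            if p:
                k, _, v = p.partition("=")
                params[k.strip().lower()] = v
        hops.append((m.group(1).upper(), m.group(2), int(m.group(3) or 5060), params))
    return hops

def analyze_register(raw, lan_cidr):
    """Summarise the path of a REGISTER; lan_cidr is the reader's own LAN prefix."""
    hops = parse_vias(raw)
    if not hops:
        raise ValueError("no Via headers found")
    origin_host = hops[-1][1]  # bottom Via is the originating client (RFC 3261)
    try:
        on_lan = ipaddress.ip_address(origin_host) in ipaddress.ip_network(lan_cidr)
    except ValueError:
        on_lan = None  # sent-by was a hostname, cannot compare
    return {
        "seen_by_pbx_from": hops[0][1],  # top Via: the last hop before the PBX
        "origin": origin_host,
        "tunneled": any("tnlid" in h[3] for h in hops),  # assumed tunnel marker
        "origin_on_lan": on_lan,
    }
```

Run against a full rejected message pasted from the activity log, `analyze_register(text, "<your LAN prefix>")` shows at a glance whether a device with a local address arrived through the tunnel instead of registering directly.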
     