Phone users over two network segments

Discussion in '3CX Phone System - General' started by boffin, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. boffin

    Joined:
    Jun 25, 2008
    Messages:
    24
    Likes Received:
    0
    I have a problem with VOIP phone users split over two network segments. I have installed 3CX server version 6.0.612, and previously tried with version 5.1 with the same results.

    Segment 1 which I will call the "protected" network also houses the 3CX server. This is a 192.168.38.x network with the 3CX server on 192.168.38.1. All voice users on this network have no problems with their voice calls.

    Segment 2, which I will call the "DMZ has more phone users. This is a 10.1.1.x network

    Between these two segments is a firewall, with an separate NIC interface on each of the segments. The firewall's two interfaces for the respective networks are 192.168.38.15 and 10.1.1.254

    There is no port restrictions going from the "protected" network to the "DMZ" network
    In my frustration to resolve the problem, I have now opened ports 500 through to 35000 for both TCP and UDP from the "DMZ" to the 3CX server on the "protected" network, with the intention of closing this down once the system worked.

    VOIP callers within the "protected" network can make calls to each other without problem
    VOIP callers on the "protected" network can call users on the "DMZ", the receiving rings, but with audio only in the outbound direction
    VOIP callers on the "DMZ" cannot call anyone, as the 3CX server terminates the calls immediately and creates the log errors which I have attached below

    I have tried using both the 3CX software client, and Linksys SPA942 phones - both respond the same way. It would be my hope to use SPA942's going forward rather than the software client. Note that both devices register without problem on the 3CX server from the DMZ

    I have configured both "DMZ" client devices with the SIP server being 10.1.1.254, which is the firewall NIC. This is forwarded to the 3CX server on the "protected" network. Note in the log below, EXT 10 is on 10.1.1.68 and 12 is on 192.168.38.88. I note that the logs don't show this correctly as they show EXT 12 being on the NIC of the firewall



    9:09:18.281 Call::Terminate [CM503008]: Call(6): Call is terminated

    19:09:18.281 CallCtrl::eek:nIncomingCall [CM502001]: Source info: From: 6; To: [sip:10@10.1.1.254];tag=1477d8e5422ef023o0"12"[sip:12@10.1.1.254]

    19:09:18.281 CallCtrl::eek:nIncomingCall [CM503013]: Call(6): Incoming call rejected, caller is unknown; msg=SipReq: INVITE 12@10.1.1.254 tid=-cca4e797 cseq=INVITE contact=10@10.1.1.68:5060 / 102 from(wire)

    19:09:17.625 evt::CheckIfAuthIsRequired::not_handled [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    INVITE sip:12@10.1.1.254 SIP/2.0
    Via: SIP/2.0/UDP 10.1.1.68:5060;branch=z9hG4bK-6ad60ef3
    Max-Forwards: 70
    Contact: [sip:10@10.1.1.68:5060]
    To: "12"[sip:12@10.1.1.254]
    From: [sip:10@10.1.1.254];tag=1477d8e5422ef023o0
    Call-ID: 304b718d-6b4bef9b@10.1.1.68
    CSeq: 101 INVITE
    Expires: 240
    Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
    Supported: replaces
    User-Agent: Linksys/SPA942-5.2.8
    Content-Length: 0

    19:09:17.625 evt::CheckIfAuthIsRequired::not_handled [CM302001]: Authorization system can not identify source of: SipReq: INVITE 12@10.1.1.254 tid=-6ad60ef3 cseq=INVITE contact=10@10.1.1.68:5060 / 101 from(wire)



    Help would be much appreciated, as I have "spent hours going around in circles"
     
  2. archie

    archie Well-Known Member
    3CX Support

    Joined:
    Aug 18, 2006
    Messages:
    1,299
    Likes Received:
    0
    You see, this INVITE is not addressed to your PBX (which has addres 192.168.38.1), but to some entity (10.1.1.254) which is not known to PBX.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. boffin

    Joined:
    Jun 25, 2008
    Messages:
    24
    Likes Received:
    0
    Thanks Archie

    The firewall sorts out the path the 3CX server, by virtue of its inbound tunnels. - hence why we have set the SIP proxy on the external phones to the firewall's external interface IP, rather than the 3CX server IP.

    Do you know if there is someway of configuring the SPA942 and/or the 3CX software client make the INVITE appear correct?
     
  4. archie

    archie Well-Known Member
    3CX Support

    Joined:
    Aug 18, 2006
    Messages:
    1,299
    Likes Received:
    0
    You can try. I don't have SPA942 at the moment, but I'm looking at SPA962 configuration at the moment.
    If you log in as administrator, switch to advanced mode and open settings of Ext 1 (for example), you will find section "Proxy and Registration".
    Set "Proxy" to be your PBX address: 192.168.38.1, and "Outbound proxy" to be address of your gateway (10.1.1.25), and "Use Outbound Proxy" to "yes"
    Now you should have normal SIP signalling at least. If SPA is clever enough you will also have audio OK. If not - you should look at RTP settings of SPA also. I didn't find any settings for it though.
    If it doesn't help - you can use 3CX Tunnel between networks. It is what tunnels has been designed for.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Thread Status:
Not open for further replies.