Remote Extension Provisioning

Discussion in '3CX Phone System - General' started by greg@summitrad, Jul 6, 2017.

Thread Status:
Not open for further replies.
  1. greg@summitrad

    We have all T46G Phones, with a few T46S phones recently added. I am in the process of reprovisioning all of our phones. None of the phones on remote subnets (Connected over VPN - not via a Tunnel or SBC.) Previous versions have not had this problem. We are running V15.0 with the latest updates for V15.0.

    I have logging turned ALL the way up. In the past (Prior to V15), I could look at the 3CXManagementConsole.log and it would show me any errors incurred by a phone attempting to register. In V15, all of that is GONE. There is no longer any good information.

    If I bring the phone into this building and provision it on one of our subnets here (we have several) it works. If I attempt to provision across the VPN it fails. Even if I manually put in the account and provisioning link, it still fails. I can manually go to the provisioning link in a web browser and add the mac address (followed by .cfg) so it looks like a filename. A config file downloads fine. In fact, if I manually import that config file into the Yealink phone - it works. It's only the provisioning with 3CX that fails.

    To make matters worse, the default config file for NGINX (why they would go to this on Windows is beyond me, as it's nowhere near as stable as IIS was for us) ALL of the access and error logging is DISABLED by default on NGINX config files for 3CX. So we can't see anything there.

    If I turn on the syslog on the phones, I see the phones (remote phones) attempting to access <mac address>.boot files and y000000028.boot files instead of the actual config file. It's just an absolute crap show that this now fails on V15.

    We're on the correct firmware. We've even been trying to use the base stock T4X provisioning file included with 3CX and get the same results. (We do have two custom templates that we know work.. One that sets the vlan for this building, and one without a vlan for home users.) We have made sure that there is no firewalling taking place on either side of the tunnel (Again, it all worked before we went to V15 several months ago). I have no idea how to see the 3CX logging that I used to be able to see showing me the provisioning attempts. I have no idea how to see NGINX access and error logs (so I could see the IP and if it was getting errors from the server). (we've tried older firmware, newer firmware, resetting the phones to factory, reprovisioning from the interface, reprovisioning from the phone's management web page, new phones, existing phones (Same result on T46G and T46S). I've disabled the DHCP and PNP options in the phone interface to rule that out as well.

    On every single remote phone - when I manually add the account, the phone registers and is useable. (Just none of the BLF or fields from the Web Interface show up since it won't provision). Unless we bring them into this building, or, unless I manually download the cfg file and import it into the phone directly. (As I said, this tells me the file and setup is good. - and it tells me my BLF fields and such are good since they are included in the cfg file that downloads.). I'm not a fan of installing Wireshark on the server, but that's up next. Just so I can see what is going back and forth between the endpoint and the server (since 3CX seems to have removed all of the available troubleshooting logs we once had..... and the stand alone log viewer just keeps crashing over and over).

    Anyone else have any ideas? Am I missing something that I should be able to see all of this old info in the logs?

    Greg
     
  2. greg@summitrad

    I have taken Wireshark captures of GOOD provisioning and BAD provisioning. All subnets in our HQ building and one of our Remote subnets inside another building work fine. All the rest are victims of the server resetting the connection when the phone sends the provision request. It is 100% consistent 100% of the time.

    If I do it from the working subnets, they provision fine. The server does not issue a reset. I can see the phone contact the provisioning server via the URL and the server responds. But the rest of the remote subnets (Spread all over the world) get a reset from the server.

    I installed an entirely new copy of 3CX on different hardware (Our Production is a virtual on Dell PowerEdge, so I did this one as a Physical on an HP Server (15.5) and as a VM on an HP Server (15.0))... and I get the exact same results. One was on our main HQ subnet, and the other was down in our main Datacenter. The Wireshark captures show the server throwing a reset whenever the remote phones attempt to provision themselves. (They are all in the 172.18.99.0 - 172.18.102.254 range ... subnetted of course). No firewall, no access lists, nothing molesting the traffic. The sequence numbers are in order, so there's no network wonkiness.

    My guess is something with NGINX resetting the connection. When I throw syslogs from my phones to a server, I see 500 errors being reported on the remote subnets. That same phone on an HQ subnet works perfectly. (This only became a problem with V15+). We've had 3CX for 3 years now.

    Even though I can find ZERO documentation on this horrendous web server (NGINX) from 3CX I found it on their site on how to enable error and access logs. I just cannot believe it's not enabled at all by default. This is 100% a stock install of 15 and all error and access logging is disabled. I'm hoping it works, but you have to restart services to make it take the change. (Not easy on a 24 x 7 x 365 operation.).

    Anyone have any clue why the server is issuing resets? I've verified the Private Subnets are all listed in the config for NGINX to be allowed and allowed in 3CX as well. (Of course none of the NGINX stuff is documented anywhere.). (Not to mention I want to change the certificate.. good luck finding that documentation). None of the recent changes over the past two years or so have been of any real benefit to us, and have only made this product worse to use, operate, and troubleshoot.

    Greg Michael - Rapidly becoming an underwhelmed 3CX user.
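
Added example, not part of the original posts and not 3CX's own tooling: once nginx access logging is enabled as the post above describes, this Python script tallies provisioning-file requests by source range, so the 500s from 172.18.99.0 - 172.18.102.254 can be compared against the working subnets. It assumes nginx's "combined" log format; the sample lines, the /provisioning/PLACEHOLDER/ path and the MAC-style file names are constructed (y000000028.boot is the name quoted in the thread).

```python
import ipaddress
import re
from collections import Counter

# Range of the failing remote phones, as stated in the post.
REMOTE_LO = ipaddress.ip_address("172.18.99.0")
REMOTE_HI = ipaddress.ip_address("172.18.102.254")
# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# Provisioning fetches seen in the thread end in .boot or .cfg.
PROV_RE = re.compile(r"/([^/?]+\.(?:boot|cfg))(?:\?.*)?$", re.IGNORECASE)

# Constructed sample lines; the URL path and MAC-style names are placeholders.
SAMPLE_LOG = """\
10.1.20.31 - - [06/Jul/2017:09:14:02 +0000] "GET /provisioning/PLACEHOLDER/y000000028.boot HTTP/1.1" 404 162 "-" "constructed-UA"
10.1.20.31 - - [06/Jul/2017:09:14:03 +0000] "GET /provisioning/PLACEHOLDER/0015650000a1.cfg HTTP/1.1" 200 18432 "-" "constructed-UA"
172.18.100.17 - - [06/Jul/2017:09:20:11 +0000] "GET /provisioning/PLACEHOLDER/0015650000b2.boot HTTP/1.1" 500 0 "-" "constructed-UA"
172.18.102.200 - - [06/Jul/2017:09:21:40 +0000] "GET /provisioning/PLACEHOLDER/y000000028.boot HTTP/1.1" 500 0 "-" "constructed-UA"
10.1.20.31 - - [06/Jul/2017:09:22:00 +0000] "GET /webclient/ HTTP/1.1" 200 5120 "-" "constructed-UA"
this line is truncated and will not parse
"""

def site_of(ip_text):
    """Label a client 'remote' (inside the failing range) or 'other'."""
    ip = ipaddress.ip_address(ip_text)
    return "remote" if ip.version == 4 and REMOTE_LO <= ip <= REMOTE_HI else "other"

def summarize(log_text):
    """Count provisioning-request statuses per site and list 5xx failures."""
    statuses = {"remote": Counter(), "other": Counter()}
    failures, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed or truncated line
            continue
        ip_text, path, status = m.group(1), m.group(2), int(m.group(3))
        prov = PROV_RE.search(path)
        if not prov:
            continue  # not a provisioning fetch
        try:
            site = site_of(ip_text)
        except ValueError:  # client field is a hostname, not an address
            skipped += 1
            continue
        statuses[site][status] += 1
        if status >= 500:
            failures.append((ip_text, prov.group(1), status))
    return {"statuses": statuses, "failures": failures, "skipped": skipped}
```

If the remote range shows no entries at all while Wireshark still shows resets, the requests are not reaching nginx's request handling (or logging is still off), which narrows the search to the layers below it.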
     
  3. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Hello Greg Michael,

    Please find the guide on how to change your certificates if you are using your own FQDN at the link below
    https://www.3cx.com/docs/renewing-ssl-certificate/

    Can you please PM me and send me these Wireshark captures as well as the support files of the PBX so we can take a look and assist finding the cause of the issue? Or if you are able to log a support ticket on this issue, please do so.
     