Tunnel problem

[cjtrevor]

Hi

With v10 the tunnel was working fine, with using an android 3cx client and also with the 3cx sip proxy manager.

Since upgrading to v11 the tunnel doesn't connect.

Here is log output from the sip proxy manager-
.\Bridge.cpp(188) : {15:12:52.628}(Log2):Connecting tunnel 'TunnelClient'(123456) to xxx.xxx.xxx.163:5090
.\TCPSide.cpp(32) : {15:12:52.628}(Trace5):Connecting to xxx.xxx.xxx.163:5090
.\TCPSide.cpp(38) : {15:12:53.810}(Trace5):Attempt to connect to xxx.xxx.xxx.163:5090 has failed
.\Bridge.cpp(199) : {15:12:53.810}(Log2):Failed to connect Tunnel 'TunnelClient'(123456) to xxx.xxx.xxx.163:5090
.\Bridge.cpp(201) : {15:12:53.810}(Trace5):$ Next connection attempt in 5590 ms

One thing I am aware of - 3cx server is running on Windows XP SP3 - I am aware this is no longer officially supported.

Before looking at anything else, does anyone know if the tunnel is broken when using Win XP?

I've already checked under the extensions that "disallow use outside lan" and "block remote tunnel" are not ticked.

Thanks
Chris

 

[lneblett]

While I do not run XP, I do not think you can really run the 3CX System and the Sip proxy manager on the same system. I am on V11 running Win7 and I just tried my Android using the tunnel and was able to connect just fine. I am not running the SIP proxy. You might try killing the SIP proxy manager and try again after confirming your settings and making any changes needed to eliminate references to same.

 

[cjtrevor]

Hi

Sorry I probably wasn't clear enough. The sip proxy is running at a remote site, to allow a telephone extension from remote site to connect to the server via tunnel.

I can't connect via tunnel from outside the network on my android 3cx software either, whereas I could before the upgrade to v10.

 

[lneblett]

OK, got it.

Two questions -
1. Can you connect while internal?
2. Have you checked to see if 3CXtunnel.exe is running in task manager?

 

[leejor]

I assume that the Android is able to connect without the Tunnel (remotely)?

What does the 3CX (end) log show? Any sign of a tunnel connection attempt? A rejection message/reason? If not then you need to begin looking at your router and, perhaps, a port forwarding issue.

Is the remote attempt being made to a URL, or direct, to a static public IP?

 

[cjtrevor]

Hi,

lneblett -
1. Yes andriod 3cx connects internally, auto-provisioned, connects fine while connected via wi-fi on the same lan as the 3cx server. But doesn't connect anymore from my home w-fi, whereas it always has done prior to the v11 upgrade. (although also I note some updates to the 3cx andriod client have been released so can't rule out something there also).

2. Just checked, and yes 3cxtunnel.exe shows under processes in task manager

leejor -

Android 3cx can only connect while connected to the local lan. Can not connect while out of office connected to another wi-fi.

Nothing in the 3cx log - no log record re connection attempt or tunnel attempt etc.

3cx server is on a static public ip. This and the router settings have not been changed since it last worked. Have just double checked and port 5090 is still forwarded on router.

 

[leejor]

Android 3cx can only connect while connected to the local lan. Can not connect while out of office connected to another wi-fi.

Is this caused by an intentional firewall/port 5060 non-forward setting, or is it something that should work?

Nothing in the 3cx log - no log record re connection attempt or tunnel attempt etc.

Then I would say that it is a firewall (on server/PC?) /router issue, or the 3CX proxy/Android phone, are "pointing" at the wrong IP/URL.

3cx server is on a static public ip. This and the router settings have not been changed since it last worked. Have just double checked and port 5090 is still forwarded on router.

Do you normally access anything else on your network (VPN?) remotely?

 

[leejor]

Yes andriod 3cx connects internally, auto-provisioned, connects fine while connected via wi-fi on the same lan as the 3cx server. But doesn't connect anymore from my home w-fi, whereas it always has done prior to the v11 upgrade. (although also I note some updates to the 3cx andriod client have been released so can't rule out something there also).

The Android updates should not have affected this, it looks to be an access issue at the PBX end. I'm assuming that you do not run another remote extensions other than the ones using the 3Cx proxy server?

 

[cjtrevor]

Hi

All the ports are forwarded in accordance with http://www.3cx.com/blog/voip-howto/draytek-firewall-voip/
so 5060 and 5090...

So presumably the android 3cx should connect without the tunnel?

I have checked the windows xp firewall log on the machine hosting 3cx, nothing is logged that appears to relate to the attempt by the android 3cx to connect.

We do use remote services to the office and so the static ip address is definitely ok and double checked.

I'm somewhat baffled by this.... I will try to get a usb stick plugged into the router and see if I can turn on logging to see if there are any clues.

There isn't some master "disallow remote access" setting in 3cx that I'm somehow missing? I've checked several times but can't see anything!

 

[RobertKroll]

I am having the same exact problem...it is baffling AND inconvenient. To recap, I will explain what has happened in case anybody see's anything that will help solve this:

-Was running v.10 w/3 remote softphones (3cx)
-Tunnel was enabled and working perfectly
-Was using Abyss webserver
-System is HP Proliant DL380 / Server 2008 R2 / Domain

--------------------------------------------------------

-Upgraded to v.11
-Restored backup from v.10
-Abyss webserver
-Tunnel stopped working
-Remote sites can connect without the tunnel, but there is no audio

--------------------------------------------------------

-Downgraded back to v.10
-Tunnel is now NOT working with v.10
-Reinstalled with IIS, NO workie
-Removed v.10
-Reinstalled v.11 W IIS, No workie
-Removed v.11
-Reinstalled v.11 W Abyss, No workie

---------------------------------------------------------

Every other function seems to be working properly. I am NOT seeing ANY kind of connection attempt in the system logs WRT the Tunnel. All settings are the same as they were w/ v.10.

Please Help if you can
-BoB

 

[leejor]

There isn't some master "disallow remote access" setting in 3cx that I'm somehow missing? I've checked several times but can't see anything!

There is an option on a per extension basis (in each extension setting) but, a failed attempt (rejection because of that option) should show in the logs. Of course there are a number of options that can throw a monkey wrench into things, and we're assuming , perhaps incorrectly, that the backup from version 10 passed on all of the settings correctly.

But, before laying the blame on the upgrade....
You may have to resort to the use of Wireshark (connect using a hub, not a switch) between the PC and the router, to see if the registration attempt is getting that far. If you see it, then it points to a PC/3CX issue, if you don't see it, then the problem is in the direction of the router.

If you have a separate modem, then run Wireshark between the modem and router.

 

[cjtrevor]

Reassuring in a way that I'm not the only one with this problem!
And the fact you're using Server 2008 probably rules out my wondering whether XP was causing the issue.
I also upgraded from v10 (via the pre-release beta etc in the interim) and restored the settings.

 

[lneblett]

Well, the only thing I can even begin to think of is to once again check your Windows built-in firewall and ensure that the "3CX SIP/RTP Tunneling Proxy" is set to "enabled" for inbound rules and that you have the correct profile selected (you could set to "all" if any concerns.

I upgraded a couple of WIN 2008 Server systems as well as a WIN7 system to V11 (final release) this past week and have been lucky enough not to have run into any problems, althugh I will admit that very few use the tunnel. I will be at a couple of clients today and will try accessing my system and theirs thru the tunnel just to see if something should pop-up.

Chris, out of curiosity, have you tried using your Android with your cell carrier's signal (TDMA, GSM CDMA) and not wi-fi? I just tried it at the house using AT&T (GSM, Samsung Galaxy S 3G) and it worked fine. I am using the tunnel, NAT Helper is off and TCP Transport is on as is Enable 3G under the Integration settings. At the 3CX side, I am not running STUN as I have a fixed IP, but it is turned on within the phone......because I am too lazy to erase the already entered server.

Bob, do you have MyPhone loaded up at the remote locations and have you had any issues accessing same? I am just trying to see if there is any kind of connectivity whatsoever. The tunnel is its own service and should not have any bearing whether you run IIS or Abyss. From what I can see in services, there are also no dependencies upon which it relies. So, if all of the system services show to be up and running and there are no records of any registration attempts and all local devices function, I am inclined to think that somehow a firewall, be it at the router or the embedded Windows, is involved...be it an incorrect profile or port forwarding/denial.

My only other thought is to check and see if somehow 3CX has blacklisted the IP from which your efforts have originated. Otherwise, Leejor has my vote for the only real way to pin it down.

 

[RobertKroll]

Bob, do you have MyPhone loaded up at the remote locations and have you had any issues accessing same? I am just trying to see if there is any kind of connectivity whatsoever. The tunnel is its own service and should not have any bearing whether you run IIS or Abyss. From what I can see in services, there are also no dependencies upon which it relies. So, if all of the system services show to be up and running and there are no records of any registration attempts and all local devices function, I am inclined to think that somehow a firewall, be it at the router or the embedded Windows, is involved...be it an incorrect profile or port forwarding/denial.

I checked the firewall (Cisco SA-520W), and the ports are passing through properly to the server. The Myphone application was working perfectly previously from the remote location, as was the iPad tunnel proxy and iPad Myphone. I checked to see if there was a blacklisted IP, and found nothing. I am not running windows firewall on any of my machines currently. Looking at the services, everything appears to be running, and I did a manual restart (no luck) followed by a reboot (no luck).

It has to be something simple I am overlooking, thanks for the input though, a fresh opinion is always helpful in these situations. I am confident that we will solve this!

 

[lneblett]

Bob, so if things are passing thru the router and hitting the server, does not the log show anything? Is it set to verbose?

 

[RobertKroll]

Bob, so if things are passing thru the router and hitting the server, does not the log show anything? Is it set to verbose?

I have the log set to Verbose and I am not seeing anything. The really strange thing is that I ran Netstat -a -n -b and it doesn't appear that the computer is even listening on port 5090. Seems VERY strange. I am going to go out today and if I can get my hands on a new router, I am going to change it to eliminate the possibility from the failure chain.

 

[lneblett]

If a fixed ip, you might also simply uncheck use tunnel and see what happens.

 

[cjtrevor]

This is very strange, but the problem seems to have fixed itself.
No option has been changed in 3cx, although I have clicked through the settings screens many times looking for any setting that may affect it, so maybe that somehow fixed it.
Other than that, I rebooted the 3cx server, and the router. But I had also tried that before posting on this forum.
Somewhat a mystery as I can not pin down the solution on me actually doing anything, and frustrating as spent hours looking at this.
Thanks to everyone for comments and assistance and sorry I'm not able to provide any clue as to what solved this.

 

[RobertKroll]

I need the tunnel for security and portability.

This is definitely a 3cx issue. Every other application is working perfectly, the router is passing ports correctly to all other applications. Port 5060 and 9000-9049 are working fine because we use Broadcom as a provider and they work fine. The software SAYS that it is listening on the port but it isn't.

It all started when I backed up version 10 to install 11. I tried to revert to 10 and I had the same trouble. I don't know what is next!

Starting to get very depressed...

 

[lneblett]

Is port 5090 tcp & udp forwarded at the local end?