
Why are my phones being blacklisted?

Status
Not open for further replies.

engin411

I am finding that my two Yealink T46G phones are constantly being blacklisted by the PBX. Log:
02-Jul-2013 15:28:44.526 [IPBL] Packet from banned IP/range: ip = 192.168.3.162; Comment: PBX: blocked for too many failed authentications
02-Jul-2013 15:28:44.490 Blacklisted (Too many failed auth)
IP = 192.168.3.162; Failed auth: 0; unauth: 0; auth: 0; 407: 3

This happened just now, and I wasn't even using the phones! They haven't been power cycled since yesterday when I did some provisioning.

Any ideas on why this is happening?
Also, I did put an entry in the blacklist to ACCEPT the IP range that my network is on. That worked fine to keep the phones registered, but it screwed up access to the web GUI. I couldn't access the web GUI until I removed this entry in the blacklist. Now my phones are being blacklisted again!
 
The T46, like many phones, offers multiple accounts. Go through each account and ensure that only the one (or those) that you want to be connected to the system have their respective accounts "enabled" and all others "disabled" or "inactive".

It matters not whether you are using the phone. The phone will periodically contact the system to "register" so as to let the system know that the phone is still connected and able to take/make calls. The time period between registration periods is programmable. In some cases, like a really stable, unburdened network, you may be able to set the registration period to be rather large with no issue. Sometimes however, there are cases where a registration may be missed and the phone should try and re-register within a very short time of the miss so as to get back on-line quickly.

The log is indicating that the system is getting an incorrect authentication. When this happens, the phone will try again quickly and the blacklist count will mount until such time as the issue is corrected and the phone registers correctly, or the count is exceeded and the phone IP is blacklisted.

You should still be able to use a browser outside of 3CX to get to the WebGUI on the phone. You may also want to do a factory reset and then simply re-program the account if nothing else shows up. Of course, remove the IP from the blacklist.
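
An added example, not part of the original thread and not 3CX tooling: a small Python parser for blacklist log lines in the format quoted in the first post. It reports each banned address, whether it is an RFC 1918 (internal) address, and whether any Allow rule (network plus mask, as entered in the thread) covers it. The sample log, the 203.0.113.50 entry and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the log lines quoted in this thread.
SAMPLE_LOG = """\
02-Jul-2013 15:28:44.490 Blacklisted (Too many failed auth)
IP = 192.168.3.162; Failed auth: 0; unauth: 0; auth: 0; 407: 3
02-Jul-2013 15:28:44.526 [IPBL] Packet from banned IP/range: ip = 192.168.3.162; Comment: PBX: blocked for too many failed authentications
02-Jul-2013 16:02:10.101 Blacklisted (Too many failed auth)
IP = 203.0.113.50; Failed auth: 4; unauth: 0; auth: 0; 407: 9
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EVENT = re.compile(r"^(?P<ts>\S+ \S+) Blacklisted \((?P<reason>[^)]*)\)\s*$")
COUNTERS = re.compile(r"^IP = (?P<ip>[0-9.]+); (?P<rest>.+)$")

def parse_blacklist_events(text):
    """Pair each 'Blacklisted (...)' line with the counter line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            pending = {"time": m["ts"], "reason": m["reason"]}
            continue
        c = COUNTERS.match(line.strip())
        if pending and c:
            counters = {}
            for field in c["rest"].split(";"):
                name, _, value = field.partition(":")
                counters[name.strip()] = int(value)
            events.append({**pending, "ip": ipaddress.ip_address(c["ip"]), "counters": counters})
        pending = None  # anything else ends the two-line record
    return events

def triage(events, allow_rules):
    """allow_rules: (network, mask) pairs as typed into the blacklist Allow entries."""
    nets = [ipaddress.ip_network(f"{net}/{mask}") for net, mask in allow_rules]
    return [{
        "ip": str(e["ip"]),
        "time": e["time"],
        "internal": any(e["ip"] in n for n in RFC1918),
        "covered_by_allow": any(e["ip"] in n for n in nets),
        "counters": e["counters"],
    } for e in events]

if __name__ == "__main__":
    for row in triage(parse_blacklist_events(SAMPLE_LOG), [("192.168.3.122", "255.255.255.255")]):
        print(row)
```

An internal address that is blacklisted and not covered by any Allow rule points at a misconfigured or re-addressed device rather than an outside attacker, which is the case described in this thread.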
 
I did a factory reset and then reprogrammed the phone. I have an allow rule for my network segment in the blacklist, and I can get the web GUI, so I guess the reset did it.
Thanks.
 
This continues to be a problem. I can whitelist each phone, but if its IP changes, then it's blacklisted again.

When I enter the network segment as an Allow rule, then Firefox cannot access the web GUI. Chrome can, however.

But my bigger concern is why the phones are not able to authenticate. The system is live, so obviously the phones are registered. If the phone is registered, why is the password wrong? I set the password only in the extension setup in 3CX. Accounts 2-6 on the phone are disabled.
 
I have also seen this blacklisting on some ATAs locally (and on occasion, a remote extension). It seems to happen for no rhyme nor reason. I also created a whitelist rule to get around this locally. Haven't had any problems using Firefox when accessing the GUI (usually only use that remotely).

Did you put it in as, for example, 192.168.0.0 with a subnet of 255.255.0.0,
or 192.168.123.0, subnet 255.255.255.0?
 
The blacklist rule shows as 192.168.3.122 and subnet 255.255.255.255, IP range of 192.168.3.122. I just change each rule to Allow instead of Deny. I have a whole list of these rules, one per phone, and I need to double-check periodically to make sure any phone that changed IP is not blacklisted.

When I make a rule for Allow using 192.168.3.0 and subnet 255.255.255.0, all phones are allowed and register fine, but I can't get the web GUI in Firefox.
 
Have you tried using the first example I gave? That is the one I use. I don't make a habit of using Firefox to get into 3CX locally, as you are restricted for some operations, but will test that tonight.

What do you get when you attempt to use Firefox? It may be a setting that requires "adjustment". I assume you are running the latest version.
 
Yes, I've tried that IP range and subnet. There is no difference. On the Firefox question, the browser says connecting and loading, but it never finished loading the page. There is a circular 3CX icon that spins in the center of the browser, but it just sits there and spins, never loading the login page.
 
leejor said:
I don't make a habit of using Firefox to get into 3CX locally

Are you saying that you usually RDP to the Windows server and use the Windows client GUI?
 
I use the 3CX Management Console Icon. It's in the 3CX menu from Start and can be dragged to the desktop.

Using a browser on the same machine that is running 3CX limits some of the changes you can make in the PBX. I only use Firefox remotely, over a VPN connection.
 
I noticed the limitations as well. I am on the same subnet as our server room, so using a browser to manage devices is a daily procedure, including for 3CX... just open a new tab. Much faster than RDP to the server. I don't mind the limitations for daily administration. But I do understand that using RDP would resolve my issue, although it wouldn't fix whatever the underlying problem is between 3CX and Firefox.
 
Is the issue with one computer, or have you attempted access from other PC's running Firefox?
 
leejor said:
Is the issue with one computer, or have you attempted access from other PC's running Firefox?

Firefox on two workstations on Win7 and one server on Server 2008 R2 gives the same result.
 
I just downloaded and installed FF and have no issues getting the web console up and running. I also use Chrome and IE, but find that IE10 required compatibility mode.

In any event and with regard to the T46 issue:
1. Do you have other makes and/or models and do these exhibit similar traits?
2. Can you do an IP scan and pick a couple of IPs that you know to be clean and then set the phones' IPs to be static to the same?
3. Delete all the rules you have about white/black listing such that it looks like a virgin install.
4. Let's see if the phones blacklist again.
5. If so, then do a factory reset and then use the Yealink T38 template and provision the phones as such. While not a perfect fit they will use it and this will then give some assurance that the parameters associated to the registration process are relatively compatible. Reinstall the fixed IP to each.
6. Clean the black list again and see what happens.

I have had a 46 registered for several weeks with no issue, so I see no reason why yours should not do the same. If it all still breaks down, then at least by having fixed IPs you can whitelist and not have to worry about constant changes. I would still hope that we can find a root cause however, but this is a start.
 
Thanks for your suggestions.

I did 1-4 in your list, and the problem remained. I do not have spare phones at this point to play with this some more, so maybe I will just hobble along until I get a spare phone and/or 3CX supports the T46G with a template.
Thanks.
 
T46 Template will be out on V12 general release
 