
Thread: internal phone (on vpn) keeps getting added to IP blocked List

  1. #1

    internal phone (on vpn) keeps getting added to IP blocked List

    I have several IPSec VPNs that are established between five sites via other routers.
    At my site I have a phone that is connected to four separate systems.
    Whilst the VPNs are stable (most of the time), my phone stays connected to three of the four.

    On the fourth site it will stay connected for a week, maybe two at times, and the phone account is very usable.
    But every so often that account will go offline and when I check the Epygi, the phone's IP address is in the Blocked List.
    The reason it shows is "Authorization failure. Date:23-Feb-2014 15:24:01".

    The problem is that the credentials were correct before and after that date and were not ever changed.
    All I do is simply "disable" the blocked rule and the phone re-connects within a few seconds.

    So:
    1. The credentials are correct as the phone will work for a week or so without issues.
    2. The credentials are correct as I never touch them - just disable the rule.
    3. I have added the remote VPN network into the allowed list.
    4. I have added the phone's specific IP into the allowed list.
    5. The reason is never updated. It simply re-enables the rule every so often.

    However : "If a host also appears in the Blocked IP List, the Blocked IP List has a higher priority, and the traffic will be blocked!"
    So...

    6. Adding the IP to the allowed list is pointless.
    7. The phone is a Yealink T38G (38.70.0.125)
    8. The PBX is an QuadroM8L (Boot loader: 5.2.22/Release) and (Firmware Version: 5.3.64/Release)

    But the same phone is also connected to:
    - A QuadroM12Li (Boot loader: 5.2.22/Release) and (Firmware Version: 5.3.2/Release)
    - Another QuadroM8L (Boot loader: 5.2.22/Release) and (Firmware Version: 5.3.61/Release)
    - And a Quadro4Li (Boot loader: 5.0.3/Release) and (Firmware Version: 5.2.25_SAM/Release)

    And none of these have an issue.

    Is it possible to have the "Allowed List" not be overridden by the "Blocked List"?
    I am struggling to see why this configuration would be needed.
    Usually an Allow List (or White List) is meant to permanently allow so that these types of errors could be avoided.
    I would certainly never want to specifically allow something that I would also want to have blocked.
    If that were the case, then I would simply leave it out of both lists and let it get added if it triggers on Auth failure etc.

    My Gut feeling is that there may be occasional packets that get jumbled up every so often by the IPSec VPN and the Epygi is seeing that and denying the connection.
    This could be almost impossible to detect.
    Almost every time it fails is when I am away from my desk.

    So I reckon the best approach is to whitelist it - but I need the whitelist to be a whitelist.

  2. #2


    Has anyone else experienced this?

    Is there any chance that this issue could be resolved?

    I need to be able to sell these systems with 3rd-party IPSec, and currently I can't.
    I have this issue happen every week on my phone, and it's only because I have full administrator access to all PABXs that I can resolve the issue.

    But for a normal user - this is not workable at all.
    There needs to be a whitelist that actually whitelists the IP, rather than a whitelist that is somehow subject to a blacklist that the PABX adds IPs to automatically.

  3. #3


    To start with - it is one VPN IPSec tunnel causing the problem. Do you think that it would be more pertinent to check and monitor that VPN for errors that are happening over the link than looking at the Epygi itself...

    Surely if it is happening every week, then you would be able to use a capture program to identify the errors being transmitted causing the authentication issue.

  4. #4


    It's not one VPN tunnel.
    I have phone A connecting via OpenVPN A to System A having this issue, as well as Phone B connecting via OpenVPN B to System B also having the same issue, as well as my phone connected to System A & B via IPSec VPN with the same issue.

    VPNs are inherently always going to suffer when the connections are torn down and reset for a whole host of reasons.
    It is unreasonable to expect that the vpn is going to be perfect all the time.

    It is however unreasonable to expect an IP that I placed in a whitelist to be automatically placed into an overriding blacklist (repeatedly) because the auto-blacklisting is contradicting my specific instruction to whitelist it.

    All I'm trying to do here is help make the product better by alerting people to the fact that there is a "Fault in the Logic" applied to the priority of the Whitelist & Blacklist.

  5. #5


    Does anyone else believe that it is not logical to have the blacklist override the whitelist?

  6. #6


    What if the whitelisted equipment was compromised ???? what then...???

    How would you recommend that this type of intrusion be accounted for?

  7. #7


    Dywilsonn

    There is a whitelist for SIP IDS, it is called "Exceptions". Please have a closer look at the SIP IDS configuration page.
    Add the remote VPN subnets there and the IPs will not be added into the blocked list.
    This is just to resolve your problem.

    To understand why IPs are being blocked you would want to follow KSComs' advice and capture the network to see why and when the phone is sending improper auth credentials. Quadro is not blocking an IP without having a valuable reason.

    Hope this helps.
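    As an added illustration (constructed model, not Epygi's code), the distinction made in the two posts above: the Blocked IP List is consulted before the Allowed IP List, so a host the SIP IDS has auto-blocked stays blocked even while it is allowed, whereas a host covered by the SIP IDS "Exceptions" is never added to the Blocked list at all. The failure threshold, subnets and list semantics are assumptions for the demo.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pbx:
    """Constructed model of the filter and IDS lists discussed in the thread."""
    allowed: list = field(default_factory=list)          # "Filtering Rules" > Allowed IP List
    blocked: dict = field(default_factory=dict)          # Blocked IP List: ip -> reason text
    ids_exceptions: list = field(default_factory=list)   # SIP IDS "Exceptions" (assumed semantics)
    auth_failures: dict = field(default_factory=dict)    # per-IP SIP auth failure counter
    threshold: int = 3                                   # assumed auto-block threshold

    def _in_any(self, ip, nets):
        addr = ip_address(ip)
        return any(addr in ip_network(n, strict=False) for n in nets)

    def sip_auth_failure(self, ip, when):
        """SIP IDS: count failures and auto-block, unless ip is an IDS exception."""
        if self._in_any(ip, self.ids_exceptions):
            return                                       # exceptions are never auto-blocked
        self.auth_failures[ip] = self.auth_failures.get(ip, 0) + 1
        if self.auth_failures[ip] >= self.threshold:
            self.blocked[ip] = f"Authorization failure. Date:{when}"

    def unblock(self, ip):
        """What the OP does by hand: disable the auto-added blocked rule."""
        self.blocked.pop(ip, None)
        self.auth_failures.pop(ip, None)

    def decide(self, ip):
        """Blocked list is checked first, so it overrides Allowed (the documented behaviour)."""
        if ip in self.blocked:
            return "blocked: " + self.blocked[ip]
        if self._in_any(ip, self.allowed):
            return "allowed"
        return "default"


def demo():
    # Both phones are in the Allowed list; only the 10.9.0.0/24 VPN subnet is an IDS exception.
    pbx = Pbx(allowed=["10.8.0.0/24", "10.9.0.0/24"], ids_exceptions=["10.9.0.0/24"])
    for _ in range(3):                                   # a burst of garbled/failed registrations
        pbx.sip_auth_failure("10.8.0.20", "23-Feb-2014 15:24:01")
        pbx.sip_auth_failure("10.9.0.20", "23-Feb-2014 15:24:01")
    return pbx.decide("10.8.0.20"), pbx.decide("10.9.0.20")
```

Only the phone whose subnet is in the IDS Exceptions survives the failure burst; the allowed-but-not-excepted one ends up in the Blocked list until someone disables the rule.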

  8. #8


    Quote Originally Posted by KSComs:
        What if the whitelisted equipment was compromised ???? what then...???

        How would you recommend that this type of intrusion be accounted for?

    Allow it - That is what a white list is. "By definition"
    You don't put things in a white list unless you know it is implicitly trusted.
    It is exactly the same circumstance as a normal sip phone on the local LAN.
    If you don't want to allow it then don't white-list it.

    In this case these devices are phones with vpn certs loaded into the firmware - If it is compromised I can invalidate the password, remove it from whitelist, add it to blacklist, lots of things, but right now what I can't do is have staff log a support call 5 mins before they need to make a phone call.

  9. #9


    Quote Originally Posted by Vahan:
        Dywilsonn

        There is a whitelist for SIP IDS, it is called "Exceptions". Please have a closer look at the SIP IDS configuration page.
        Add the remote VPN subnets there and the IPs will not be added into the blocked list.
        This is just to resolve your problem.

        Hope this helps.

    Can you tell me where to get to this page?
    Are you referring to "Filtering Rules" > "Allowed IP List"? If so, I mentioned in the original post that I have already done that.

    I could be wrong - but I think that page is only on the QX series.
    Last edited by dywilson; 06-21-2016 at 05:56 PM.
