SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Avaya IP Phone Behind SRX cannot connect to its Call Manager

    Posted 08-26-2016 08:02

    I have a pre-configured Avaya IP Phone behind my SRX650 which cannot connect out to its Call Manager on the internet using its VPN client. If I move it to a cable modem it connects fine.

     

    Looking to see what specifically on the SRX is causing this not to connect. I have already disabled some ALGs which makes no difference.

     

    Anyone with experience with this, or who may have seen this issue before?

     

    Thanks



  • 2.  RE: Avaya IP Phone Behind SRX cannot connect to its Call Manager

     
    Posted 08-26-2016 18:55

    Hello,

     

    Which Avaya Phone model & what Call Manager version are you using?

     

    Regards,

     

    Rushi



  • 3.  RE: Avaya IP Phone Behind SRX cannot connect to its Call Manager

     
    Posted 08-27-2016 02:18

    I have seen similar issues in the past and these may need detailed troubleshooting sessions. I would recommend opening a case with JTAC.



  • 4.  RE: Avaya IP Phone Behind SRX cannot connect to its Call Manager

    Posted 08-27-2016 02:24

    Hi,

     

    So essentially this would be a pass-through VPN for the SRX.

    Check whether the SRX security policies permit this, and is the SRX NATing this traffic?

    What ports and protocol is this traffic using?

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 5.  RE: Avaya IP Phone Behind SRX cannot connect to its Call Manager
    Best Answer

    Posted 08-27-2016 13:02

    Hi Sighclops,

     

    Basically you have to create a security policy that would allow both IKE traffic and ESP traffic to traverse the firewall (assuming the Avaya client uses IPSec VPN), and you have to enable NAT Traversal (NAT-T). You should check the Avaya documentation to see what type of VPN they are using in order to be able to permit it properly through the firewall.

     

    Here are some links on how to permit IPSec VPN traffic through a Juniper Firewall:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22178&smlogin=true&actp=search

     

    https://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/alg-security-ike-esp-configuring-cli.html

     



  • 6.  RE: Avaya IP Phone Behind SRX cannot connect to its Call Manager

    Posted 08-30-2016 07:39

    Thanks for this.... it helped me get to the right direction. First I had to enable the IKE-ESP ALG, but this alone did not get things working even though my policy was set to match any application. Next I had to create the custom applications and replace the any in my policy with these...

     

    set applications application custom-ike-alg application-protocol ike-esp-nat
    set applications application custom-ike-alg protocol udp
    set applications application custom-ike-alg source-port 500
    set applications application custom-ike-alg destination-port 500
    set applications application custom-ike-nat protocol udp
    set applications application custom-ike-nat source-port 4500
    set applications application custom-ike-nat destination-port 4500

     

    Phone is now connecting.

     

    Thanks!
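
The remaining steps described in posts 5 and 6 (enabling the IKE-ESP ALG and replacing `any` in the policy with the custom applications), shown as an added example that is not part of any poster's message or of Juniper's documentation. The zone names, policy name, address-book entry names and the two addresses are assumptions constructed for illustration; the policy is scoped to the phone and its VPN gateway rather than any/any.

```junos
# Added example. Assumes the custom-ike-alg and custom-ike-nat applications
# from post 6 are already defined, and that the phone sits in zone "trust"
# with the Call Manager reachable through zone "untrust" (assumed names).

# Enable the IKE-ESP ALG (disabled by default on SRX).
set security alg ike-esp-nat enable

# Constructed sample addresses (RFC 5737 documentation ranges): replace
# with the real phone address and the real Avaya VPN gateway address.
set security address-book global address avaya-phone 192.0.2.10/32
set security address-book global address avaya-vpn-gw 198.51.100.20/32

# Permit only the phone to only its gateway, and only for the two custom
# applications, instead of matching application "any".
set security policies from-zone trust to-zone untrust policy avaya-vpn-out match source-address avaya-phone
set security policies from-zone trust to-zone untrust policy avaya-vpn-out match destination-address avaya-vpn-gw
set security policies from-zone trust to-zone untrust policy avaya-vpn-out match application custom-ike-alg
set security policies from-zone trust to-zone untrust policy avaya-vpn-out match application custom-ike-nat
set security policies from-zone trust to-zone untrust policy avaya-vpn-out then permit

# Log session close so the VPN sessions show up in traffic logs.
set security policies from-zone trust to-zone untrust policy avaya-vpn-out then log session-close

commit

# After the commit, confirm the ALG is on and that the phone's sessions
# are being created on UDP 500 / 4500.
run show security alg status
run show security flow session destination-port 500
run show security flow session destination-port 4500
```

SRX policies are evaluated in order within a zone pair, so this policy has to sit above any broader policy that would otherwise match the phone's traffic first.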