Remote 69XX IP Phone

[Travis]

Hey Guys,

Has anyone been able to get a 69XX series phone to work remotely on the MiVoice Office 250 Without a MBG? I have a few customers who want remote phones but do not want to have to purchase a VPN or MBG for it to work. I have tried a few times but can never get the phone to register when remote. I reached out to Xarios but that was no help because Mitel is making the MBG a requirement. They even denied my feature request.

Here is a offsite register vs a onsite. Appears to not want to send the authentication line. I have set the SIP Phone Group to NAT and also put the NAT address in the NAT field on the phone itself.

Code: [Select]

FAILED REGISTER OFFSITE

xxx - extension IP

YYY - PBX IP

-01:095- 16:30 06-25 *** SIP RX [''-'P9255']: REGISTER sip:xxx.xxx.xxx.xxx:5060 SIP/2.0
Via: SIP/2.0/UDP xxx.xxx.xxx.xxx:5060;branch=z9hG4bK200077de330974e3a
Max-Forwards: 70
From: "155" <sip:155@YYY.YYY.YYY.YYY:5060>;tag=72909e10bc
To: "155" <sip:155@YYY.YYY.YYY.YYY:5060>
Call-ID: 3391135aa03e47f0
CSeq: 1449016806 REGISTER
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO, PUBLISH
Allow-Events: aastra-xml, vdp-session, talk, hold, conference, LocalModeStatus
Contact: "155" <sip:155@YYY.YYY.YYY.YYY:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-08000FDFFFFF>";expires=1200
Supported: path, gruu
User-Agent: Mitel 6940/5.1.0.2040
Content-Length: 0


-01:096- 16:30 06-25 *** SIP TX [''-'']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.xxx:5060;branch=z9hG4bK200077de330974e3a
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="a1008409be051574bda143e78e5f1f0d",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@YYY.YYY.YYY.YYY:5060>;tag=72909e10bc
To: "155" <sip:155@YYY.YYY.YYY.YYY:5060>;tag=Mitel-5000_3456208139-16686
Call-ID: 3391135aa03e47f0
CSeq: 1449016806 REGISTER
Contact: <sip:YYY.YYY.YYY.YYY:5060>
Content-Length: 0




SUCCESS REGISTER ONSITE



-01:097- 16:30 06-25 *** SIP RX [''-'P9255']: REGISTER sip:192.168.YYY.YYY:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.xxx.xxx:5060;branch=z9hG4bKffe633e394fbee69e
Max-Forwards: 70
From: "155" <sip:155@192.168.YYY.YYY:5060>;tag=72909e10bc
To: "155" <sip:155@192.168.YYY.YYY:5060>
Call-ID: 3391135aa03e47f0
CSeq: 1449016807 REGISTER
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO, PUBLISH
Allow-Events: aastra-xml, vdp-session, talk, hold, conference, LocalModeStatus
Authorization: Digest username="155",realm="Mitel-5000-ICP",nonce="a1008409be051574bda143e78e5f1f0d",uri="sip:192.168.YYY.YYY:5060",response="eb20c51cc7b550ddaedb5e2087c5785c",algorithm=md5,opaque="Mitel-5000-ICP",qop=auth,cnonce="59aba74c",nc=00000001
Contact: "155" <sip:155@192.168.xxx.xxx:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-08000FDFFFFF>";expires=1200
Supported: path, gruu
User-Agent: Mitel 6940/5.1.0.2040
Content-Length: 0


-01:098- 16:30 06-25 *** SIP TX [''-'']: SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.xxx.xxx:5060;branch=z9hG4bKffe633e394fbee69e
From: "155" <sip:155@192.168.YYY.YYY:5060>;tag=72909e10bc
To: "155" <sip:155@192.168.YYY.YYY:5060>;tag=Mitel-5000_3456282830-16686
Call-ID: 3391135aa03e47f0
CSeq: 1449016807 REGISTER
Contact: <sip:155@192.168.xxx.xxx:5060;transport=udp>;expires=1200
Allow: NOTIFY,REGISTER,REFER,SUBSCRIBE,INFO,INVITE,ACK,OPTIONS,CANCEL,BYE
User-Agent: Mitel-5000-ICP-6.3.7.78
Content-Length: 0


If anyone has any idea on what needs to be done to make it work please let me know.

Thanks,
Travis

[Tech Electronics]

Travis,

Do you have a MiVoice Office Application Server or just the MiVO-250? Are you wanting the 69xx phone to connect to both?

If not then it makes it a simple SIP Device and that would work just like any other.

If you want to use the "Advanced" features of a MOAS then you will need to do some Layer 3 Routing to make that happen since you don't have an MBG to do it for you.

Also, you are missing some steps in your packet captures. A SIP Registration should have a minimum of 4 entries not 2.

Phone: REGISTER
Server: 401 Unauthorized sending Nonce
Phone: REGISTER with Nonce
Server: ACCEPTED

Thanks,

TE

[Travis]

Hey Tech Electronics,

Thanks for the reply!

I would like this to function fully if possible, we do have a MiVoice Office Application Server (MCS) which we put onto a public IP due to poor audio quality on the soft phones. (Support tried blaming the sonic wall, cant do that if its bypassed ) I can successfully ping 8202 TCP on that public and access the web interface. Here are some more complete packet captures...

This is what I get Immediately after rebooting the phone.

Code: [Select]

-01:913- 15:44 06-26 *** SIP RX [''-'P9255']: REGISTER sip:xxx.xxx.xxx.123:5060 SIP/2.0
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;branch=z9hG4bKa17dbc70d5aee5894
Max-Forwards: 70
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO, PUBLISH
Allow-Events: aastra-xml, vdp-session, talk, hold, conference, LocalModeStatus
Contact: "155" <sip:155@xxx.xxx.xxx.122:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-08000FDFFFFF>";expires=1200
Supported: path, gruu
User-Agent: Mitel 6940/5.1.0.2040
Content-Length: 0


-01:914- 15:44 06-26 *** SIP TX [''-'']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:915- 15:44 06-26 *** SIP RX [''-'P9255']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:916- 15:44 06-26 *** SIP TX [''-'']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:917- 15:44 06-26 *** SIP RX [''-'P9255']: REGISTER sip:xxx.xxx.xxx.123:5060 SIP/2.0
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;branch=z9hG4bKa17dbc70d5aee5894
Max-Forwards: 70
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO, PUBLISH
Allow-Events: aastra-xml, vdp-session, talk, hold, conference, LocalModeStatus
Contact: "155" <sip:155@xxx.xxx.xxx.122:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-08000FDFFFFF>";expires=1200
Supported: path, gruu
User-Agent: Mitel 6940/5.1.0.2040
Content-Length: 0


-01:918- 15:44 06-26 *** SIP RX [''-'P9255']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:919- 15:44 06-26 *** SIP TX [''-'']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:920- 15:44 06-26 *** SIP RX [''-'P9255']: REGISTER sip:xxx.xxx.xxx.123:5060 SIP/2.0
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;branch=z9hG4bKa17dbc70d5aee5894
Max-Forwards: 70
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO, PUBLISH
Allow-Events: aastra-xml, vdp-session, talk, hold, conference, LocalModeStatus
Contact: "155" <sip:155@xxx.xxx.xxx.122:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-08000FDFFFFF>";expires=1200
Supported: path, gruu
User-Agent: Mitel 6940/5.1.0.2040
Content-Length: 0


-01:921- 15:44 06-26 *** SIP RX [''-'P9255']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:922- 15:44 06-26 *** SIP TX [''-'']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0


-01:923- 15:44 06-26 *** SIP RX [''-'P9255']: REGISTER sip:xxx.xxx.xxx.123:5060 SIP/2.0
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;branch=z9hG4bKa17dbc70d5aee5894
Max-Forwards: 70
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO, PUBLISH
Allow-Events: aastra-xml, vdp-session, talk, hold, conference, LocalModeStatus
Contact: "155" <sip:155@xxx.xxx.xxx.122:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-08000FDFFFFF>";expires=1200
Supported: path, gruu
User-Agent: Mitel 6940/5.1.0.2040
Content-Length: 0


-01:924- 15:44 06-26 *** SIP RX [''-'P9255']: SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP xxx.xxx.xxx.122:5060;received=xxx.xxx.xxx.123;branch=z9hG4bKa17dbc70d5aee5894
WWW-Authenticate: Digest realm="Mitel-5000-ICP",domain="sip:mitel.com",nonce="e8073e2623abfbef101a8162c41acb1c",stale=false,algorithm=md5,opaque="Mitel-5000-ICP",qop="auth"
From: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=6ad5c6639d
To: "155" <sip:155@xxx.xxx.xxx.123:5060>;tag=Mitel-5000_1168672493-16686
Call-ID: 89517dfc4d218289
CSeq: 1544754372 REGISTER
Contact: <sip:192.168.132.203:5060>
Content-Length: 0



Thanks!!
Travis

[Tech Electronics]

Travis,

How do you have this programmed in the MiVO-250? I am seeing this as the contact for it; 192.168.132.203:5060.

Somehow your trace doesn't seem right to me, but I can't put my finger on it just yet. I am getting ready for a cutover so I won't be able to help anymore tonight, but I will look at this again tomorrow morning.

Thanks,

TE

[Travis]

Tech Electronics,

.203 is the internal IP of our pbx. Ill attach some screen shots of the programming of the SIP Phone Group. The 69XX phone was created as a 69XX/Phone Manager SIP Phone. As stated the phone group is programmed for NAT. These are the logs pulled from the pbx themselves via message print.

Phone Manager programming is pretty straight forward, But there is a "Use Remote Authentication" Check Box that is required. I was able to make it the same as the normal one I also added that as a screenshot.


I appreciate the help!

Thanks,
Travis

[Travis]

Also,

My firewall is not configured to block Internal to own external connections. I have successfully connected other sip devices from our internal network to our own public address. we are also connecting to a different public for the PBX. Phone Internet ends in .122, PBX public is .123. I have the PBX firewall configured to white list 5060 UDP connections from our 5 public IP's so sip attacks aren't a worry.

The phone itself seems to have some connection with the MCS server, It downloads the required information from the server along with my picture. It doesn't however sync the profile, so I get no key-map.

Thanks!!

[Dogbreath]

You could try a "dropped packets only" packet capture on the firewall to see if you're missing some ports.

[Tech Electronics]

Travis,

I think the Use Remote Authorization in the MOAS to send the credentials to the MBG and may not be needed here since you don't have one. Try taking that off and see if it changes how the phone and system react.

The rest of your programming that I saw in the pictures seems to be good. The issue you may be having is that you are using the MOAS to talk to the phone for provisioning. This means you don't really know what the password is for the phone as the MiVO-250 and the MOAS figure that out via their connection. There may be a way to figure this out, but I haven't had a reason to do this yet; may need to look into that.

Thanks,

TE

[Travis]

Hey TE,

When removing that remote password I get prompted to enter one and the phone doesn't send registers to the pbx at all. Also under General under the "6900 Handsets" group there is a check box for auto detect remote IP address, I have tried turning this off as well. No luck so far.

I would really like to get this to work. I'm sure there are a bunch of people in this position aswell. Thank you for all your help so far. Hopefully we can figure it out.

-Travis

[Tech Electronics]

Travis,

Did you setup the internal and external IP Addresses for the PBX in the MOAS? This is how Phone Manager clients/softphones would know how to get to the MiVO-250 previously. Since I don't work on the 69xx series phones with the MiVO-250  as we don't find it to be a viable option for our customers I haven't sorted this problem out.

Also as I am not on site and can't see the entire packet capture from the Firewall it becomes difficult to understand how the 69xx phone is handling the traffic.

Thanks,

TE

[Travis]

Hey TE,

Yes, the internal and external IP for the PBX is configured correctly both in Nodes and the client locations. Im going to PM you a copy of my packet capture from my sonicwall. Im not entirely sure if I did this correctly so please let me know if you need anything else!

-Travis

[Travis]

Also I was mistaken,

When not entering the remote authorization credentials I do receive register attempts. My packet capture was bugged.