  • Edge Gateway can't remote to it

    Hi All,
    I am setting up (or failing to) an Edge Gateway in our office as follows:
    ShoreTel build 21.90.9743.0
    External addresses (3: 1 for RAST, 1 for Remote Proxy, 1 for TURN)
    Internal address (1, on the same LAN and VLAN as the HQ server)
    3 external DNS mappings for the three external IPs
    1 internal DNS mapping for the Edge GW
    As far as the Edge / System goes, all looks good, green lights.
    All addresses are pingable and I can traceroute to the external addresses (I use my mobile as a hotspot).
    The router has NAT to translate the external addresses to the internal IPs of the Edge GW RAST, RP & TURN interfaces.

    When I attempt to connect a remote 480G phone (VPN is set to on and port 443),
    it goes through the motions but fails to connect to the VPN with the following: "Phone event 1501: unable to connect to VPN: VPN Connection (Rast-DTLS) to server xxx.xxx.xxx.xxx closed."
    However, the monitor screen of the Edge GW shows the phone with the correct IP addresses for local and remote IP, and the time it was established is also correct, along with the tunnel interface and received and transmitted packets and bytes.
    About a minute later the above information in the monitor disappears.

    I am kinda lost, as the logs from the Edge GW don't mean a lot to me and the router logs are useless,
    so I am struggling to find the issue. Any pointers would be much appreciated.

  • #2
    Just for clarity, am I reading this correctly and the "external" interfaces of the Edge Gateway are in some kind of DMZ and your corporate firewall is NATing traffic from a truly public IP to the DMZ for the Edge Gateway to consume?

    • #3
      Do you have the check box for "Enable remote phone authentication" checked on the user profile that you are trying to VPN with?

      Also there is a section on the configuration tab on the edge gateway for Phones>Allowed List. Do you have the MAC of the phone added there?

      We also had to add a static route for the pool of remote phone IP addresses to point at the inside interface of the Edge Gateway before it would work.
      Last edited by ericdbarth; 11-05-2019, 12:46 PM.

      • #4
        Hi, and thanks for the responses.
        Yes Blanning, the external addresses are mapped via NAT to DMZ addresses.
        Ericdbarth, I should see the phone make it onto the network without the check box for remote auth. I have two phones with MAC addresses in the allowed list, and I am not sure what you mean by a static route for the remote pool.

        • #5
          The IP address that is given to the remote phone by the Edge Gateway... it would make sense that the Edge Gateway would respond to ARP requests for this IP address, since it knows where the phone is; however it does not, so on our internal network (on our core switch) we had to put a static route to say {RemotePhoneIP} next hop {InternalIPofEdgeGW}, otherwise the ShoreTel switch could not communicate with the remote phone.

          • #6
            OK, so I have got it sorted!
            There were two problems:
            1) The ISP blocks ports on additional IP addresses, and you have to ask them to unblock them.
            2) Our router (Draytek) is very confusing in its literature. I was port forwarding through NAT, but because we are using WAN alias addresses I had to use Open Ports instead to allow multi-NATing.

            Again, thanks for the replies.
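The symptom in this thread (external addresses ping fine, yet the phone's DTLS tunnel closes) came down to TCP/UDP ports being filtered upstream of the gateway, which ICMP never reveals. The following is an added example, not part of the thread or of any ShoreTel tooling: it resolves each external role's DNS name, compares it with the public IP you expect, and then attempts a real TCP handshake on the service port, so DNS, NAT and upstream filtering failures show up separately. The host names, addresses and ports are constructed placeholders.

```python
"""Per-role reachability check for an Edge Gateway's external interfaces.
Run from outside the office network (e.g. a phone hotspot), like the poster did."""
import socket

# Constructed placeholder values: replace with your own DNS names, public IPs and ports.
EDGE_ROLES = {
    "RAST":         ("rast.example.com",  "198.51.100.10", 443),
    "Remote Proxy": ("proxy.example.com", "198.51.100.11", 443),
    "TURN":         ("turn.example.com",  "198.51.100.12", 443),
}

def resolve(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def tcp_open(ip, port, timeout=3.0):
    """True only if a TCP handshake completes; a filtered port times out or is refused."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_roles(roles, resolver=resolve, prober=tcp_open):
    """Evaluate every role and return {role: (dns_ok, port_ok)}.
    resolver and prober are injectable so the logic can be exercised offline."""
    results = {}
    for role, (name, expected_ip, port) in roles.items():
        actual_ip = resolver(name)
        dns_ok = actual_ip == expected_ip
        # Probe whatever the public DNS actually points at, not the address we expect.
        port_ok = bool(actual_ip) and prober(actual_ip, port)
        results[role] = (dns_ok, port_ok)
    return results

def failing_roles(results):
    """Sorted names of roles where either DNS or the TCP port check failed."""
    return sorted(r for r, (d, p) in results.items() if not (d and p))

if __name__ == "__main__":
    res = check_roles(EDGE_ROLES)
    for role, (dns_ok, port_ok) in res.items():
        print(f"{role:13s} dns={'ok' if dns_ok else 'MISMATCH'} "
              f"tcp={'open' if port_ok else 'BLOCKED'}")
    print("failing:", failing_roles(res) or "none")
```

A role that pings but reports `tcp=BLOCKED` from outside while the same port answers from inside the DMZ points at the ISP or router layer rather than at the gateway configuration.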