I would take one of their phones completely offsite, preferably to a completely 
different provider (or if that isn't possible, another segment of your 
network).   If they work fine there, it is probably a problem there in your 
network.  Likely if it says forbidden again it's a problem with the voip 
provider.  We're a grandstream shop here but when I've seen forbidden it is 
almost always a voip provider problem.

Good luck!  I usually don't give network advice, I'm by far not the smartest 
guy here. :)


  ----- Original Message ----- 
  From: [email protected] 
  To: 'AnimalFarm Microwave Users Group' 
  Sent: Wednesday, May 3, 2023 1:32 PM
  Subject: Re: [AFMUG] Yealink "Forbidden"


  I was hoping somebody would know what triggers a “Forbidden” message on the 
Yealink’s screen.  I can assume, but I don’t know.

   

  “Do other devices have issues or are all issues isolated to Zoom phones?” <-- 
good question.  The phones are in focus because having no phones is an emergent 
issue.  I can’t prove there aren’t any other related issues.  That’s part of 
why I want to understand what’s happening.  It’s an apartment building.  If 
there are tenants having some weirdly specific issue like this they might not 
have reported it yet.

   

  You see two subnets because I moved the phones to a different VLAN….that was 
something their IT guy suggested.  The one in 100.64.x.x is just unplugged or 
something and that was the last known IP.  

   

  I appreciate the suggestions regarding ALG and Firewall rules, but those have 
been checked and re-checked.   

   

  We do provide the Internet access, and for historical reasons we do also 
control the router and switches.  We’re moving away from managed systems like 
that, but for the next 6 months or so it’s still in my purview.  

   

  What we did change on Monday was layer2 topology.  There were literally 10 
switches in between these phones and the router.  Now there are 2.  That should 
be better if anything.  They’re blaming their issues on that change, but I 
don’t see how.  It’s the same switches except I jumpered up a different fiber 
path through the building to shorten that 10 switch daisy chain.  The only 
thing new is a couple of SFP transceivers on previously unused ports.  I did 
compare port settings and there’s no difference between new and old.  I might 
go swap transceivers, but that would be an act of desperation because it would 
make no sense.  

   

  I haven’t talked to Zoom directly, but if the customer’s IT guy is to be 
believed they are remarkably unhelpful.  

   

  Also exciting is the customer is part of a larger corporation and their IT 
guy is in another state.  The best we can do for remote hands is a maintenance 
person.  I can go there again and play around, but I don’t wanna.  Firstly, I 
got other stuff to do.  Secondly, there’s the “post hoc ergo propter hoc” 
issue.  Any time people see you touch something they may assume any problem 
they have for the next month is because you were there.  “I can’t print, car 
won’t start, and there’s a wasp nest in the attic…..I bet it was that damn 
internet guy.”

   

  -Adam

   

   

  From: AF <[email protected]> On Behalf Of Josh Luthman
  Sent: Wednesday, May 03, 2023 1:12 PM
  To: AnimalFarm Microwave Users Group <[email protected]>
  Subject: Re: [AFMUG] Yealink "Forbidden"

   

  Are the two private subnets in the screenshot the one network at the one 
location?  Are you providing the internet?  Do you have SIP ALG enabled?  Do 
other devices have issues or are all issues isolated to Zoom phones?

   

  On Wed, May 3, 2023 at 12:47 PM <[email protected]> wrote:

    Apparently Zoom tier1 isn’t helping.  “Check your firewall settings” and 
other basic stuff.  I don’t know if they’re just script readers or if this IT 
guy doesn’t know what to ask.  

     

    I don’t want to be the guy who just points fingers at the other guy, so I’m 
trying.  I just wish I could capture the SIP messages….friggin TLS so super 
secure that I can’t friggin help you.  If only the world had no bad people, 
then we wouldn’t need security.

    I want to hear Steve Jones’s plan for eliminating all the bad people.  I 
bet he has one.

     

     

     

    From: AF <[email protected]> On Behalf Of Darin Steffl
    Sent: Wednesday, May 03, 2023 10:49 AM
    To: AnimalFarm Microwave Users Group <[email protected]>
    Subject: Re: [AFMUG] Yealink "Forbidden"

     

    This is really simple. If they can ping the internet or do anything else 
that requires internet at the same time the phones show offline, it's not your 
problem. They should be contacting their phone provider.

     

    Their voip provider can provide them host names to ping or trace to in 
order to troubleshoot. If you don't sell the voip, you shouldn't be 
troubleshooting it aside from making sure your network ping, jitter, and 
packetloss are normal. 

     

    On Wed, May 3, 2023, 8:13 AM <[email protected]> wrote:

      I’m trying to help a customer with their Yealink phones.  Their provider 
is Zoom.

      I’m 99% sure this is not my problem, but I’m chronically too nice to 
people so I’m helping anyway.

       

      So apparently when they go to dial out they’ll get a message on the 
screen saying “Forbidden”.  I’m not sure if there’s more to the message because 
I only know what they’re telling me.   When this starts happening their IT guy 
says the phones show up as “offline” in whatever management portal they’re 
using.  They factory reset the phone, it reprovisions, shows up as “online” in 
their portal and works again for some period of minutes or hours and then does 
the same thing again.  I asked if a simple reboot works, but the IT guy says 
they factory reset instead of reboot because it’s so easy to do 🙄. 

       

      They point at me because the phone is “offline”, and they’re tying it to 
network maintenance that was done on Monday morning, but their story is not 
totally consistent about what day it started.  May have been Monday, may have 
been last week, depends who you ask.  I’ve taken packet captures and I can see 
the supposedly “offline” phone talking on port 443 to an AWS server (I assume 
provisioning server) and talking to Zoom on port 5091.  That’s all TLS/SSL so I 
can’t see the messages, but they’re definitely still talking to the mothership 
when they’re reported as “offline”.  They also do other normal stuff like DNS 
queries, NTP sync, and normal LAN chatter like CDP, ARP, etc.  I also checked 
for packet loss to the phones and there’s none/negligible loss.  So I’m telling 
these guys your phones are 100% definitely not offline.  I told them they need 
to check with Zoom to see what application layer messages are happening, 
because due to the encryption I don’t have a clue, but I’d wager the carrier is 
sending back a 403 Forbidden for some reason.

       

      Below is a screenshot of his management tool (customer name blocked out). 
 I don’t recognize it, maybe one of you all does.  

      In the meantime I’m wondering if the collective has seen something like 
this with Yealink and/or Zoom.  Any wild-ass guesses?  

       


      -- 
      AF mailing list
      [email protected]
      http://af.afmug.com/mailman/listinfo/af_af.afmug.com




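The thread's core question is what a SIP 403 Forbidden looks like behind the "Forbidden" on the Yealink screen, and why the TLS-encrypted SIP on port 5091 hides it. The script below is an added example, not code from the AFMUG thread, Yealink, or Zoom. It assumes you can get plaintext SIP (a provider-side trace, a lab phone temporarily pointed at a plain-UDP/TCP registrar, or a decrypted TLS session) and pairs each request with its final response using the Via branch plus CSeq, as RFC 3261 transactions are matched. That distinction matters for the diagnosis on this page: a 403 on REGISTER is what makes the phone show as "offline" in a portal, while a 403 on INVITE is a call being refused by a phone that is still registered. The sample messages, hostnames (`pbx.example.invalid`) and the Warning header text are constructed for the example.

```python
"""Pair SIP requests with responses and report which methods drew 403 Forbidden.

Added example for the AFMUG "Yealink Forbidden" thread; not Yealink or Zoom code.
Assumes plaintext (or decrypted) SIP. All sample messages below are constructed.
"""
import re
from dataclasses import dataclass, field

# RFC 3261 compact header names, expanded so lookups below stay uniform.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}
REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ?(.*)$")


@dataclass
class SipMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> first value
    body: str = ""

    @property
    def method(self):
        m = REQUEST_LINE.match(self.start_line)
        return m.group(1) if m else None

    @property
    def status(self):
        m = STATUS_LINE.match(self.start_line)
        return (int(m.group(1)), m.group(2)) if m else None


def parse_sip(raw):
    """Split one SIP message into start line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").lstrip("\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, value.strip())  # keep topmost Via on repeats
    return SipMessage(lines[0].strip(), headers, body)


def transaction_key(msg):
    """Responses copy the request's Via branch and CSeq, so that pair is the key."""
    m = re.search(r";branch=([^;,\s]+)", msg.headers.get("via", ""))
    return (m.group(1) if m else None, msg.headers.get("cseq"))


def correlate(messages):
    """Return one record per request with its final (>= 200) status and hints."""
    tx, order = {}, []
    for msg in messages:
        key = transaction_key(msg)
        if msg.method:
            tx[key] = {"method": msg.method, "status": None, "reason": None, "hints": []}
            order.append(key)
            continue
        if key not in tx or msg.status is None:
            continue  # response with no matching request, or not SIP at all
        code, reason = msg.status
        if code < 200:
            continue  # 100 Trying / 180 Ringing never end a transaction
        rec = tx[key]
        rec["status"], rec["reason"] = code, reason
        for h in ("warning", "reason"):  # the only place a carrier explains a 403
            if h in msg.headers:
                rec["hints"].append(f"{h}: {msg.headers[h]}")
    return [tx[k] for k in order]


def forbidden_by_method(records):
    """Count 403s per method: REGISTER -> 'offline' in a portal, INVITE -> call refused."""
    out = {}
    for r in records:
        if r["status"] == 403:
            out[r["method"]] = out.get(r["method"], 0) + 1
    return out


def analyze(raw_messages):
    return correlate([parse_sip(m) for m in raw_messages])


def _msg(start, branch, cseq, *extra):  # helper to build constructed samples
    return "\r\n".join([start, f"Via: SIP/2.0/TLS 192.0.2.10:5061;branch={branch}",
                        f"CSeq: {cseq}", *extra, "Content-Length: 0", "", ""])


SAMPLE_CAPTURE = [  # constructed trace, not from the thread or any real provider
    _msg("REGISTER sip:pbx.example.invalid SIP/2.0", "z9hG4bK-reg1", "1 REGISTER",
         "From: <sip:1001@pbx.example.invalid>;tag=a1", "Call-ID: reg-1@192.0.2.10"),
    _msg("SIP/2.0 403 Forbidden", "z9hG4bK-reg1", "1 REGISTER",
         'Warning: 399 pbx.example.invalid "constructed sample: registration refused"'),
    _msg("INVITE sip:+15555550100@pbx.example.invalid SIP/2.0", "z9hG4bK-inv1", "1 INVITE",
         "From: <sip:1001@pbx.example.invalid>;tag=a2", "Call-ID: call-1@192.0.2.10"),
    _msg("SIP/2.0 100 Trying", "z9hG4bK-inv1", "1 INVITE"),
    _msg("SIP/2.0 403 Forbidden", "z9hG4bK-inv1", "1 INVITE"),
    _msg("REGISTER sip:pbx.example.invalid SIP/2.0", "z9hG4bK-reg2", "2 REGISTER"),
    _msg("SIP/2.0 200 OK", "z9hG4bK-reg2", "2 REGISTER"),
]

if __name__ == "__main__":
    for rec in analyze(SAMPLE_CAPTURE):
        print(rec)
    print(forbidden_by_method(analyze(SAMPLE_CAPTURE)))
```

Run against the constructed capture it reports the first REGISTER and the INVITE as 403 and the second REGISTER as 200, which is the pattern the original post describes: registration refused until a re-provision, then working for a while. On a real trace, the Warning or Reason header on the 403 (if the carrier sends one) is the only application-layer clue, which is why the poster cannot get further than "it's probably a 403" without the provider decrypting or logging their side.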
