On Tue, Feb 17, 2015 at 11:13 PM, Chuck Mariotti <[email protected]> wrote:
>> Think you forgot the logs. That should be enough of a summary to have a good idea though.
>
>> What's the firewall/router/NAT device on the network where the 3 phones reside? That sounds like what could happen with a NAT device that doesn't handle UDP well. Some consumer-grade routers and some NAT implementations built into DSL/cable modems can have problems handling long-lived UDP connections especially where multiple devices are being NATed out to a single destination IP and port.
>
> And here is the log below... argh.
> The devices are behind a 256Mbit cable modem... Any suggestions on how to resolve if that is the case? 3rd party router?
>
> Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 send_push_reply(): safe_cap=940
> Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, IPv6=(Not enabled)
> Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
> Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 send_push_reply(): safe_cap=940
> Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
> Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
> Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
> Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
> Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
That's definitely the cable modem's NAT getting confused. If you can get the phones to randomize their source ports on their OpenVPN traffic, that might resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, specifying "lport 0" in the config will make it choose a random port. I'm not sure if that's configurable for the Yealink phones though. We disable that automatically in our OpenVPN client export for Yealink because they didn't support it at least up until recently.

If you can change the modem to bridge mode to pass through the public IP to a router of some sort that will properly handle that circumstance, it'll resolve that. That might be hit or miss with consumer-grade routers. A completely default pfSense config will work fine in that circumstance, as it'll randomize the source ports on its own so the phones don't have to.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
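As an added example (not part of the thread and not pfSense or OpenVPN code), here is a small Python check that pulls the symptom discussed above out of an OpenVPN server log: it records every client CN the server associates with each public source ip:port, from both "Peer Connection Initiated" and "TLS object CN attempted to change" lines, and reports any ip:port that more than one CN shared, which is what a NAT reusing one outbound port for several phones produces. The sample lines are copied from the log quoted above and embedded as constructed input; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the server log quoted in the thread.
SAMPLE_LOG = """\
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn\[\d+\]: "
# Server already holds a TLS session for src ip:port under one CN and the next
# packet on that ip:port authenticates as a different CN.
CN_CHANGE = re.compile(
    TS + r"(?P<cn>[^/]+)/(?P<src>[\d.]+:\d+) TLS Auth Error: TLS object CN "
    r"attempted to change from '(?P<old>[^']+)' to '(?P<new>[^']+)'"
)
# A client completed its handshake from src ip:port under CN.
PEER_INIT = re.compile(
    TS + r"(?P<src>[\d.]+:\d+) \[(?P<cn>[^\]]+)\] Peer Connection Initiated"
)


def find_port_collisions(log_text):
    """Return {src_ip_port: sorted CNs} for every public ip:port the server saw
    used by more than one client CN. One CN per ip:port is normal; two or more
    means the NAT in front of the clients mapped several of them to one port."""
    cns_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = CN_CHANGE.match(line)
        if m:
            cns_by_src[m.group("src")].update({m.group("old"), m.group("new")})
            continue
        m = PEER_INIT.match(line)
        if m:
            cns_by_src[m.group("src")].add(m.group("cn"))
    return {src: sorted(cns) for src, cns in cns_by_src.items() if len(cns) > 1}


def affected_public_ips(collisions):
    """Group colliding ip:ports by public IP: one NAT device per IP, so one fix
    (randomised client source port, or a router that rewrites ports) each."""
    by_ip = defaultdict(set)
    for src, cns in collisions.items():
        by_ip[src.rsplit(":", 1)[0]].update(cns)
    return {ip: sorted(cns) for ip, cns in by_ip.items()}


if __name__ == "__main__":
    for src, cns in sorted(find_port_collisions(SAMPLE_LOG).items()):
        print(f"{src} shared by {', '.join(cns)}")
```

On the sample it reports that both 172.172.172.66:1194 and 172.172.172.66:1086 were used by more than one phone, all behind the single public IP 172.172.172.66.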
