I believe I have found a bug in the nature of the IP connectivity between the 
IPCMPR and the KX-NT3XX Phones.

IPCMPR Version: 1.0002
KX-NT3XX Version: 1.02

Brief Description: KX-NT3XX phones connected to KX-TDE via IPSEC VPN are not 
able to re-register after a BRIEF interruption in the IPSEC Tunnel.

Scenario:

Main Office where KX-TDE is installed has remote sites that are connected via 
IPSEC tunnels. For one reason or another (it happens, power, whatever...) the 
VPN tunnel is broken momentarily. Tunnel is rebuilt automatically. This causes 
the phones to try and reconnect, which they never do before saying "POOR LAN 
CONNECTION". Using maintenance-ping feature on phone, I am able to determine 
that the phone can ping the KX-TDE just fine.

Fast forward 40+ hours of heavy testing and analysis of packet-sniffing and 
trace information, I have discovered the following:

The KX-NT3XX phones are basically H.323 phones in disguise. They use a 
proprietary system called PTAP to register and interface with the KX-TDE (in 
addition to using MGCP and RTP to set up calls and transmit audio respectively). 
This PTAP system operates over UDP on port 9300 on the IPCMPR card, and on 
9301 on the KX-NT3XX. Since UDP has no connection state, the VPN hardware 
does not tear down the UDP connections it has in its Connection-State tables 
when the IPSEC Tunnel goes down (like they do with TCP connections). Instead, 
it waits for the configured UDP timeout to hit before removing the UDP 
connection. Most IPSEC VPN devices have a UDP timeout period of around 2 
minutes. This is critical to the part about this affecting *brief* 
interruptions in IPSEC Tunnel. If the interruption is LESS than the UDP timeout 
period, the UDP connection the KX-TDE *thinks* it has with the phones (as the 
UDP connection actually is with the IPSEC device at the entry point to the 
tunnel) does not get reset. The tunnel comes back up and the phone starts 
trying to reconnect to the KX-TDE on the same UDP ports. Somehow since the 
KX-TDE maintained its UDP connection during this time, it still thinks the 
connection was good and it will not reconnect the phone.

If during this process, I force the VPN device at the site with KX-TDE to clear 
its UDP connections, the phones instantly come back up. Likewise, if the 
interruption in the tunnel occurs for more than the length of the UDP timeout 
period, the phones will reconnect normally.

I have proven this to the nth degree in testing. I am certain of my findings. I 
am presenting all this to Panasonic tomorrow. I have a feeling they will not 
look at it seriously unless other people also report it. We are looking for anyone 
else with sufficient data/networking knowledge to verify/reproduce this. It is 
very easy to reproduce.

Please contact me if you have any systems in this configuration and would be 
willing to help me verify this.

Brian Martin

_________________________________________________________________
KX-T Mailing list --- http://kxthelp.com/
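
Added example, not part of the original post and not Panasonic or VPN vendor code: a toy Python model of the gateway UDP state table behaviour the post describes, covering the three reported cases (outage shorter than the UDP timeout, outage longer than it, and a manual clear of the UDP entries). The class and function names, the 120 second timeout (taken from the post's "around 2 minutes"), the addresses, and the simplification that no packet refreshes the entry during the outage are all assumptions.

```python
from dataclasses import dataclass, field

PTAP_PBX_PORT = 9300    # IPCMPR side, per the post
PTAP_PHONE_PORT = 9301  # KX-NT3XX side, per the post
UDP_IDLE_TIMEOUT = 120  # seconds; assumed from the post's "around 2 minutes"


@dataclass
class UdpStateTable:
    """Toy model of a VPN gateway's UDP connection-state table (hypothetical)."""
    idle_timeout: int = UDP_IDLE_TIMEOUT
    flows: dict = field(default_factory=dict)  # flow tuple -> last-seen time

    def packet(self, flow, now):
        """Record a packet; 'existing' if it matched a live entry, else 'new'."""
        last = self.flows.get(flow)
        live = last is not None and now - last < self.idle_timeout
        self.flows[flow] = now
        return "existing" if live else "new"

    def flush(self):
        """Manual clear of the UDP entries, as done on the gateway in the post."""
        self.flows.clear()


def reconnect_after_outage(outage_seconds, flush_on_recovery=False):
    """Classify the phone's first PTAP packet after the tunnel comes back."""
    # Constructed addresses (RFC 5737 documentation ranges).
    flow = ("192.0.2.10", PTAP_PBX_PORT, "198.51.100.20", PTAP_PHONE_PORT)
    table = UdpStateTable()
    tunnel_down = 1000
    table.packet(flow, tunnel_down - 1)  # last PTAP packet before the drop
    # Simplification: nothing crosses the gateway during the outage,
    # so the entry only ages and is never refreshed.
    if flush_on_recovery:
        table.flush()
    return table.packet(flow, tunnel_down + outage_seconds)


if __name__ == "__main__":
    # "existing" = pre-outage entry survived (the failing case in the post);
    # "new" = entry expired or was cleared (the cases where phones recover).
    for seconds, flush in [(30, False), (300, False), (30, True)]:
        print(seconds, flush, reconnect_after_outage(seconds, flush))
```
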