MX84. IDS Alerts: SIP Phones being blocked

mcoomber
Getting noticed

MX84. IDS Alerts: SIP Phones being blocked

Hi,

My MX84 issues DHCP for the Voice VLAN. 

However the phones are either showing Registering or Not registered as per the attached screenshots. 
I have taken a look at the MX Events log and seen IDS Alerts and that traffic for the phones are being blocked. 

Help needed. 

 

Thanks

 Screenshot 2024-10-29 100803.pngWhatsApp Image 2024-10-29 at 09.52.03.jpegWhatsApp Image 2024-10-29 at 09.52.20.jpeg

11 Replies 11
PhilipDAth
Kind of a big deal
Kind of a big deal

Add the IDS alert to the "Allow list" to prevent it from blocking.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Allow_...

 

mcoomber
Getting noticed

I've added the blocked events to the IDS Allow List but still phones are just showing Registering or Not Registered. Even after a restart.

mcoomber
Getting noticed

Screenshot 2024-10-29 110251.png

ww
Kind of a big deal
Kind of a big deal

The phones worked fine before?

Try reboot the phone. Check if the event log is clean after the reboot

mcoomber
Getting noticed

They worked fine when the 3945 ISR was issuing DHCP. When moved to the MX they haven't worked. 

Since Allowing the blocked events in the IDS there have been no new entry. 

Screenshot 2024-10-29 131724.png

 

ip dhcp excluded-address 192.168.20.1 192.168.20.100
!
ip dhcp pool VOICE
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
domain-name transcoclsg.org
dns-server 172.16.0.2 172.16.0.3
option 150 ip 192.168.20.1
!
!
!
ip domain name transcoclsg.org
ip name-server 172.16.0.2
ip name-server 172.16.0.3
ip cef
no ipv6 cef

ww
Kind of a big deal
Kind of a big deal

So the isr was also the 192.168.20.1 svi before? And now the mx is the 192.168.20.1 ? Does the mx know all routes to the 172.16.x.x?

And what did the isr do with option 150 the tftp list?

 

mcoomber
Getting noticed

Yes, The MX is now the 192.168.20.1.

 

From the Routing TableFrom the Routing Table

 

ip tftp source-interface Tunnel0
ip nat pool Pool-NAT-ISP1 x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source route-map ISP1 pool Pool-NAT-ISP1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x

 

The 3945 ISR still carries the other configurations for the phones. Only services taken from the 3945ISR is the DHCP.

 

!
tftp-server flash:SIP_English_United_States/sp-sip.jar
tftp-server flash:SIP_English_United_States/g3-tones.xml
tftp-server flash:sboot2.78xx.10-3-1-12.sbn
tftp-server flash:sip8845_65.12-0-1SR1-1.loads
tftp-server flash:vc48845_65.12-0-1SR1-1.sbn
tftp-server flash:rootfs8845_65.12-0-1SR1-1.sbn
tftp-server flash:kern8845_65.12-0-1SR1-1.sbn
tftp-server flash:fbi8845_65.BEV-01-006.sbn
tftp-server flash:SIP_English_United_States/sl-bev-sip.jar
tftp-server flash:sb28845_65.BEV-01-015.sbn
tftp-server flash:SIP_English_United_States/sl-be-sip.jar
tftp-server flash:SIP_United_States/g3-tones.xml
!

ww
Kind of a big deal
Kind of a big deal

I dont really understand  how your phones would use the isr.  Your dhcp configs point most traffic to the mx svi.  Tftp, default gateway. And how does the mx route to 172.16.

The fact that you where seeing ips alert can only be happening if the traffic is using the mx as gateway

mcoomber
Getting noticed

  • The MX is 172.16.0.1
  • The ISR has a data vlan 10 with IP 172.16.0.5 and the Voice vlan 5 on 192.168.20.1 

Please advice on what I'm doing wrong and what is missing that needs to be done. 

Thanks

Screenshot 2024-10-29 150533.png

 

Screenshot 2024-10-29 150806.png

ww
Kind of a big deal
Kind of a big deal

I cant tell exactly without knowing the design and how everything is connected/where your L2 vlans are configured.

But Your mx also has 192.168.20.1.

So you got 2 times that gateway in your vlan 5 now?

I think you could make mx ip maybe 192.168.20.2?

So the phones will take the isr as gateway?

 

It could be better to make a drawing and contact meraki support to help out

mcoomber
Getting noticed

The MX is the default gateway for the network on 172.16.0.1 
The 192.168.20.1 is the gateway for the voice VLAN 5. The ISR is connected to the network on 172.16.0.5. 

 

As I stated previously, only service taken off the ISR is the DHCP. 

As per your advise, I have changed the VLAN 5 Interface IP on the MX to 192.168.20.2.

The vlans are configured on the MX

Get notified when there are additional replies to this discussion.