Troubleshooting Phones Provisioning to Ring Central

SOLVED
MerakiMed
Getting noticed

Troubleshooting Phones Provisioning to Ring Central

in the last week phones stopped being able to be provisioned in Ring Central. They need to get to pp.ringcentral.com:443. Pings to that site from a branch office with Meraki is failing. But pings and

https traffic to other sites works. My first through to troubleshoot tomorrow will be to have a phone

that needs to be provisioned and do a packet capture to see what's going on during that attempted

provisioning. 

 

But it's been some months since I looked at firewall looking. Is it possible to view all conversations allowed through the MX for a time period? I went to Sec & SD WAN/Security Center and selected all dispositions allowed or not. I started to enter the IP address of the provisioning server at RC 199.255.120.237 and the search box suggested I really wanted was remote_ip:199.255.120.237. Ok good enough. I hit enter and the time window is set to an overly generous 2 weeks. But still nothing shows up in the results. Am I searching for these conversations in the wrong place? 

 

Also a snapshot of the conversation is below. It looks like a phone 10.1.61.24 it trying to provision and the RC server is requesting a certificate 1.2TLS. Then the client ends up sending the cert but resending and resending. Any thought what's going on? Invalid certificate?

 

MerakiMed_0-1615437342907.png

 



Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
BrandonS
Kind of a big deal

Re: Troubleshooting Phones Provisioning to Ring Central

Just a guess, but try whitelisting the client or toggling AMP and/or IPS/IDS and content filtering off to see if it changes.

View solution in original post

10 REPLIES 10
BrandonS
Kind of a big deal

Re: Troubleshooting Phones Provisioning to Ring Central

I don't think you can find what you are looking for in the dashboard.

 

Remember ping does not work everywhere.  I can't ping pp.ringcentral.com either.  They must not allow it.  Having a phone and doing a packet capture should help you isolate the trouble quickly though.

 

 

MerakiMed
Getting noticed

Re: Troubleshooting Phones Provisioning to Ring Central

Thanks much. I pasted a screen grab of the pcap of a phone that's trying to provision in the original question. 

BrandonS
Kind of a big deal

Re: Troubleshooting Phones Provisioning to Ring Central

Just a guess, but try whitelisting the client or toggling AMP and/or IPS/IDS and content filtering off to see if it changes.

View solution in original post

MerakiMed
Getting noticed

Re: Troubleshooting Phones Provisioning to Ring Central

In Content Filtering I went to the Allow URL and added pp.ringcentral.com. The next time I did a packet capture for that phone it showed registered 200 OK. Good call! 

So two add on questions - why could I not see this blocked traffic in Security Center? And I wonder why/how the content filtering changed such as to put the kybosh on my phones provisioning.

ww
Kind of a big deal
Kind of a big deal

Re: Troubleshooting Phones Provisioning to Ring Central

Security center only reports ids/ips  and amp.   

Content filter is in the event log

MerakiMed
Getting noticed

Re: Troubleshooting Phones Provisioning to Ring Central

Thanks for pointing that out. So I went and searched in Event Log and..

 

1) It appears I can't search based on the URI destination. 
2) I searched based on the client IP of the phone and nothing shows up there.

3) I went back and searched Security Center once more but by client IP. Nothing. 

II may just need to open a ticket to find out why the filtering started on an ostensibly allowed 

category and why the traffic denied or allowed is only visible if I run a pcap but not in 

event log or security center.

BeckerIT
Here to help

Re: Troubleshooting Phones Provisioning to Ring Central

Here's a document link, I found helpful when my company was switching over to RingCentral and ran into similar provisioning issues.

 

https://support.ringcentral.com/article/9233.html#8.6.3.WhitelistDomains

BrandonS
Kind of a big deal

Re: Troubleshooting Phones Provisioning to Ring Central

Definitely take this up with support.  Both for not seeing anything in any logs and also why did it block that URL at all?  It seems in a legit category that I assume you were not actively blocking?  Or were you?

 

Screen Shot 2021-03-11 at 8.56.27 AM.png

MerakiMed
Getting noticed

Re: Troubleshooting Phones Provisioning to Ring Central

Nope - definitely not blocking. I starting thinking blocking based on the retransmits. 

Today I found that the phones still aren't provisioning. So I'm not sure why the pcaps changed last night. 
I was doing it all remotely and couldn't corroborate what was happening with the phones themselves. 

 

 

MerakiMed
Getting noticed

Re: Troubleshooting Phones Provisioning to Ring Central

The end of the mystery appears to be in the treatment of traffic nearing pp.ringcentral.com from the external IP of the MX67 which is provided by Comcast. And the issue may involve multiple sites as we use Comcast a lot. I'll ask a troubleshooting specific to this kind of suspected asymmetric traffic problem. I've dealt with a couple in the past but man it's time consuming and frustrating.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.