Meraki

Community

Troubleshooting Phones Provisioning to Ring Central

Solved
MerakiMed
Getting noticed
‎Mar 10 2021 8:06 PM
‎Mar 10 2021 8:06 PM

Troubleshooting Phones Provisioning to Ring Central

in the last week phones stopped being able to be provisioned in Ring Central. They need to get to pp.ringcentral.com:443. Pings to that site from a branch office with Meraki is failing. But pings and

https traffic to other sites works. My first through to troubleshoot tomorrow will be to have a phone

that needs to be provisioned and do a packet capture to see what's going on during that attempted

provisioning. 

 

But it's been some months since I looked at firewall looking. Is it possible to view all conversations allowed through the MX for a time period? I went to Sec & SD WAN/Security Center and selected all dispositions allowed or not. I started to enter the IP address of the provisioning server at RC 199.255.120.237 and the search box suggested I really wanted was remote_ip:199.255.120.237. Ok good enough. I hit enter and the time window is set to an overly generous 2 weeks. But still nothing shows up in the results. Am I searching for these conversations in the wrong place? 

 

Also a snapshot of the conversation is below. It looks like a phone 10.1.61.24 it trying to provision and the RC server is requesting a certificate 1.2TLS. Then the client ends up sending the cert but resending and resending. Any thought what's going on? Invalid certificate?

 

MerakiMed_0-1615437342907.png

 



Thank you.

0 Kudos
1 Accepted Solution
In response to MerakiMed
BrandonS
Kind of a big deal
‎Mar 10 2021 8:44 PM
‎Mar 10 2021 8:44 PM

Just a guess, but try whitelisting the client or toggling AMP and/or IPS/IDS and content filtering off to see if it changes.

- Ex community all-star (⌐⊙_⊙)

View solution in original post

0 Kudos
10 Replies 10
BrandonS
Kind of a big deal
‎Mar 10 2021 8:20 PM
‎Mar 10 2021 8:20 PM

I don't think you can find what you are looking for in the dashboard.

 

Remember ping does not work everywhere.  I can't ping pp.ringcentral.com either.  They must not allow it.  Having a phone and doing a packet capture should help you isolate the trouble quickly though.

 

 

- Ex community all-star (⌐⊙_⊙)
In response to BrandonS
MerakiMed
Getting noticed
‎Mar 10 2021 8:39 PM
‎Mar 10 2021 8:39 PM

Thanks much. I pasted a screen grab of the pcap of a phone that's trying to provision in the original question. 

0 Kudos
In response to MerakiMed
BrandonS
Kind of a big deal
‎Mar 10 2021 8:44 PM
‎Mar 10 2021 8:44 PM

Just a guess, but try whitelisting the client or toggling AMP and/or IPS/IDS and content filtering off to see if it changes.

- Ex community all-star (⌐⊙_⊙)
0 Kudos
In response to BrandonS
MerakiMed
Getting noticed
‎Mar 10 2021 8:53 PM
‎Mar 10 2021 8:53 PM

In Content Filtering I went to the Allow URL and added pp.ringcentral.com. The next time I did a packet capture for that phone it showed registered 200 OK. Good call! 

So two add on questions - why could I not see this blocked traffic in Security Center? And I wonder why/how the content filtering changed such as to put the kybosh on my phones provisioning.

0 Kudos
In response to MerakiMed
ww
Kind of a big deal
Kind of a big deal
‎Mar 10 2021 11:39 PM
‎Mar 10 2021 11:39 PM

Security center only reports ids/ips  and amp.   

Content filter is in the event log

In response to ww
MerakiMed
Getting noticed
‎Mar 11 2021 6:23 AM
‎Mar 11 2021 6:23 AM

Thanks for pointing that out. So I went and searched in Event Log and..

 

1) It appears I can't search based on the URI destination. 
2) I searched based on the client IP of the phone and nothing shows up there.

3) I went back and searched Security Center once more but by client IP. Nothing. 

II may just need to open a ticket to find out why the filtering started on an ostensibly allowed 

category and why the traffic denied or allowed is only visible if I run a pcap but not in 

event log or security center.

0 Kudos
In response to MerakiMed
BrandonS
Kind of a big deal
‎Mar 11 2021 8:59 AM
‎Mar 11 2021 8:59 AM

Definitely take this up with support.  Both for not seeing anything in any logs and also why did it block that URL at all?  It seems in a legit category that I assume you were not actively blocking?  Or were you?

 

Screen Shot 2021-03-11 at 8.56.27 AM.png

- Ex community all-star (⌐⊙_⊙)
0 Kudos
In response to BrandonS
MerakiMed
Getting noticed
‎Mar 11 2021 9:01 AM
‎Mar 11 2021 9:01 AM

Nope - definitely not blocking. I starting thinking blocking based on the retransmits. 

Today I found that the phones still aren't provisioning. So I'm not sure why the pcaps changed last night. 
I was doing it all remotely and couldn't corroborate what was happening with the phones themselves. 

 

 

0 Kudos
In response to BrandonS
MerakiMed
Getting noticed
‎Mar 11 2021 8:37 PM
‎Mar 11 2021 8:37 PM

The end of the mystery appears to be in the treatment of traffic nearing pp.ringcentral.com from the external IP of the MX67 which is provided by Comcast. And the issue may involve multiple sites as we use Comcast a lot. I'll ask a troubleshooting specific to this kind of suspected asymmetric traffic problem. I've dealt with a couple in the past but man it's time consuming and frustrating.

0 Kudos
BeckerIT
Here to help
‎Mar 11 2021 6:31 AM
‎Mar 11 2021 6:31 AM

Here's a document link, I found helpful when my company was switching over to RingCentral and ran into similar provisioning issues.

 

https://support.ringcentral.com/article/9233.html#8.6.3.WhitelistDomains

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.