17.1 Legacy Series / device not pinging when accessed from opnsense box
« on: March 17, 2017, 09:00:55 pm »
I got a pretty simple reproducible case.
1) opnsense box is at 192.168.1.2
2) connected to a switch, which holds a Cisco VoIP phone with DHCP/IP set on the opnsense to always be 192.168.1.82
3) The cisco phone cannot make the vpn connection, unless an out-NAT rule is added, that is working fine.
4) Upon ISP outage, the opnsense re-establishes the internet connection; HOWEVER, the Cisco VoIP fails to re-connect/authenticate despite the fact that a) it was running for days before that w/o any issues, b) all network access is restored to all other devices, and c) the outbound NAT rule is in place.
5) I've debugged that for a few months, and narrowed the issue down to the fact that the opnsense box (192.168.1.2) cannot PING the Cisco phone 192.168.1.82 after such an outage, despite the fact that OTHER machines on the same switch can ping the Cisco's IP just fine, before and after the outage. Also, the 192.168.1.82 IP is marked as allocated to the Cisco phone, and 'arp' output on the opnsense and another random PC agree on the Cisco's MAC address, e.g. opnsense:
Code:
? (192.168.1.82) at 08:cc:68:xx:xx:xx on bridge0 expires in 1176 seconds [bridge]
From random PC that can ping it:
Code:
192.168.1.82 08-cc-68-xx-xx-xx dynamic
6) The "workaround", of course, is to reboot the Cisco VoIP, and then it works fine; however, that was not the case with my prior (hiding: tomato) firmware.
Is there any chance someone can help debug this? Why is the ping working for the random PC, yet not for the opnsense box, which I suspect is the reason for the failure of the Cisco phone to build the VPN tunnel?
Appreciate any tips.
Stormy.
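An added check for the ARP comparison the post does by hand (example script, not from the original post or from OPNsense): it parses the FreeBSD-style `arp -a` line that the firewall prints and the Windows-style line from the PC, normalises both MAC addresses to the same form, reads the expiry of the firewall's entry, and reports whether the two hosts agree. The sample lines are constructed from the two formats shown above, with the masked octets replaced by the placeholder values aa:bb:cc.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the MAC that an
# OPNsense/FreeBSD box and a Windows PC hold in their ARP caches for one IP.

# Constructed sample: FreeBSD/OPNsense `arp -a` format (placeholder MAC octets)
OPN_ARP='? (192.168.1.82) at 08:cc:68:aa:bb:cc on bridge0 expires in 1176 seconds [bridge]'
# Constructed sample: Windows `arp -a` format (same placeholder MAC, dash-separated)
PC_ARP='192.168.1.82          08-cc-68-aa-bb-cc     dynamic'

# mac_from_freebsd LINE -> MAC in lowercase colon form, or empty if the line does not parse
mac_from_freebsd() {
    printf '%s\n' "$1" \
      | sed -n 's/^? ([0-9.]*) at \([0-9a-fA-F:]*\) .*/\1/p' \
      | tr 'A-F' 'a-f'
}

# expiry_from_freebsd LINE -> seconds until the entry expires, or empty if absent
expiry_from_freebsd() {
    printf '%s\n' "$1" | sed -n 's/.* expires in \([0-9]*\) seconds.*/\1/p'
}

# mac_from_windows LINE -> MAC in lowercase colon form (dashes converted)
mac_from_windows() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/-/:/g' | tr 'A-F' 'a-f'
}

# arp_agree FREEBSD_LINE WINDOWS_LINE -> prints "agree" or "mismatch"
arp_agree() {
    a=$(mac_from_freebsd "$1")
    b=$(mac_from_windows "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo agree
    else
        echo mismatch
    fi
}

# Stand-alone run on the constructed samples
echo "firewall MAC:  $(mac_from_freebsd "$OPN_ARP") (expires in $(expiry_from_freebsd "$OPN_ARP")s)"
echo "PC MAC:        $(mac_from_windows "$PC_ARP")"
echo "result:        $(arp_agree "$OPN_ARP" "$PC_ARP")"
```

On a live box, feed the function the matching line from `arp -a` on each host. If both hold the same MAC and the entry has not expired, yet only the firewall cannot ping, the ARP entry itself is not the discrepancy.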