Yealink Forums
Secure Yealink - stability? - Printable Version


Secure Yealink - stability? - blind_oracle - 05-26-2015 07:39 PM

I've got a need to set up a secure VoIP system:
1. 802.1x PEAP
2. Configuration encryption
3. TLS
4. SRTP

Phones: T22P, T28P, W52P, T38G, T46G
Testing on T22P with localized fw 7.72.14.6 and global 7.73.0.50

PBX is Asterisk 11.15

I've got it all working, but have stability/speed problems:

1. The phone using SIP TLS is, from time to time, not reachable and not able to make calls. It recovers shortly by itself. From Asterisk the phone appears UNREACHABLE and then REACHABLE again. And it flaps here and there all the time:
Code:
[May 26 12:45:02] VERBOSE[29264] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:3120
[May 26 12:45:02] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (78ms / 2000ms)
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 12:54:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 99
[May 26 12:54:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (83ms / 2000ms)
[May 26 12:59:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 95
[May 26 12:59:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (86ms / 2000ms)
[May 26 13:02:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 80
[May 26 13:02:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (92ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
[May 26 13:13:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 90
[May 26 13:13:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (71ms / 2000ms)
[May 26 13:20:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 81
[May 26 13:20:45] VERBOSE[30199] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:2660
[May 26 13:20:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 13:22:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 79
[May 26 13:23:41] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (84ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Lagged. (3554ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (188ms / 2000ms)
[May 26 13:27:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 72
[May 26 13:28:42] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (73ms / 2000ms)

In the phone's logs there's nothing quite interesting, some TLS errors from time to time:
Code:
May 26 10:08:46 LIBD[352]: DCMN<3+error > SSL_connect select(read) error (Resource temporarily unavailable)
May 26 10:08:46 LIBD[352]: HTTP<3+error > Connect Error
May 26 10:08:46 ATP [352]: ATP <3+error > https to file failed, code = -3, msg = Connect Failed, retry = 1

2. Phone takes almost 5 minutes to download stuff from HTTPS server. It downloads 5 XML phonebooks (total size around 50k), firmware, dialnow, certificates, config. Here's the server's log for the bootup:
Code:
[26/May/2015:14:47:46 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:08 +0300] "GET /yealink/phonebooks/phonebook_a.xml HTTP/1.1" 200 13265 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:10 +0300] "GET /yealink/phonebooks/phonebook_b.xml HTTP/1.1" 200 391 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:16 +0300] "GET /yealink/phonebooks/phonebook_c.xml HTTP/1.1" 200 25620 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:31 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:32 +0300] "GET /yealink/phonebooks/phonebook_d.xml HTTP/1.1" 200 11529 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:52 +0300] "GET /yealink/phonebooks/phonebook_e.xml HTTP/1.1" 200 5940 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:54 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:49:49 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:00 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:10 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:22 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:33 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:44 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:56 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:07 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:19 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:30 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:16 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:27 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:38 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"

It's not a problem by itself, but there seems to be a problem with the phone's performance.

Is there anything I can do to make it send and receive calls stably?
Maybe some tweaks are needed? Phone's syslog attached.

P.S.
The certificates are usual 2048-bit SHA1, so it shouldn't be too hard for the phone's CPU to handle them.


RE: Secure Yealink - stability? - Flora_Yealink - 05-26-2015 10:22 PM

Hi,
Thanks for your information.
1. Yes, Yealink phones can support 2048-bit SHA1.
2. For the TLS issue, do you mean that after registering the account 1699 by TLS, it sometimes can't make or receive calls? How often does the issue happen?
And how many phones do you have? Do all have the same issue?
Please provide us the config.bin file, pcap trace and level 6 syslog for debug.

3. The phone takes almost 5 minutes to download stuff from the HTTPS server: the speed is also decided by the current network, and it includes the firmware download and also a request for a non-existing file. Please help check the network speed as well.
Best Regards!
Flora


RE: Secure Yealink - stability? - blind_oracle - 05-27-2015 04:23 PM

2. Yes, the Asterisk PBX sends OPTIONS requests to the phone from time to time (every 60 sec) to check if it's alive.
When using TLS, the phone fails to respond to this request in time, so the PBX marks it as UNREACHABLE.
How often is visible from the logs in my initial message - it is marked UNREACHABLE every few minutes.

When using UDP this problem does not occur - we have around 300 phones (95% of them are T22P) and they work fine through UDP.
I'm testing on two T22P phones with different firmware (as stated in my initial message), both have the issue.

If I disable phone testing on the PBX (qualify=no in sip.conf) the phone is marked UNMONITORED, and the problem still persists - it cannot send or receive calls or does so very slowly.
Sometimes when I hang up the caller's phone, the phone that I am calling (with TLS enabled) is still ringing anyway.

3. When using HTTP (without TLS) it boots very quickly, so the network is not involved, and neither is the HTTPS server - it's very resourceful and can serve a lot of clients. Other HTTPS clients show normal speed, just Yealink phones are slow.

I've sent you an email through the forum with the requested files.
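
Added example (not part of the thread and not written by any poster): a small Python parser that turns chan_sip qualify NOTICE lines like those in the first post into per-peer outage durations, so the flapping can be quantified and compared between TLS and UDP. The function names are hypothetical, the sample is an excerpt of the lines quoted above, and the year is an assumption because the log timestamps carry none.

```python
import re
from datetime import datetime

# Excerpt of the chan_sip lines quoted in the first post of this thread.
SAMPLE_LOG = """\
[May 26 12:45:02] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (78ms / 2000ms)
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 12:54:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 99
[May 26 12:54:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (83ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
"""

LINE_RE = re.compile(
    r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Peer '([^']+)' is now (Reachable|UNREACHABLE|Lagged)")

def outages(log_text, year=2015):
    """Return {peer: [(down_at, seconds_down or None if still down), ...]}."""
    down_since, result = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # registrations, VERBOSE lines, other modules
        # The log has no year; prepend the assumed one so parsing is unambiguous.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        peer, state = m.group(2), m.group(3)
        if state == "UNREACHABLE":
            down_since.setdefault(peer, ts)  # keep the first of repeated downs
        elif peer in down_since:  # Reachable or Lagged: the peer answered again
            start = down_since.pop(peer)
            secs = int((ts - start).total_seconds())
            result.setdefault(peer, []).append((start, secs))
    for peer, start in down_since.items():  # still down when the log ends
        result.setdefault(peer, []).append((start, None))
    return result

def summarize(log_text, peer, year=2015):
    """Count outages and total/longest closed outage time for one peer."""
    spans = outages(log_text, year).get(peer, [])
    closed = [s for _, s in spans if s is not None]
    return {"outages": len(spans), "total_down_s": sum(closed),
            "longest_s": max(closed, default=0)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "1699"))
```

Running the same summary over a log captured with the phone on UDP gives a baseline to attach to a support request alongside the pcap trace and syslog.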


RE: Secure Yealink - stability? - Flora_Yealink - 05-27-2015 10:30 PM

Thanks, reply through the email.
Best Regards!
Flora


RE: Secure Yealink - stability? - Nathaniel - 06-09-2015 04:11 PM

Did you get a resolution to this?

I've encountered a very similar thing with the T19 phones randomly dropping TLS registration with the PBX; a reboot temporarily resolves it, but using the TCP protocol for registration never drops.


RE: Secure Yealink - stability? - Flora_Yealink - 06-10-2015 04:14 AM

Hi Nathaniel,
For the TLS issue, please help us confirm the items below:
1. How often does the issue happen?
2. How many phones do you have? Do all have the same issue?
3. Please help provide us the config.bin file, pcap trace and level 6 syslog for debug; please export the log to the server side so that we can have a full syslog.
http://forum.yealink.com/forum/showthread.php?tid=1319
Best Regards!
Flora