Secure Yealink - stability?
blind_oracle Offline
Junior Member
**

Posts: 4
Joined: May 2015
Reputation: 0
Post: #1
Secure Yealink - stability?
I've got a need to set up a secure VoIP system:
1. 802.1x PEAP
2. Configuration encryption
3. TLS
4. SRTP

Phones: T22P, T28P, W52P, T38G, T46G
Testing on T22P with localized fw 7.72.14.6 and global 7.73.0.50

PBX is Asterisk 11.15

I've got it all working, but have stability/speed problems:

1. The phone using SIP TLS is, from time to time, not reachable and not able to make calls. It recovers shortly by itself. From Asterisk the phone appears UNREACHABLE and then REACHABLE again. And it flaps here and there all the time:
Code:
[May 26 12:45:02] VERBOSE[29264] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:3120
[May 26 12:45:02] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (78ms / 2000ms)
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 12:54:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 99
[May 26 12:54:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (83ms / 2000ms)
[May 26 12:59:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 95
[May 26 12:59:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (86ms / 2000ms)
[May 26 13:02:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 80
[May 26 13:02:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (92ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
[May 26 13:13:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 90
[May 26 13:13:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (71ms / 2000ms)
[May 26 13:20:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 81
[May 26 13:20:45] VERBOSE[30199] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:2660
[May 26 13:20:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 13:22:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 79
[May 26 13:23:41] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (84ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Lagged. (3554ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (188ms / 2000ms)
[May 26 13:27:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 72
[May 26 13:28:42] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (73ms / 2000ms)

In the phone's logs there's nothing quite interesting, some TLS errors from time to time:
Code:
May 26 10:08:46 LIBD[352]: DCMN<3+error > SSL_connect select(read) error (Resource temporarily unavailable)
May 26 10:08:46 LIBD[352]: HTTP<3+error > Connect Error
May 26 10:08:46 ATP [352]: ATP <3+error > https to file failed, code = -3, msg = Connect Failed, retry = 1

2. Phone takes almost 5 minutes to download stuff from HTTPS server. It downloads 5 XML phonebooks (total size around 50k), firmware, dialnow, certificates, config. Here's the server's log for the bootup:
Code:
[26/May/2015:14:47:46 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:08 +0300] "GET /yealink/phonebooks/phonebook_a.xml HTTP/1.1" 200 13265 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:10 +0300] "GET /yealink/phonebooks/phonebook_b.xml HTTP/1.1" 200 391 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:16 +0300] "GET /yealink/phonebooks/phonebook_c.xml HTTP/1.1" 200 25620 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:31 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:32 +0300] "GET /yealink/phonebooks/phonebook_d.xml HTTP/1.1" 200 11529 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:52 +0300] "GET /yealink/phonebooks/phonebook_e.xml HTTP/1.1" 200 5940 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:54 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:49:49 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:00 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:10 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:22 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:33 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:44 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:56 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:07 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:19 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:30 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:16 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:27 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:38 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"

It's not a problem by itself, but there seems to be a problem with phone's performance.

Is there anything I can do to make it send and receive calls stably?
Maybe some tweaks needed? Phone's syslog attached.

P.S.
The certificates are usual 2048-bit SHA1, so it shouldn't be too hard for the phone's CPU to handle them.


Attached File(s)
.tar  syslog (2).tar (Size: 65.5 KB / Downloads: 1)
(This post was last modified: 05-26-2015 09:49 PM by blind_oracle.)
05-26-2015 07:39 PM
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #2
RE: Secure Yealink - stability?
Hi,
Thanks for your information.
1. Yes, Yealink phones can support 2048-bit SHA1.
2. For the TLS issue, do you mean that after registering account 1699 over TLS, it sometimes can't make or receive calls? How often does the issue happen?
And how many phones do you have? Do all have the same issue?
Please provide us the config.bin file, pcap trace and level 6 syslog for debugging.

3. The phone takes almost 5 minutes to download stuff from the HTTPS server; the speed is also determined by the current network, and it includes the firmware download and also a request for a non-existent file. Please help check the network speed as well.
Best Regards!
Flora
05-26-2015 10:22 PM
blind_oracle Offline
Junior Member
**

Posts: 4
Joined: May 2015
Reputation: 0
Post: #3
RE: Secure Yealink - stability?
2. Yes, Asterisk PBX sends OPTIONS requests to the phone from time to time (every 60 sec) to check if it's alive.
When using TLS, the phone fails to respond to this request in time, so the PBX marks it as UNREACHABLE.
How often is visible from the logs in my initial message - it is marked UNREACHABLE every several minutes.

When using UDP this problem does not occur - we have around 300 phones (95% of them are T22P) and they work fine through UDP.
I'm testing on two phones T22P with different firmware (as stated in my initial message), both have the issue.

If I disable phone testing on the PBX (qualify=no in sip.conf) the phone is marked UNMONITORED, and the problem still persists - it cannot send or receive calls or does this very slowly.
Sometimes when I hang up the caller's phone, the phone that I am calling (with TLS enabled) is still ringing anyway.

3. When using HTTP (without TLS) it boots very quickly, so the network is not involved, and neither is the HTTPS server - it's very resourceful and can serve a lot of clients. Other HTTPS clients show normal speed, just Yealink phones are slow.

I've sent you an email through the forum with the requested files.
05-27-2015 04:23 PM
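Added example (not part of the original thread): a Python sketch that turns the chan_sip qualify lines quoted in post #1 into outage durations per peer, and flags recoveries that coincided with a fresh REGISTER from a new source port, which over TLS means the phone opened a new connection. The function and field names are hypothetical; the sample lines are a subset of the log in post #1.

```python
import re
from datetime import datetime
# Subset of the chan_sip lines quoted in post #1 (peer 1699, TLS transport).
SAMPLE = """\
[May 26 12:45:02] VERBOSE[29264] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:3120
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
[May 26 13:20:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 81
[May 26 13:20:45] VERBOSE[30199] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:2660
[May 26 13:20:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Lagged. (3554ms / 2000ms)
"""

LINE = re.compile(r"^\[(\w{3}\s+\d+ [\d:]{8})\] \w+\[\d+\] chan_sip\.c:\s+(.*)$")
REG = re.compile(r"-- Registered SIP '([^']+)' at [\d.]+:(\d+)")
STATE = re.compile(r"Peer '([^']+)' is now (Reachable|UNREACHABLE|Lagged)")

def summarize(log_text, year=2015):
    """Per peer: (outage seconds, recovered via re-REGISTER), ports seen, lag count."""
    peers = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # The log has no year; one is assumed so timestamps can be subtracted.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        reg, st = REG.search(m.group(2)), STATE.search(m.group(2))
        if not (reg or st):
            continue
        p = peers.setdefault((reg or st).group(1), {
            "outages": [], "ports": [], "lagged": 0, "_down": None, "_rereg": False})
        if reg:
            p["ports"].append(int(reg.group(2)))
            p["_rereg"] = p["_down"] is not None  # REGISTER arrived during an outage
        elif st.group(2) == "UNREACHABLE":
            p["_down"], p["_rereg"] = ts, False
        elif st.group(2) == "Lagged":
            p["lagged"] += 1
        elif p["_down"] is not None:  # Reachable again: close the open outage
            secs = int((ts - p["_down"]).total_seconds())
            p["outages"].append((secs, p["_rereg"]))
            p["_down"], p["_rereg"] = None, False
    return peers

if __name__ == "__main__":
    for name, p in summarize(SAMPLE).items():
        print(name, p["outages"], p["ports"], "lagged:", p["lagged"])
```
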
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #4
RE: Secure Yealink - stability?
Thanks, reply through the email.
Best Regards!
Flora
05-27-2015 10:30 PM
Nathaniel Offline
Junior Member
**

Posts: 2
Joined: Apr 2015
Reputation: 0
Post: #5
RE: Secure Yealink - stability?
Did you get a resolution to this?

I've encountered a very similar thing with the T19 phones randomly dropping TLS registration with the PBX; a reboot temporarily resolves it, but using the TCP protocol for registration never drops.
06-09-2015 04:11 PM
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #6
RE: Secure Yealink - stability?
Hi Nathaniel,
For the TLS issue, please help us confirm the items below:
1. How often does the issue happen?
2. How many phones do you have? Do all have the same issue?
3. Please help provide us the config.bin file, pcap trace and level 6 syslog for debug; please export the log to the server side so that we can have a full syslog.
http://forum.yealink.com/forum/showthread.php?tid=1319
Best Regards!
Flora
06-10-2015 04:14 AM