Secure Yealink - stability?
blind_oracle
Post: #1
I've got a need to set up a secure VoIP system:
1. 802.1x PEAP
2. Configuration encryption
3. TLS
4. SRTP

Phones: T22P, T28P, W52P, T38G, T46G
Testing on T22P with localized fw 7.72.14.6 and global 7.73.0.50

PBX is Asterisk 11.15

I've got it all working, but have stability/speed problems:

1. The phone using SIP TLS is, from time to time, not reachable and not able to make calls. It recovers shortly by itself. From Asterisk the phone appears UNREACHABLE and then REACHABLE again. And it flaps here and there all the time:
Code:
[May 26 12:45:02] VERBOSE[29264] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:3120
[May 26 12:45:02] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (78ms / 2000ms)
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 12:54:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 99
[May 26 12:54:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (83ms / 2000ms)
[May 26 12:59:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 95
[May 26 12:59:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (86ms / 2000ms)
[May 26 13:02:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 80
[May 26 13:02:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (92ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
[May 26 13:13:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 90
[May 26 13:13:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (71ms / 2000ms)
[May 26 13:20:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 81
[May 26 13:20:45] VERBOSE[30199] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:2660
[May 26 13:20:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 13:22:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 79
[May 26 13:23:41] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (84ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Lagged. (3554ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (188ms / 2000ms)
[May 26 13:27:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 72
[May 26 13:28:42] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (73ms / 2000ms)

In the phone's logs there's nothing quite interesting, some TLS errors from time to time:
Code:
May 26 10:08:46 LIBD[352]: DCMN<3+error > SSL_connect select(read) error (Resource temporarily unavailable)
May 26 10:08:46 LIBD[352]: HTTP<3+error > Connect Error
May 26 10:08:46 ATP [352]: ATP <3+error > https to file failed, code = -3, msg = Connect Failed, retry = 1

2. Phone takes almost 5 minutes to download stuff from HTTPS server. It downloads 5 XML phonebooks (total size around 50k), firmware, dialnow, certificates, config. Here's the server's log for the bootup:
Code:
[26/May/2015:14:47:46 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:08 +0300] "GET /yealink/phonebooks/phonebook_a.xml HTTP/1.1" 200 13265 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:10 +0300] "GET /yealink/phonebooks/phonebook_b.xml HTTP/1.1" 200 391 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:16 +0300] "GET /yealink/phonebooks/phonebook_c.xml HTTP/1.1" 200 25620 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:31 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:32 +0300] "GET /yealink/phonebooks/phonebook_d.xml HTTP/1.1" 200 11529 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:52 +0300] "GET /yealink/phonebooks/phonebook_e.xml HTTP/1.1" 200 5940 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:54 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:49:49 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:00 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:10 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:22 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:33 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:44 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:56 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:07 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:19 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:30 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:16 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:27 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:38 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"

It's not a problem by itself, but there seems to be a problem with the phone's performance.

Is there anything I can do to make it send and receive calls stably?
Maybe some tweaks are needed? Phone's syslog attached.

P.S.
The certificates are usual 2048-bit SHA1, so it shouldn't be too hard for the phone's CPU to handle them.


05-26-2015 07:39 PM
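An added example, not part of the original post: it parses the HTTPS server log lines above and measures the pause that follows each request. The `max_bytes` and `min_gap` thresholds and all function names are assumptions chosen for illustration; the sample lines are copied from the log in this post.

```python
import re
from datetime import datetime

# Consecutive request lines from the server log in this post, copied unchanged.
SAMPLE = """\
[26/May/2015:14:50:22 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:33 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:44 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:56 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:07 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:19 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:30 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
"""

REQ = re.compile(r'\[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

def parse(log_text):
    """Return [(timestamp, path, status, bytes_sent), ...] in log order."""
    rows = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            rows.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return rows

def gaps_after(rows):
    """For each request but the last: (path, bytes_sent, seconds until next request)."""
    return [(path, size, int((nxt[0] - ts).total_seconds()))
            for (ts, path, _status, size), nxt in zip(rows, rows[1:])]

def slow_small_fetches(rows, max_bytes=8192, min_gap=10):
    """Small responses still followed by a long pause (thresholds are assumptions)."""
    return [(p, s, g) for p, s, g in gaps_after(rows)
            if s <= max_bytes and g >= min_gap]

if __name__ == "__main__":
    for path, size, gap in gaps_after(parse(SAMPLE)):
        print(f"{gap:3d}s after {size:>8d} bytes  {path}")
```

On these lines the pause is 11 to 12 seconds whether the preceding response was 206 bytes or about 7 MB, so the size of the transfer does not account for the boot time.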
Flora_Yealink
Post: #2
Hi,
Thanks for your information.
1. Yes, Yealink phones can support 2048-bit SHA1.
2. For the TLS issue, do you mean that after registering account 1699 by TLS, it sometimes can't make or receive calls? How often does the issue happen?
And how many phones do you have? Do all of them have the same issue?
Please provide us the config.bin file, a pcap trace and a level 6 syslog for debugging.

3. The phone takes almost 5 minutes to download stuff from the HTTPS server; the speed is decided by the current network as well, and it includes the firmware download and also a request for a non-existent file. Please help check the network speed as well.
Best Regards!
Flora
05-26-2015 10:22 PM
blind_oracle
Post: #3
2. Yes, Asterisk PBX sends OPTIONS requests to the phone from time to time (every 60 sec) to check if it's alive.
When using TLS, the phone fails to respond to this request in time, so the PBX marks it as UNREACHABLE.
How often is visible from the logs in my initial message - it is marked UNREACHABLE every several minutes.

When using UDP this problem does not occur - we have around 300 phones (95% of them are T22P) and they work fine through UDP.
I'm testing on two phones T22P with different firmware (as stated in my initial message), both have the issue.

If I disable phone testing on the PBX (qualify=no in sip.conf) the phone is marked UNMONITORED, and the problem still persists - it cannot send or receive calls, or does this very slowly.
Sometimes when I hang up the caller's phone, the phone that I am calling (with TLS enabled) is still ringing anyway.

3. When using HTTP (without TLS) it boots very quickly, so the network is not involved, and neither is the HTTPS server - it's very resourceful and can serve a lot of clients. Other HTTPS clients show normal speed, just Yealink phones are slow.

I've sent you an email through the forum with the requested files.
05-27-2015 04:23 PM
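An added example, not part of the original posts: it pairs each UNREACHABLE notice from the chan_sip log in the first post with the next Reachable notice for the same peer, giving the length of every outage caused by a missed qualify OPTIONS reply. The function names and the `min_outages` threshold are assumptions; the log format carries no year, so 2015 is assumed from the post date.

```python
import re
from datetime import datetime

# Subset of the chan_sip lines from the first post, copied unchanged.
SAMPLE = """\
[May 26 12:45:02] VERBOSE[29264] chan_sip.c:     -- Registered SIP '1699' at 10.1.33.163:3120
[May 26 12:45:02] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (78ms / 2000ms)
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 12:54:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 99
[May 26 12:54:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (83ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE!  Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Lagged. (3554ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (188ms / 2000ms)
"""

EVENT = re.compile(r"\[(\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
                   r"Peer '([^']+)' is now (Reachable|UNREACHABLE|Lagged)")

def outages(log_text, year=2015):
    """Pair each UNREACHABLE with the next Reachable; return {peer: [seconds, ...]}."""
    down_since, result = {}, {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue                          # registrations and unrelated lines
        # The log format has no year; 2015 is assumed from the post date.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        peer, state = m.group(2), m.group(3)
        if state == "UNREACHABLE":
            down_since.setdefault(peer, ts)   # keep the first loss of contact
        elif state == "Reachable" and peer in down_since:
            gap = ts - down_since.pop(peer)
            result.setdefault(peer, []).append(int(gap.total_seconds()))
    return result                             # Lagged notices are ignored

def flapping_peers(log_text, min_outages=3):
    """Return {peer: (count, total_seconds, longest)} for peers at or over the threshold."""
    return {peer: (len(d), sum(d), max(d))
            for peer, d in outages(log_text).items() if len(d) >= min_outages}

if __name__ == "__main__":
    for peer, (n, total, longest) in flapping_peers(SAMPLE).items():
        print(f"peer {peer}: {n} outages, {total}s down, longest {longest}s")
```

Run per transport over a full log, the same summary makes it easy to compare TLS peers against the UDP peers that the post reports as stable.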
Flora_Yealink
Post: #4
Thanks, reply through the email.
Best Regards!
Flora
05-27-2015 10:30 PM
Nathaniel
Post: #5
Did you get a resolution to this?

I've encountered a very similar thing with the T19 phones randomly dropping TLS registration with the PBX; a reboot temporarily resolves it, but using TCP protocol for registration never drops.
06-09-2015 04:11 PM
Flora_Yealink
Post: #6
Hi Nathaniel,
For the TLS issue, please help us confirm the items below:
1. How often does the issue happen?
2. How many phones do you have? Do all of them have the same issue?
3. Please help provide us the config.bin file, pcap trace and level 6 syslog for debug; please export the log to the server side so that we can get a full syslog.
http://forum.yealink.com/forum/showthread.php?tid=1319
Best Regards!
Flora
06-10-2015 04:14 AM