Avaya                 README.TXT               June 2007

_______________________________________________________________

                       

     Avaya VPNremote Telephone Release Notes

 

 

This file provides product information for the Avaya VPNremote Phone.

The software bundle will include the following:

 

H323_VPN_232_4 is the English version

H323_VPN_232_4_ch_ru is the Chinese / Russian version 

H323_VPN_232_4_ja_ru is the Japanese / Russian version

 

 

The following topics are covered:

 

Section I:  New Features

Section II: System Requirements

Section III: Improvements and Fixes

Section IV: Known Issues and Workarounds

Section V:  Helpful Hints

Section VI: Contacting Avaya Technical Support

Appendix A: Supported Hardware

 

______________________________________________________________

 

Section I:  New Features in VPNremote Telephone 

______________________________________________________________

 

VPNphone delivers the next generation of secure remote 

IP telephony. VPNphone provides secure Voice over IP for

both local and remote users with a stand alone IP telephone.

 

For VoIP, it allows users to use the same phone number, 

irrespective of the location. 

 

New Functionality includes:

 

1. Support for Nortel Contivity and Checkpoint/Nokia VPN devices

2. Support for Certificate based VPNs

3. Qtest enhancements

      1. Allows the phone to receive calls while Qtest is running

      2. Allows for a backend server for Qtest responder

      3. Allows for a Qtest server on Corporate Network to initiate Qtest

4. WebLM License support removed

5. VPN MIB support

6. Single 46vpnsettings_template.txt for easy modification.

7. New VPNremote phone self Installer

 

_______________________________________________________________

 

Section II:  System requirements

_______________________________________________________________

 

1. IP Telephone models 4610, 4620, 4621, 4622 and 4625

2. Security Gateway

Firmware version 4.6.22 or above

3. Cisco VPN 3000 Series Concentrators 

4. Cisco PIX 500 Series Security Appliances 

5. Netscreen/Juniper NS series VPN Devices 

Screen OS 5.1.0 or above 

6. Netscreen/Juniper SSG Series VPN Devices 

Screen OS 5.1.0 or above 

7. Netscreen/Juniper ISG Series VPN Devices 

Screen OS 5.1.0 or above 

8. Checkpoint VPN-1

9. Nortel Contivity

 

_______________________________________________________________

Section III:  Fixes and improvements

_______________________________________________________________

 

 

1. Resolved issue of IP Telephone log stored in flash in the

   wrong chronological order. Reference# 8732

 

2. Resolved issue where authentication errors were observed in the

   middle of a call. Reference# 8736

 

3. Resolved issue of no screen display for the following combination:

   VPN Start mode (BOOT) & 46xxsetting.txt - ACTIVATEVPN 0 and

   ALLOWSTOPVPN 1. Reference# 8739

 

4. Resolved issue where outgoing IPSec packets were being

   processed twice, affecting Ethernet headers, if 802.1Q tagging was

   turned ON. Reference# 8737.

 

5. Resolved issue where VPNphone was not able to access and display

   Web screens when the VPN tunnel was active. Reference# 8845.

 

6. Resolved issue where, when the phone is off-hook, the top line does not

   display the time or the no-encryption icon on the screen.

   Reference # 8654

 

7. Resolved issue where, during a VPN connection, when the Edit softkey

   was pressed, the phone was displaying "Please Wait" for an extended

   time. Reference# 8847.

 

8. Resolved issue where phone would reboot when phone application

   reported loss of connectivity with CLAN when the VPN tunnel was 

   still active. Reference # 8942

 

9. Resolved memory leak issue when syslogging was active.

   Reference # 8917.

 

10. Resolved issue where, if Edit is selected during the connection process and

    then Cancel is selected, the retry connection intermittently fails.

    Reference# 8865

 

 

________________________________________________________________

 

Section IV:  Known Issues and Workarounds

________________________________________________________________

 

1. VPNphone crashes when the ping size from the phone console is 1992

   or larger. Reference # 8680

 

   Work around: Use ping size below 1992.

 

2. HTTP Download of BigApp fails if Path MTU discovery is enabled.

   Reference # 8730.

 

   Work around: None

 

3. When token authentication is used and the network connectivity

   check fails, the VPNphone tries to re-authenticate with same 

   passcode instead of prompting for new passcode. Reference # 8840.

 

   Work around: Restart phone.

 

4. When the phone is rebooted, the VPN Start up mode of On Demand is

   disabled, preventing the phone from switching between H.323 mode and

   VPN mode. Reference # 8930

 

   Work around: Configure the VPN Start mode from the settings file using

   the command set NVVPNMODE 3.

 

5. VPNremote phone does not work with Security Gateway when ACE Next Tokencode

   mode occurs. Reference # 8906.

 

   Work around: Do not use Next Tokencode mode.

 

6. VPNremote phone fails to receive a DHCP response from a Linksys WCG200.

   Reference # 8982.

 

   Work around: Statically configure phone.

7. VPNremote phone fails to register when there are two NAT devices between the 

   phone and the gateway. Reference# 9121.

 

   Work around: None

 

8. UDP encapsulation on the VPNremote phone does not function with Checkpoint software

   series. Reference# 9110.

 

   Work around: Disable UDP encapsulation.

 

9. VPNphone fails to re-authenticate when Next Token Code is enabled on RSA Server 6.1.

   This is a vendor-side issue. Reference# 9005

 

   Work around: None

 

10. Checkpoint IP address default lease duration is set to 15 minutes. This lease time

    must be set to match the IKE phase 1 lifetime value.

 

    Work around: None

 

11. Default Cisco PIX config mode setting is None; this setting must be set to Initiate,

    Respond or Initiate and Respond.

 

    Work around: None

 

12. When using HTTP for upgrading the VPNremote Phone software 232_3 to the latest

    release 232_4, the upgrade fails causing the phone to lose the VPN software.

 

    Work around: Use a TFTP server for all remotely deployed phones.

 

 

________________________________________________________________

Section V:  Helpful Hints

________________________________________________________________

 

-  When VPNphone is in a problem state, document all error 

   messages displayed on screen.

 

-  View VPN status by selecting the Options button.

 

- Most often used phone commands

 

  - mute vpnnmod# (VPN Configuration)

  - mute QOS# (QoS Configuration)

  - mute log# (Syslog, logging level)

  - mute addr# (same as * to program.)

 

- Defined IP telephone models listed in the "Supported Hardware"

  section can be converted to VPNphones by upgrading the phones

  with the VPNphone software through the normal TFTP server by

  following the documented conversion process.

 

- Multiple VPN phones using the same User ID cannot connect to the same central

  site Security Gateway. Each VPNremote phone must connect to different Security

  Gateways to prevent conflicts.

 

- Converting non-VPN H.323 Phones to VPN Capable H.323 Phones

 

All supported 46XXSW IP telephones shipped from the factory are pre-loaded with

non-VPN H.323 code. The following steps provide a step-by-step procedure

for loading a factory-fresh or previously used non-VPN H.323 set

with VPN Capable H323 code.

 

To convert from non-VPN H.323 image to VPN capable H.323 image, the

provisioning environment must be set in advance. In other words, it is 

suggested the firmware should be loaded into your phone from within your

local network prior to taking the VPN Phone home.  

 

Once an internal TFTP server has been set up to provide upgrades

to the supported H.323 46xxSW phones with the 46xxupgrade.scr, the TFTP server

will provide the correct firmware upgrade.

 

Converting a group of non-VPN H.323 sets to VPN capable H.323 sets using

GROUP method.

 

Boot up your phone.  After the phone has completed booting, set the GROUP

of each phone which you want to upgrade to VPN capable H.323 to 876.

 

Press Mute 47687 #. This will invoke the local procedure to change the

GROUP of the phone. Enter 876# (use the Page LEFT key to erase any typing error).

 

Press # to save

 

Get new Firmware Load:  Set your file server IP address to the correct

local TFTP file server.  Note that this IP address must be reachable on a

local network.

 

Press Mute 2337#

 

This will allow you to change addresses of the IP phone along with other

network settings. This is required to configure the TFTP server that will provide

the correct VPN firmware.

 

After the firmware has been loaded, the phone can be configured for the remote

network. If DHCP is used, then set the phone IP address, gateway and mask to 0.0.0.0.

 

With the new firmware loaded, the new VPN configuration menu will be seen

when you configure the phone with Mute 2337#. Please refer to Appendix B of the

VPNremotePhone documentation for more details.

 

 

- Manufacturer specific issues

This section highlights the known manufacturer-specific issues that interfere with VPNremote phone functionality.

Cisco systems, Inc. VPN 3000 series concentrator

1.    Under the Client FW tab of the VPNremote phone group, the No Firewall option must be selected for the attribute Firewall Setting.

2.    Under the HW Client tab of the VPNremote phone group, all attributes must be left unchecked.

3.    Under the NAC tab of the VPNremote phone group, Enable NAC must be left unchecked.

4.    Under the IPsec tab of the VPNremote phone group, the value for the attribute Client type & Version limiting must be left blank.

5.    VPNremote phone users will not be able to change their password upon password expiry when using RADIUS with expiry.

Symptoms:

In cases 1, 2, 3 and 4, the VPNremote phone will fail to complete phase 2.

In case 5, authentication fails after password expiry.

 

Juniper/Netscreen 

1.    Security Gateway must be running Screen OS 5.1.0 or higher. 

2.    Disable H.323 ALG. 

3.    Disable shuffling on Call Server.

Symptoms:

In cases 1 and 2, the VPNremote phone will not encounter any errors during tunnel setup but will fail to register with the call server on 4620, 4621, 4622 and 4610 models, and there will not be any dial tone on 4625 models.

In case 3, two VPNremote phones will fail to establish a talk path.

 

Nortel Contivity 

1.    Tunnelguard must be disabled

2.    Client minimum version must be set to None

3.    NAT Traversal must be enabled

4.    NAT Traversal must be set to Auto-Detect

 

 

 

Section VI:  Contacting Avaya Security Technical Support

_________________________________________________________________

 

 

Technical Support is available 24 hours a day, 7 days a week to 

support contract holders of Avaya Security products. Please use 

the following to contact Avaya support.

 

Avaya 

Technical Support Department

1001 Murphy Ranch Rd

Milpitas, CA 95035 USA

 

 

US:

 

Phone           +1-800-237-0016

E-mail          vpnsupport@avaya.com

Web             http://support.avaya.com

 

 

EMEA (Europe Middle East Africa) Email: 

csctechnical@avaya.com

 

AP (Asia Pacific) Email: 

sgcoe@avaya.com

 

CALA (Caribbean And Latin America) Email: 

caladatasupp@avaya.com

 

*Please go to the following internet website to obtain regional

EMEA, AP and CALA Avaya support contact numbers:

 

http://www.avayanetwork.com/site/GSO/default.htm

 

_____________________________________________________________

Appendix A.  Supported Hardware

_____________________________________________________________

 

VPNphone software supports the following IP telephones

 

-  4610sw

-  4620sw

-  4621sw

-  4622sw

-  4625sw

