5th November 2008

Nortel VPN Client - Checking for banner text

With the recent surge in gas prices many employers and employees have taken to telecommuting. The surge has given rise to an avalanche of trouble tickets and support calls from folks trying to use their employer's virtual private network solution from their home personal computers and broadband connections.

One typical problem that some users might encounter when using the Nortel VPN client is the “Checking for banner text” message. During the initial stage of connecting, the Nortel VPN client will display the “Checking for banner text” message and then either become unresponsive or report to the user that the connection was lost.

Let me paraphrase from the Nortel documentation:

A common reason for the banner message to stop responding is a firewall or router, placed somewhere along the path from the remote computer to the gateway, which blocks ESP or Authentication Header (AH) traffic. The firewall can be a personal firewall installed on the remote computer, a firewall or router at the Internet Service Provider (ISP), or a corporate firewall. In this situation, IPsec Internet Security and Key Management Protocol (ISAKMP) traffic that negotiates the tunnel establishment goes through the tunnel, but the ESP- or AH-encapsulated traffic inside the tunnel does not get through. When the banner text is retrieved through the established tunnel, the banner message or other traffic secured by the ESP or AH never reaches the client and the Nortel VPN Client continues to wait for a response from the gateway until a timeout period is reached. To resolve this issue, ensure the following traffic is allowed to pass through the firewalls along the path:

UDP protocol (17) port 500, both inbound and outbound
ESP protocol (50), both inbound and outbound
AH protocol (51), both inbound and outbound

The same scenario occurs as in the previous section if Network Address Translation Traversal (NAT-T) is configured and the firewall blocks the UDP port selected for NAT-T along the path. To resolve this issue, you’ll need to ensure the port that is being utilized can pass through the firewalls on a personal, corporate, or ISP level. You’ll need to contact whoever is managing the VPN router to determine which UDP port you might need to open.
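As an added example (not from the original post), the small Python diagnosis below models the symptom described above: it takes a summary of the packets seen at the client, checks that the ISAKMP exchange on UDP 500 completed, and then reports whether ESP, AH, or NAT-T traffic is missing in one direction. The protocol numbers and port 500 are from the post; the NAT-T port 4500 and the flow records are assumptions/constructed.

```python
"""Diagnose the "Checking for banner text" hang from a flow summary.

Added example, not from the original post. It models the symptom the post
describes: IKE/ISAKMP on UDP 500 completes, but the ESP (50) or AH (51)
packets that would carry the banner never come back, so the client waits
until it times out. All flow records below are constructed.
"""
from collections import Counter

# Protocol numbers and the ISAKMP port are from the post. The NAT-T port is
# an assumption: UDP 4500 is the RFC 3948 default, but the post notes the
# gateway administrator may have chosen a different port.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
ISAKMP_PORT, NAT_T_PORT = 500, 4500


def tally(flows):
    """Count packets per (kind, direction) for the IPsec-relevant traffic."""
    counts = Counter()
    for proto, port, direction in flows:
        if proto == PROTO_UDP and port == ISAKMP_PORT:
            counts[("isakmp", direction)] += 1
        elif proto == PROTO_UDP and port == NAT_T_PORT:
            counts[("nat-t", direction)] += 1
        elif proto == PROTO_ESP:
            counts[("esp", direction)] += 1
        elif proto == PROTO_AH:
            counts[("ah", direction)] += 1
    return counts


def diagnose(flows):
    """Return a one-line verdict on why the banner exchange could stall.

    flows: iterable of (ip_protocol, udp_port_or_None, "in" | "out").
    """
    c = tally(flows)
    if not (c[("isakmp", "out")] and c[("isakmp", "in")]):
        return "no IKE exchange: UDP 500 blocked or gateway unreachable"
    # Tunnel traffic may appear as ESP, AH, or ESP wrapped in UDP (NAT-T).
    out = c[("esp", "out")] + c[("ah", "out")] + c[("nat-t", "out")]
    inb = c[("esp", "in")] + c[("ah", "in")] + c[("nat-t", "in")]
    if out and not inb:
        return "IKE completed but nothing encapsulated came back: inbound ESP/AH or NAT-T port blocked"
    if not out:
        return "IKE completed but client sent nothing encapsulated: outbound ESP/AH or NAT-T port blocked"
    return "IPsec traffic flowing both ways: look beyond the firewall"


# Constructed capture: IKE negotiates, the client sends ESP, no reply arrives.
BANNER_HANG = [
    (PROTO_UDP, ISAKMP_PORT, "out"), (PROTO_UDP, ISAKMP_PORT, "in"),
    (PROTO_UDP, ISAKMP_PORT, "out"), (PROTO_UDP, ISAKMP_PORT, "in"),
    (PROTO_ESP, None, "out"), (PROTO_ESP, None, "out"),
]

# Constructed capture of a healthy NAT-T tunnel for comparison.
HEALTHY_NAT_T = BANNER_HANG[:4] + [
    (PROTO_UDP, NAT_T_PORT, "out"), (PROTO_UDP, NAT_T_PORT, "in"),
]

if __name__ == "__main__":
    print(diagnose(BANNER_HANG))
    print(diagnose(HEALTHY_NAT_T))
```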

Cheers!

posted in VPNRouter | 0 Comments | 394 views

19th September 2008

Nortel VPN Router Configuration Guide

In this post I’ll provide an example of how to configure a Nortel VPN Router. We’ll configure the remote office VPN router for a tunnel with 3DES/SHA1 encryption and DH2 using pre-shared keys, routing all traffic to the main office across the tunnel (no split tunneling). You should start by connecting up to the local console port on the VPN router (the diskless 1100, 1050 and 1010 require a special RJ45 -> DB9 console cable). Log into the VPN router with the default username of “admin” and the default password of “setup” and reset it to factory defaults. You’ll find the option under “R” for “Reset System to Factory Defaults”.

Welcome to the Contivity Secure IP Services Gateway
Copyright (c) 1999-2004 Nortel Networks, Inc.

Version:                 V05_00.136
Creation date:           Aug 20 2004, 15:50:15

Date:                    07/23/1980
Unit Serial Number:      11221

Please enter the administrator's user name: admin

Please enter the administrator's password:

Main Menu:  System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode       FALSE
7) Allow HTTP Management            TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes

Please select a menu choice (1 - 9,B,P,C,L,R,E):

The first step will be to configure the IP addressing for the private LAN and public WAN interfaces. Using the serial console select “L) Command Line Interface” from the menu options.

CES>

Upon entering the CLI environment the prompt changes to “CES>”. You must now enter privileged mode using the “enable” command and entering the default admin password of “setup”.

CES>enable
Password: *********

Let’s take care of the easy stuff first. I’m currently working in the Eastern time zone:

CES#clock timezone est
CES#clock set 15:22:30 12 JANUARY 2005

You can discern from the syntax above that the format is: clock set <hh:mm:ss> <day> <month> <year>
Now you must enter configuration mode using the commands listed below. We’ll reset the admin password before anything else.

CES#configure terminal
Enter configuration commands, one per line.  End with Ctrl/z.
CES(config)#
CES(config)#adminname admin password <standard password>

We’ll configure the private LAN IP Address. In the example below I’m using 10.2.203.1 as the LAN address of the branch office VPN router.

CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.2.203.1 255.255.255.0
CES(config-if)#exit

Next we’ll configure the MANAGEMENT IP Address. The LAN address and management IP address must be on the same subnet.

CES(config)#ip address 10.2.203.10
Management address set to 10.2.203.10 successfully !
Next, make sure Mgt addr and private LAN addr are on same subnet
CES(config)#

You should use the IP addressing that’s been assigned to the equipment you’re configuring in place of the IP addressing used above. Next we’ll assign the public WAN IP address provided by the Internet Service Provider (ISP), which in this case happens to be Verizon DSL:

CES(config)#interface FastEthernet 1/1
CES(config-if)#ip address 70.256.1.10 255.255.255.0
%Warning: The IP address type is changed from DHCP dynamic to static
CES(config-if)#exit
CES(config)#ip default-network 70.256.1.1 public
CES(config)#ip name-server 151.197.0.38 151.197.0.39 199.45.32.43

NOTE: FastEthernet 0/1 is the PRIVATE LAN while FastEthernet 1/1 is the PUBLIC WAN
Let’s disable those services we won’t be using and enable those we will be using:

CES(config)#no tunnel protocol pptp public
CES(config)#no tunnel protocol pptp private
CES(config)#no tunnel protocol l2tp public
CES(config)#no tunnel protocol l2tp private
CES(config)#ipsec encryption 3des-sha1
CES(config)#ipsec encryption aes256-sha1
CES(config)#no ipsec encryption aes128-sha1
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config)#no ipsec encryption hmac-sha1

Let’s configure the “Base” default Branch Office Group with the standard settings.

CES(config)#bo-group ipsec /Base
CES(config-bo_group/ipsec)#encryption 3des-sha1
CES(config-bo_group/ipsec)#encryption ike 3des-group2
CES(config-bo_group/ipsec)#antireplay enable
CES(config-bo_group/ipsec)#no compress
CES(config-bo_group/ipsec)#initial-contact enable
CES(config-bo_group/ipsec)#exit

Let’s add a designator for the local network (to be used later – replace with your IP network)

CES(config)#network add LocalNetwork ip 10.2.203.0 mask 255.255.255.0

Let’s add a sub group for our IPsec tunnel configuration:

CES(config)#bo-group add /Base/AcmeHealth
CES(config)#bo-conn add Acme-1 /Base/AcmeHealth
CES(config)#bo-conn Acme-1 /Base/AcmeHealth
CES(config/bo_conn)#conn-type peer2peer
CES(config/bo_conn)#local-endpoint 70.256.1.10
CES(config/bo_conn)#remote-endpoint 192.1.1.124
CES(config/bo_conn)#tunnel-type ipsec
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn)#routing type static
CES(config/bo_conn)#state enable
CES(config/bo_conn)#routing static
CES(config/bo_conn/routing_static)#local-network LocalNetwork
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config/bo_conn/routing_static)#exit

Let’s set up the DHCP relay agent, forwarding our DHCP/BOOTP requests to 10.2.16.40:

CES(config)#no service dhcp enable
CES(config)#ip default-network 70.20.130.1 public
CES(config)#ip dhcp-relay 10.2.203.1
CES(config)#ip dhcp-relay 10.2.203.1 enable
CES(config)#ip helper-address 10.2.203.1 server 1 10.2.16.40
CES(config)#ip forward-protocol dhcp-relay

Since we’re routing everything over the IPSec tunnel (the remote-network was 0.0.0.0 with a mask of 0.0.0.0) we need to change the default route preference.

CES(config)#ip default-route-preference private
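The procedure above relies on a few constraints that are easy to miss when typing into the CLI: the management address must share the private LAN subnet, a 0.0.0.0/0 remote-network needs the default route preference switched to private, and the weak DES/MD5 suites should all be turned off. As an added example (not Nortel tooling and not from the original post), this Python lint reads a CES transcript and checks those points plus the length of the text pre-shared key; the transcript, the 16-character key floor and the interface roles are constructed/assumed from the steps above.

```python
"""Lint a Nortel VPN Router (CES) CLI transcript for the constraints in the post.

Added example, not Nortel tooling and not from the original post. It checks that
the management address shares the private LAN subnet, that a 0.0.0.0/0
remote-network is paired with `ip default-route-preference private`, that the
DES/MD5 suites are explicitly disabled, and that the text pre-shared key is not
trivially short. The transcript below is constructed from the post's steps.
"""
import ipaddress
import re

WEAK_SUITES = ("des40-md5", "des40-sha1", "des56-md5", "des56-sha1", "hmac-md5")
MIN_PSK_LEN = 16  # assumption: a conservative floor for a text pre-shared key
PROMPT = re.compile(r"^CES\([^)]*\)#\s*(\S.*)$")  # CES(config...)# <command>

SAMPLE = """\
CES(config)#interface FastEthernet 0/1
CES(config-if)#ip address 10.2.203.1 255.255.255.0
CES(config-if)#exit
CES(config)#ip address 10.2.203.10
Management address set to 10.2.203.10 successfully !
CES(config)#no ipsec encryption des40-md5
CES(config)#no ipsec encryption des40-sha1
CES(config)#no ipsec encryption des56-md5
CES(config)#no ipsec encryption des56-sha1
CES(config)#no ipsec encryption hmac-md5
CES(config/bo_conn)#ipsec authentication text-pre-shared-key password987
CES(config/bo_conn/routing_static)#remote-network 0.0.0.0 mask 0.0.0.0 state enable cost 1
CES(config)#ip default-route-preference private
"""


def lint(transcript):
    """Return a list of findings; an empty list means the transcript passed."""
    findings, disabled, lan, mgmt = [], set(), None, None
    in_private_if = default_route_all = pref_private = False
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # router output, not a typed command
        c = m.group(1).strip()
        parts = c.split()
        if c == "exit":
            in_private_if = False
        elif c.startswith("interface "):
            in_private_if = c.endswith("FastEthernet 0/1")  # private LAN per the post
        elif c.startswith("ip address ") and in_private_if and len(parts) == 4:
            lan = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif c.startswith("ip address ") and len(parts) == 3:
            mgmt = ipaddress.ip_address(parts[2])  # management address
        elif c.startswith("remote-network 0.0.0.0 mask 0.0.0.0"):
            default_route_all = True
        elif c == "ip default-route-preference private":
            pref_private = True
        elif c.startswith("no ipsec encryption "):
            disabled.add(parts[-1])
        elif "text-pre-shared-key" in c and len(parts[-1]) < MIN_PSK_LEN:
            findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    if lan and mgmt and mgmt not in lan.network:
        findings.append(f"management address {mgmt} not in private LAN {lan.network}")
    if default_route_all and not pref_private:
        findings.append("remote-network 0.0.0.0/0 without 'ip default-route-preference private'")
    findings += [f"weak suite still enabled: {s}" for s in WEAK_SUITES if s not in disabled]
    return findings
```

Running `lint(SAMPLE)` flags only the short pre-shared key; dropping the default-route-preference line or moving the management address to another subnet adds the corresponding finding.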

That’s the short approach to using the CLI to configure the Nortel VPN Router. There is a somewhat old and slow web interface that you can also use to configure the VPN router. You only need to point a web browser to the management IP address.

Cheers!

Update: Wednesday December 10, 2008
Here’s the pinout for the special RJ45 to DB9 serial cable used to access the diskless VPN routers:

Cheers!

posted in Nortel, VPNRouter | 11 Comments | 1,071 views

6th August 2008

What does "watchdog timeout" mean on Nortel wireless phones?


I’ve been working with Motorola and Nortel for the past 9 months troubleshooting an issue that was causing the Nortel wireless phones (2210, 2211, 6120, 6140) to reset while the phone was idle. We eventually traced the problem to a buffer overload issue on the AP300 due to the extreme chattiness of the Spectralink Voice Priority (SVP) and UNIStim protocols and the prolonged power save polling (1.5 seconds) of the Nortel wireless phones. Motorola just released v1.2.0.0 and v3.2.0.0 software for the RFS7000 and WS5100 respectively that resolves this problem by increasing the buffer space on the AP300 allocated per (voice) mobile unit. Thanks to Nortel and Motorola for their diligent work in tracking down this “needle in a haystack”.

It was a challenge to understand all the different heartbeats, timeouts and protocols that were in play between the handset, the Nortel 2245 wireless gateway and ultimately the Nortel Succession Signaling Server. Any Nortel IP phone running the UNIStim protocol has a watchdog timer that counts down from 200 seconds. The watchdog timer must be reset by a watchdog reset (heartbeat) message sent out by the Nortel Succession Signaling Server every 30 seconds. If a handset (remember, this applies to any Nortel IP handset running UNIStim, such as the i2002, i2004, 1120e, 1140e, 1150e, 2210, 2211, 6120 and 6140) misses too many of these heartbeats, the phone will reset itself, usually displaying the message “watchdog timeout”, indicating that the watchdog timer has reached zero and the phone is attempting to recover from the problem by resetting itself. With the Nortel 2210, 2211, 6120 and 6140 you also have the SVP heartbeats and timeouts to worry about.
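As an added example (not Nortel code and not from the original post), the Python model below plays the 200-second countdown against 30-second heartbeats and a constructed delivered/lost pattern, which makes the threshold explicit: the timer is reloaded by each heartbeat that arrives, so it takes six consecutive lost heartbeats (the seventh would arrive at 210 seconds) before a “watchdog timeout” reset. The loss patterns and the arrival-time model are constructed.

```python
"""Model of the UNIStim watchdog described in the post (added example, not
Nortel code). The handset counts down from WATCHDOG_S seconds and every
heartbeat from the Succession Signaling Server, sent every HEARTBEAT_S
seconds, reloads it; when the countdown hits zero the phone resets with
"watchdog timeout". Loss patterns below are constructed.
"""
WATCHDOG_S = 200   # countdown on the handset, per the post
HEARTBEAT_S = 30   # server heartbeat interval, per the post


def heartbeat_arrivals(delivered, interval=HEARTBEAT_S):
    """Turn a per-heartbeat delivered/lost pattern into arrival times.

    Heartbeat k (k starting at 1) is sent at k*interval and reaches the
    handset only when delivered[k-1] is True.
    """
    return [k * interval for k, ok in enumerate(delivered, start=1) if ok]


def watchdog_resets(arrivals, horizon, timer=WATCHDOG_S):
    """Return the times at which the watchdog expires within [0, horizon].

    Each arrival reloads the countdown; after an expiry the phone reboots
    and the countdown starts again, so one long outage can produce several
    resets. An arrival exactly at the deadline counts as too late.
    """
    resets = []
    deadline = timer  # first expiry if nothing ever arrives
    for t in sorted(a for a in arrivals if a <= horizon):
        while deadline <= t:
            resets.append(deadline)
            deadline += timer
        deadline = t + timer
    while deadline <= horizon:
        resets.append(deadline)
        deadline += timer
    return resets


def consecutive_losses_to_reset(timer=WATCHDOG_S, interval=HEARTBEAT_S):
    """Smallest run of consecutive lost heartbeats that empties the timer."""
    n = 0
    while (n + 1) * interval <= timer:  # next heartbeat still lands in time
        n += 1
    return n


# Constructed patterns: three good heartbeats, an outage, then recovery.
SIX_LOST = [True] * 3 + [False] * 6 + [True] * 5
FIVE_LOST = [True] * 3 + [False] * 5 + [True] * 5

if __name__ == "__main__":
    print("losses needed:", consecutive_losses_to_reset())
    print("six lost  ->", watchdog_resets(heartbeat_arrivals(SIX_LOST), 420))
    print("five lost ->", watchdog_resets(heartbeat_arrivals(FIVE_LOST), 390))
```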

If you have some IP phones that are generating “watchdog timeout” messages, you’re probably losing packets somewhere in your network. With that said, I would advise anyone with such a problem to immediately contact their voice reseller and make sure their Succession Call Server and Signaling Server have the latest and greatest DEP (patches) list. Once that’s complete you’ll need to go about the task of isolating the possible locations where you could be dropping packets. If it’s a wired IP phone then the problem is much easier to troubleshoot and isolate. If it’s a wireless phone then you’ll have a few extra steps. You’ll obviously need to make sure that you have QoS (DiffServ) up and working within your environment and you’ll need to make sure that you have SVP support enabled on your wireless infrastructure. SpectraLink (recently acquired by Polycom) actually has a library of documents to help customers configure their wireless infrastructure properly to support the SpectraLink handsets.

Cheers!

Correction: August 19, 2008
The watch dog interval is actually 200 seconds long and not 120 seconds as originally posted.

Update: August 24, 2008
It would seem that this article has generated a lot of interest, including several inquiries by Nortel. So I thought I would try to add some additional explanation to help more clearly describe the problems and experiences I’ve had with the Nortel 2211 and 2210 wireless handsets. I won’t rewrite the original because I don’t think there is anything wrong with it, other than perhaps missing some attention to the specific details.

The Motorola WS5100 v3.x and RFS7000 v1.1 were technically broken for anyone using the Nortel 2211/2210/6120/6140 wireless handsets. The phones would often reset while idle because of a buffering issue on the Motorola AP300 access port. These problems have been resolved (as far as my testing indicates) in the Motorola WS5100 v3.2 and RFS7000 v1.2 software releases. Through our troubleshooting of this problem we learned a great deal about the Spectralink Voice Priority protocol and the UNIStim protocol. In short, the Nortel wireless handsets go into PSP (Power Save Polling) for approximately 1.5 seconds, during which time the handset turns off its radio to help save power and preserve battery life. The problem occurs while the phone is idle because of PSP mode; this is why no problems are ever reported while the phone is off-hook and actively being used. While the handset is in PSP mode the wireless network is responsible for buffering any packets that are sent to the handset. The SVP and UNIStim protocols can generate a lot of packets, causing the wireless network to discard some of them while the phone is in PSP mode. These discarded packets can, depending entirely on the timing, cause the phone either to reset or to be unregistered from the Succession Signaling Server.

I’ve been asked by quite a few people what can be done to help alleviate any potential issues:

  • The wireless infrastructure should be configured to support the SVP protocol
  • QoS (DiffServ) should be set to “Trusted” on every Ethernet switch port that will be used to connect the different equipment (Succession Signaling Server, Succession Voice Gateway Media Card, 2245, wireless infrastructure)
  • Design the wireless infrastructure so there is at least -60 dB of signal available and no more than 7 wireless handsets connected to a single access point/access port.

With all that said Nortel has literally just released v97.072 software for the Nortel 2211/2210 wireless handsets. While the release notes don’t seem to indicate any changes that are specific to “watchdog” issues it might be worth giving it a shot.

Cheers!

Update: Friday September 12, 2008
I’ve placed a copy of the Nortel document WLAN IP Telephony Installation and Commissioning (v3.3) on my website. This document should be a great help to many folks that are having issues with Nortel 22×0 and 61×0 wireless handsets.

posted in VPNRouter, VoiceOverIP | 3 Comments | 981 views

7th July 2008

Nortel VPN Router Recovery Floppy Disk

It would seem there are a lot of folks out there looking for the recovery floppy disk that can be used to recover a defective installation of a Nortel VPN Router 1700, 2700 and 5000. I believe this disk will also work with previous models such as the Contivity 1500, 2500, 2600 and 4000 series.

It is my understanding that you will still need the Administrator password in order to perform any action. If someone could confirm this I will update this article. I haven’t yet documented a way of recovering a lost Administrator password.

You will need to use “dd” or rawrite to write the image to a 1.4MB floppy disk.

http://www.michaelfmcnamara.com/files/vpnboot.zip

I don’t think this will draw the ire of Nortel but you never know. Please let me know if you are successful in booting the VPN router.

Cheers!

posted in VPNRouter | 7 Comments | 480 views

14th June 2008

Nortel Business Secure Router 222

We recently started looking for a more cost effective VPN router for small office and home office environments. With the current price of gas over $4.13/gallon there are a lot of businesses looking to try and ease the strain by effectively utilizing telecommuting for both voice and data applications. In my next few posts I’m going to look at some different technologies that a telecommuter could potentially use in the virtual office.

We’re currently using the Nortel VPN Router 1010, 1050 and 1100 models for mid-size to large offices but needed a more cost effective solution for home office environments such as remote call center agents and other professionals. It also doesn’t help that Nortel has manufacture-discontinued the 1010, 1050 and 1100 models (the bulletin from Nortel can be viewed here). There are two approaches that we are currently looking at with respect to the remote call center agents: 1) a hardware solution with a VPN router and IP phone; 2) a software solution with a VPN client and IP softphone. In this post I’m going to discuss my impressions of the Nortel Business Secure Router 222.

Let me be honest up front and tell you that I’m no fan of the Nortel VPN 200 Series Router from which this product was born. I know from opening a Nortel VPN 221 Router that it appears as if Nortel has OEM’d the product from Zyxel. I’m not sure if that’s still the case but the GUI of the BSR 222 looks almost identical to the VPN 221.

The Business Secure Router 222, specifically designed for the small to medium business (SMB), is a converged broadband access router that provides a secure connection to the Internet via digital subscriber line (DSL) or cable modem broadband services. The Business Secure Router 222 is an advanced, feature-rich router offered at an affordable price.

We tested the BSR 222 and were very happy with the results. We provisioned multiple IPSec tunnels with Triple DES encryption to a Nortel VPN Router 1700 (V06_05.140) using Asymmetric Branch Office Tunnel (ABOT) in Aggressive mode. In our previous tests with the VPN 221 router we had all sorts of issues with the IPSec tunnels staying up in Aggressive mode. With the BSR 222 we had no such issues using the exact same profile on the VPN Router 1700 we used for the VPN 221.

We also tested connecting a Nortel i2002 over the BSR 222 and found the call quality to be excellent. While I could have paired a BES 50 with the BSR 222 to provide PoE I decided to just use a power supply on the i2002. The hardware solution seems to be a very reliable and stable solution, as it probably should be. I would guess that a hardware solution such as this would cost around $800 (IP ISM, IP Phone, BSR 222). Please just remember that any VPN solution is only as stable as your broadband connection to the Internet.

The default username is “nnadmin” and the default password is “PlsChgMe!”. The default IP address is 192.168.1.1 and the router can be configured from a web browser by using the URL http://192.168.1.1.

In defense of the VPN 221 router it does support a feature called “Control Ping”. When this feature was configured it allowed the VPN 221 to determine if an IPSec tunnel had become disconnected from the far side. It did this by pinging an IP address that was within the tunnel network range. If the ping failed the router would essentially restart the tunnel by disconnecting it and reconnecting it. It would also keep the tunnel active on the far side preventing any keepalive issues from arising. When I configured this feature on the VPN 221 the tunnels seemed to work flawlessly. This same feature is available on the BSR 222 and it may be required if you find your tunnels bouncing up and down.

Cheers!

posted in VPNRouter | 2 Comments | 374 views

10th May 2008

Nortel VPN Router 1700 Restore Backup

We recently had an issue where the configuration of a Nortel VPN Router 1700 became corrupt, causing the VPN router to continually core dump and reboot itself. The solution required us to boot the VPN router from a floppy boot disk (the floppy disk was a previously created emergency recovery diskette; the floppy drive can be accessed by removing the front bezel). After we booted from the floppy disk we could factory reset the configuration and then restore the configuration from the previous night’s backup.

We needed to assign a temporary IP address from the serial interface and then use Internet Explorer to connect to the temporary IP address. We then selected the option to “Restore” the configuration from a backup. The backup needs to be an FTP site with the appropriate username and password.


The restore took about 30 minutes to complete and never really gave any indication that it was working other than the IE logo just swirling in the upper right hand corner of Internet Explorer. We were able to use Nortel’s Java Device Manager to confirm that there was a lot of data moving over the Ethernet switch port connecting the Nortel VPN Router so we knew it was probably working.

I should point out that the Nortel VPN Router 1010, 1050 and 1100 do not have floppy drives although they may support a PROM based recovery option which would need to be executed from the CLI (serial) interface while the router booted.

It also seems that Nortel will be manufacture-discontinuing the Nortel VPN Router 600, 1010 and 1100 at the end of December 2008. You can find the announcement here.

Cheers!

posted in VPNRouter | 0 Comments | 63 views
