I was recently testing the built-in UNIStim VPN Client (UVC) on the Avaya 1120e IP phone and needed to access the SSH console of the IP phone to check the status of the VPN connection to the Nortel VPN Router. I thought I’d take a few seconds to document the steps for anyone who might be interested. You need to be running firmware 0623C7F, 0624C7F, 0625C7F or 0627C7F (or later) for IP Phone 1110, 1120E, 1140E or 1150E respectively.
You can enable the SSH console with the following steps:
- Press the Services key twice in quick succession
- Select Local Diagnostics
- Select Advanced Diag Tools
- Place a checkmark in the box labeled Enable SSH
- Set the UserID
- Set the Password
- Apply the settings
There is no reboot required to enable the SSH console. Here’s a quick example of a session running the help command:
```
[root@centos ~]# ssh 10.1.1.10 -l admin
The authenticity of host '10.1.1.10 (10.1.1.10)' can't be established.
RSA key fingerprint is 09:14:95:11:c2:e6:d7:93:98:2c:4e:ce:e4:2c:64:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.10' (RSA) to the list of known hosts.
email@example.com's password:
Welcome to Nortel problem determination tool.
You are connected to IP Phone 1120E.
HW version:18001365FF5E4FFFFF FW version 0625C7F MAC 001365FFFFF IP 10.1.1.10
Type "pdtHelp" for list of available commands.
Bluetooth address 00140D01635B
Type "pdtHelp" for list of available commands.
Type "bye" to exit current shell.
PDT> pdtHelp
pdtHelp                                  Print PDT shell help
setLogLevel <loglevel>                   Set LogLevel, Critical:1, Major:2, Minor:3, Warning:4, Info:5
setRecoveryLevel <recovery level>        Set RecoveryLevel, Critical:1, Major:2, Minor:3
setAutoRecoveryFlag <flag>               Set auto recovery flag, turn on:1, turn off:0
printLogLevel                            Print current logLevel, Critical:1, Major:2, Minor:3, Warning: 4, Info:5
printRecoveryLevel                       Print current recoveryLevel, Critical:1, Major:2, Minor:3
printAutoRecoveryFlag                    Print auto recovery flag
printUptime                              Print set uptime
printLogFile [severity level]            Print log files; Args - Critical:1, Major:2, Minor:3, Warning:4, Info:5
clearLogFile                             Clear content of error log file
taskMonShow                              Show task monitor list
taskMonAddTask <taskName | task id>      Add a task to task minitor
taskMonRemoveTask <taskName | task id>   Remove a task from task monitor
setCpuSamplingPeriod <value>             Set CPU sampling period, range: 180-360s, step 10s
i                                        Print all task Info
ti <taskName | task id>                  Complete info on TCB for task
tt <taskName | task id>                  Task Trace
memShow [level]                          Show system memory partition blocks and statistics
checkStack <taskName | task id>          Print a task's stack usage
ls [dirname] [-f]                        List contents of directory, -f: include details
lsr [dirname]                            Recursive list of directory contents
cd [dirname]                             Set current working path
usbFsShow                                Display MSDOS volume configuration data of USB memory stick
usbls [dirname] [-f]                     List contents of USB directory, -f: include details
usblsr [dirname]                         Recursive list of USB directory contents
usbcd [dirname]                          Set current USB working path
pwd                                      print the current default directory
ping <host ip> [# of pings]              Test that a remote host is reachable
tracert <host ip> [max hops]             traceroute to any host
netinfo                                  Print common network info
routeshow                                Display host and network routing tables and stats
arpShow                                  Display entries in the system ARP table
listcerts                                List all trusted certificates
printcert <index>                        Print a trusted certificate in detail
listcrls                                 Prints a detailed list of CRLs
listdevcerts                             Prints all device certificates
listsecuritylogs                         Lists all events logged through the security interface
securitypolicy                           Prints the current Security Policy values
gxasinfo                                 Lists the GXAS configuration and current status
reportWidgetData                         shows widgets info
reportWindowData                         shows windows hierarchy
turnOnScreenScrape                       turn Screen Scrape feature on
turnOffScreenScrape                      turn Screen Scrape feature off
setScreenScrapeDelay <delay>             set delay in ms for the Screen Scrape process
sendKey <code> <state>                   Emulate key with a code "code". State 0/1/2 = Key Down Message/Key Up Message/Key combination down followed by up.
showVPNStatistics                        Show VPN Statistics
showVPNStatus                            Show VPN Status
showVPNFilter                            Show VPN Filter
setVPNLogLevel <loglevel>                Set VPN Log Level - 0:turn off log/1:log info/2:log info,error/3:log error,debug,info
printVPNLogLevel                         Print current VPN logLevel - 0:turn off log/1:log info/2:log info,error/3:log error,debug,info
showFIPSStatus                           Show FIPS Status
setVPNNatKeepaliveIntervalOverride <interval>  Set VPN NAT Keepalive Interval Override
scrShow                                  Show SCR Status
printSetInfo                             Print HardwareID, FirmwareID and MAC address
vxshell                                  Switch to vxShell
bye                                      Exit current shell
PDT>
```
I don’t know that I would advise someone to enable this feature on every IP phone they deploy but it can certainly be helpful if enabled when needed during troubleshooting.
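The session above accepts the phone's RSA host key on first contact. As an added example (not part of the original post), the Python below recomputes the fingerprint of a stored known_hosts entry, in the MD5 form printed in that session and in the SHA256 form that current OpenSSH clients print, and compares it with a fingerprint recorded beforehand over a trusted path. The sample key, the function names and the idea of a previously recorded fingerprint are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # length-prefixed field

def _mpint(value: int) -> bytes:
    # Positive SSH mpint: big-endian, sized so the top bit is always clear.
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

# Constructed sample, NOT a real phone key: the "modulus" is filler bytes.
_FILLER_N = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 4, "big") | 1
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(_FILLER_N)
SAMPLE_LINE = "10.1.1.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

def key_blob(known_hosts_line: str) -> bytes:
    """Return the raw public key blob from a 'host keytype base64' line."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[1].encode():
        raise ValueError("key type inside the blob does not match the line")
    return blob

def md5_fingerprint(line: str) -> str:
    """Colon-separated MD5 form, as printed in the session above."""
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(line: str) -> str:
    """'SHA256:' form printed by default by current OpenSSH clients."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(line: str, recorded: str) -> bool:
    """True only if the stored key hashes to the recorded fingerprint."""
    if recorded.startswith("SHA256:"):
        return hmac.compare_digest(sha256_fingerprint(line).encode(), recorded.encode())
    return hmac.compare_digest(md5_fingerprint(line).encode(), recorded.lower().encode())
```

A mismatch means the key stored for that address is not the one that was recorded, which is the condition to investigate before typing the console password.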
Mike Schock says
I just upgraded our 1140E’s to 0625C7M and saw the VPN settings. I’m excited that you mentioned that you were doing testing!
I did a little searching in the NTPs and found that the Contivity 1750 was compatible (NN43001-368 06.08 4 June 2010 p. 591). So I did what any self-respecting phone guy would do… jumped on eBay and bought one. After a bit of fighting with it, I was able to get in…
sniffer trace showed ARP of gateway IP
used DOS command line on same subnet to find management IP: FOR /L %i IN (1,1,254) DO ping -n 1 172.16.131.%i | FIND /i "Reply">> c:\ipaddresses.txt
and then finally able to set back to factory default with floppy :-)
Now I am able to access the 1750. I set the LAN interface IP and I can now hit the web interface. After perusing the configuration screens a bit, I am feeling a bit overwhelmed. Do you happen to have a ‘Configuring a Contivity 1750 to work with an 1140E for Dummies’ post floating around out there? In lieu of that, what documentation would you deem appropriate to read?
Michael McNamara says
Your post is really timely… I just looked down at my 1120e (at home) and noticed a display banner reading “Evaluation period will expire on 2010-09-02. Contact your administrator”. I’ve been running a 1120e from home (over Verizon FiOS) to a NVR 1700 v7.04.359 for the past 60 days with great success. I’ve never dropped a call and could almost never tell I was connected remotely. In one case I totally forgot I was on an “Internet” call when I rebooted my Verizon Actiontec router while trying to troubleshoot another issue that ultimately turned out to be a repeater problem. Unfortunately the evaluation license is coming to an end so I’ll need to go configure the new Juniper SRX240 (branch) and Juniper SRX650 (main) in order to connect my older i2007 IP phone.
Before I go too far let me say that I’m impressed you knew the steps to take to discover the VPN router’s previous IP address. I’ve tried to explain that procedure to so many people and I know it’s gone over the heads of probably 80% of them. Bravo!
In any case setting up the phone and NVR for the 1120e/1140e is really simple (so long as you already have the NVR configured and working). Let’s assume you’ve gotten that far (it really isn’t too difficult once you understand how it works and the lingo).
You’ll need to create a network (Profiles -> Networks) which will include the IP networks you want to advertise to your clients. This network should include all internally accessible routes. Next you’ll need to create a new group (Profiles -> Groups) and configure it as you’d like, just remember to associate the network you created above with this group. Now you’ll need to create a user (Profiles -> Users), make sure you create the user under the group you created above. Just fill in the IPSec userID and password; you can leave the rest of the fields blank.
You’ll also need to figure out if you want to use the DHCP relay or if you want to assign a group of IP addresses (Servers -> User IP Addr) to the NVR for it to hand out to clients to use. It’ll probably be easier right now to just create an IP address pool (remember it needs to be in the same private Layer 3 network that your NVR is in so it can proxy ARP for the traffic).
You probably already know that you need a public and private interface. One will get a public IP address, the other a private IP address. You will need to set a private and public default route.
That should be enough to get you going.
Please post any further questions over on the discussion forums and I’ll be sure to help as much as I can.
Hi, I am trying to troubleshoot my connection with my SIP provider. Could someone tell me how to access the log with ssh? Thank you
James Zhang says
I’m working for Bell Canada. I was trying to pull logs from 1150 IP set, but I don’t know the default Id and password.
I found your note through Google, it is perfect!!!
I just want to send this note to thank you for putting these together!!!
Michael McNamara says
I’m happy you found the site helpful!
Thanks for taking the time to comment!
Love your blog and have to say when Avaya tech support asks if you have checked the McNamara website, you know you’re doing a good job.
Wanted to ask what type of licensing you are using? The documentation is very murky on the licensing. I am thinking networked locked licensing is what we want to use, so we do not need to enter every MAC address.
Michael McNamara says
That’s pretty funny… never heard that one before… thanks for the kind words!
I’m not doing any licensing of the Avaya 1100 or 1200 series IP phones since I’m using them with a CS1000E. We are using a Licensing Server for the 2050 IP Softphones that we have deployed for the (work-at-home) call center users. I can’t really speak to the pros or cons of the two methods Avaya provides. You’re probably aware, but for others that are sure to follow, a complete description of the licensing options is provided in chapter 16 of the SIP Software for Avaya 1100 Series IP Deskphones-Administration.
Sorry I can’t help Mark.
Melissa Karpicke says
We have used ssh to access our 1120e IP sets. However, is there a command we can use to get the Ethernet stats remotely rather than thru the local diag screen on the phone?
Looking at an 1140e IP Deskphone to which I have SSH’d into. I’m troubleshooting a NAC issue we have run into. I see from the PDT> command you can run showPCPortRenegotiate. In our case, it is set “Current PC port renegotiate: N” What exactly does this setting mean/do? I’ve searched all over and have yet to find any documentation pertaining to this setting. Thanks!
Michael McNamara says
I can’t really say with 100% accuracy but from the description I would guess it has something to do with auto-negotiation on the PC port.
You’ll likely get better information from a packet capture of the traffic between the IP phone and the switch.