Documente Academic
Documente Profesional
Documente Cultură
08
CONTENTS
1. INTRODUCTION ..........................................................................5
1.1. Forewords................................................................................................. 5
1.2. IP-Touch Version....................................................................................... 5
2. REFERENCES................................................................................6
3. HISTORY......................................................................................7
9. POWER CLASSIFICATION...........................................................43
9.1. IEEE Recommendation and IP-Touch classification .................................. 43
9.2. Consumption Details .............................................................................. 43
9.2.1. Fast Edition range...........................................................................................43
9.2.2. Extended Edition range...................................................................................44
10. 802.1X.......................................................................................44
3
12.17. Loss of signaling board ...................................................................... 60
12.18. VoIP assessment tool .......................................................................... 60
12.19. Bluetooth............................................................................................ 61
APPENDIXES
APPENDIX 0 - 802.1x
4
OmniPCX Enterprise
TROUBLESHOOTING GUIDE No. 28 IP TOUCH ISSUES
1. INTRODUCTION
1.1. Forewords
This troubleshooting guide explains the operation of an IP-Touch (in some cases for an e-Reflex but
not necessary) in a VoIP environment. Its aim is to help diagnose and resolve issues in activating the
IP-Touch.
This document takes into account IP-Touch versions up to 3.70 corresponding to Call Handling
release R7.1
The IP-Touch terminals are declined in 5 models:
− 4008 (Model Z)
It is a cost reduction of 4018, with same packaging as 4018
• No PC Ethernet port
• Standard handset instead of comfort handset
• Narrow band loudspeaker instead of wide band enabled loudspeaker
− 4018 (Model A)
− 4028 (Model B)
− 4038 (Model C)
− 4068 (Model D)
SRAM and FLASH Memory sizes are kept identical to IP-Touch R2, R3 and R4.0.1
This document does not deal with wireless sets: MIPT 300, MIPT 600.
2. REFERENCES
The following documents, dealing with subjects around IP Issues, are also available on
BPWS/Technical Knowledge Base:
• Troubleshooting guides:
♦ TG0001: Echo in a VoIP environment
♦ TG0002: VoIP audio quality problems
♦ TG0014: IP Phones issues
♦ TG0015: INTIP issues
• Technical Communications:
♦ TC0034: Voice on IP: Configuring an inter-PABX link in VoIP (LIOE)
♦ TC0107: IP Phone and OmniPCX 4400 R3.2/R3.2M secured on its Ethernet link
♦ TC0151: Using the DHCP Relay feature in OmniPCX 4400 (from Release 3.2M)
♦ TC0154: VoIP and Internet glossary
♦ TC0189: Information about rate and duplex mode available on OmniPCX
4400/Enterprise IP components
♦ TC0190: OmniPCX 4400 (R >= 3.2) and TOS field configuration for LIOE, TSC_LIOE,
INT-IP and IP Phones
♦ TC0258: Setting the Windows 2000 server into DHCP server for IP Phones – from Release
3.2M
♦ TC0267: Tftp server enhancement for optimization of IP Phones implementation
♦ TC0295: Configuring the VLAN (802.1q) ON OmniPCX 4400 IP equipments
♦ TC0376: VoIP/INTIP : Bad audio quality on OmniPCX 4400 in Release 4.1.1
♦ TC0423: IP redundancy in OmniPCX Enterprise
♦ TC0441: Echo phenomenon with VoIP
♦ TC0458: IP Phones VoIP technical characteristics
♦ TC0474: IP Phone V2 sets / OmniPCX 4400 Versions & Add-On modules compliance
♦ TC0506: Use of the tool tcpdump on OmniPCX Entreprise
♦ TC0600: Test report: Alcatel IP Phones sets using power over Ethernet supplied by Cisco
Catalyst 3560-24PWR
♦ TC0601: Automatic VLAN Assignment (AVA) – Implementation guide and restrictions
♦ TC0607: Redundancy over IP will not switch-over if the Ethernet link on the Main CPU is
lost
♦ TC0623: 802.1P/Q Configuration guidelines for Alcatel IP Phones connected to a Cisco
Catalyst Switch.
♦ TC0633: The IP-Touch sets do not restart from versions F1.602.3.m and F1.603.1.c
♦ TC0663: IP-Touch does not restart after upgrading of new versions
♦ TC0736: Technical release note for the VoIP assessment tool Aviso 3.0
3. HISTORY
• Ed 01 Creation of the document
• Ed 02 Official availability
• Ed 03 Add-ons
• Ed 04 Modifications of Appendix 4 section Port Mirroring (mirror)
• Ed 05 Correction of section 7.9 Keep Alive mechanism
• Ed 06 Correction of section 12.10 Jitter buffer size
• Ed07 Add section IP Touch Extended Edition phones consumption details
• Ed08 Correction of number of AOM in Appendix 3
4.1. Abbreviations
In this "IP-Touch Troubleshooting Guide", following abbreviations can be used.
• AVA : Automatic VLAN Assignment
• IPP : IP Phone V2, V1, V1S = e-Reflex
• IPT : IP-Touch 4008, 4018, 4028, 4038 or 4068
• CS : Call Server: CPU on common hardware or Appliance Server
• CPU4400 : CPU on Crystal 4400
• OXE : OmniPCX Enterprise
• MMI : Man Machine Interface (Used in this document for IP-Touch MMI)
• MGR : Manager (mgr) (Used for Call Handling)
• VAD : Voice Activity Detection
• DHS : Corresponds to OXE Call Server
• AOM-EL : Electronic Add On Module
• Notations
This symbol indicates some possible risks or gives important information or tricks.
5.1. Introduction
To simplify the notation in the following document according to the "Signaling link" sending either
from CS, CPU4400, INTIPA, GD, rescued GD, to the IP-Touch or e-reflex terminals, we have
introduced the notation, "Signaling Link Board" which will correspond to the board used to
transport the "Signaling Link" to IP-Touch.
− Signaling link will carry signals like : keepalive, connect, UA messages,
− IpLink : corresponds to the fictive INTIPA on Communication Server
5.3.1. Principle
The table (Page 11) gives the "Signaling Link Board" which has been used up to R7.0, depending on
the:
− use of domain (X domain or default domain)
− Call Server type
− IP-Touch (IPT), e-reflex (IPP)
− mgr parameters
(1) The load is distributed according to a load repartition optimization between the different
available couplers.
(2) Terminals are connected to GD board, when the other coupler in the domain are busy
(3) These couplers can only accept Signaling link for IPP and for IPT in the case "IP -> IP
Parameters -> IP Phone signaling on eMGD = YES"
(4) In the case of backup, the GD (/GA) boards in rescuer mode accept without conditions the IP
terminals in their domains
(5) When there are no other board available, the terminal in domain X will be connected to the
IpLink
Remark: Historically, parameter "System -> Other System Parameters -> System parameters ->
IP-Touch IP on a real INTIPA board" has been created in the way that IP-Touch terminals have the
same behavior that IP Phone terminals regarding to the "Signaling Board". Today this parameter
should only be modified with R&D agreement, and has by default to be set to NO.
5.4. Configuration
Below we will show the difference between a configuration before and after R7.0. As we can see, the
next parameters won’t be manageable any more from R7.0
IP -> IP Parameters
- IP Phone Signaling on eMGD (Connection to a real GD or GA)
6.1. Overview
At reset time, after some hardware and software initialization, the terminal enters in starting phase.
During this phase, the software performs all the necessary steps required before the terminal can
connect to a system. When the terminal is connected, the user can place phone calls and can access
to any services or applications provided by the system. In running phase, the terminal is fully driven
by the system using Alcatel Proprietary protocols: (Proprietary: UA Protocol)
6.4. Survivability
The Backup signaling link feature is used to back up signaling between a Call Server and Media
Gateway. This service is designed to ensure limited phone operations on a remote Media Gateway
(connected by a WAN) in case of a failure of the IP network connecting the sites. Before R6.2 IP-
Touch should be declare in static mode, after R6.2 IP-Touch can be declared in dynamic mode.
Whether both Call Servers are out of order, the terminals must then be able to connect to the
rescued Media Gateway.
7.1.1. Industrial–Mode
This mode is reached using combination ’1 2 3 [i]’. In this mode, the terminal takes a predefined
Mac address and predefined IP configuration (IP address, router, subnet, ...).
The terminal must be reset to quit this mode.
In industrial mode, the set will only work in a specific sub network, and default IP address
− IP-Touch IP address: 192.168.1.1
− tftp address: 192.168.1.6
Nothing is to configure on the set, the address above are the default "industrial" addresses
Procedure:
− At first to configure your PC with address "192.168.1.6"
− Then start the IP-Touch in industrial mode:
• IP-Touch starts in industrial mode thanks to key (i 1 2 3)
• Use a crossed cable to connect your Set to the PC, or a HUB
• Now it is possible to make a telnet on the set
This mode could be interesting for example: to reset the flash or to run some other commands in
case the IP-Touch is locked.
7.1.2. Backup–Version–Mode
This mode is reached using combination ’1 3 8 [i]’. When put in this mode, terminal will switch to
the backup binary version in flash. This is the same as the "verswitch" command. When the keys
are released, if the switch was successful, the terminal resets and starts in normal mode.
This version will remain the current software version until the version is switched again or a new
version is downloaded.
The switch from a secured version to a non secured version is not authorized.
2.8 seconds correspond also to the time during which IP-Touch "PC Link" is down after:
− an IP-Touch Hardware Reset , or
− during IP-Touch binary download
7.3.1. Acquisition
The IP parameters acquisition and checking step consists in:
− checking IP parameters when the terminal is configured in static mode
when the terminal is configured in static mode, IP parameters must be supplied by the user using
the LOCAL MMI. If supplied parameters are invalid, terminal loops in this step and displays an
error message until valid parameters are entered.
− acquisition and checking of IP parameters when the terminal is configured in dynamic mode
(which is the manufacturing default mode), IP parameters are acquired during this step using the
DHCP protocol.
Using the LOCAL MMI, the user can select two different modes: any-DHCP mode and
Alcatelonly mode (which takes into account only the offers from Alcatel DHCP servers).
During a DHCP standard initialization, when the terminal receives the DHCPACK message it
checks if IP parameters in this message (IP address of the terminal, router address, subnet
address, TFTP address #1 and VLAN-id) are different of those stored in the zone reserved for
DHCP configuration. If they are different the terminal stores them in flash but if not it continues
IP-Touch initialization with these parameters.
In the two previous modes (any-DHCP or Alcatel-only), the terminal follows the standard DHCP
initialization.
• Discover
• Offer
• Request
• Acknowledgment
IP parameters of DHCP zone can be seen in the local MMI during DHCP initialization.
If the DHCP initialization fails (the terminal doesn’t receive DHCPOFFER message in
SELECTING mode), the terminal passes in survivability mode.
It is essential that DHCP requests (broadcast messages) are resent by a relay DHCP server if
the IP set is not in the same sub-network as the DHCP server.
7.3.4.3. Releasing
If the terminal decides to reset, for any other reason than a lease expiration, it will send a
DHCPRELEASE message (unicast) to the server.
Not more the case since R4.01 (since 3.71.00).
7.3.5.1. Principle
AVA (Automatic VLAN Acquisition) is the preferred solution for assigning a VLAN (802.1Q) to a
terminal connected to a VLAN-enabled network. The mechanism involved by AVA is known as
"double-DHCP" because a first AVA enabled DHCPDISCOVER message is sent and then if an AVA-
enabled server respond to that request, a second "standard" DHCPDISCOVER is sent using the
acquired VLAN.
If a static VLAN is programmed (by the user using the LOCAL MMI), the first DHCPDISCOVER
message is sent on this VLAN.
Otherwise, the default VLAN is used (e.g. no VLAN).
The first DHCPDISCOVER message provides option 43 (vendor specific option) indicating that the
terminal supports the automatic VLAN feature. The second DHCPDISCOVER message doesn't
provide this option.
The VLAN menu from the LOCAL MMI is updated with the VLAN ID received using AVA.
The first AVA DHCPDISCOVER message is sent. Only the AVA server and the Alcatel server receives
the message because they are (for the moment) on the same VLAN as the terminal.
Both servers respond but the AVA DHCPOFFER has priority over the Alcatel server DHCPOFFER.
The terminal sends a DHCPREQUEST to inform other DHCP servers that their DHCPOFFER (if
any) have not been selected. Once this REQUEST is acknowledged by the AVA server, the terminal
sends a RELEASE message to ensure the AVA server releases the IP address. Finally, the terminal
sends a second DHCPDISCOVER message on the acquired VLAN. Only the external server receives
the message and replies to the terminal.
If no AVA server responds to the first AVA DHCPDISCOVER, the normal DHCP procedure applies.
AVA DHCPOFFER have priority over Alcatel server DHCPOFFER and external server
DHCPOFFER.
7.4.1. Overview
The configuration file step consists in downloading the lanpbx.cfg file. The configuration file is
downloaded using a TFTP READ request.
The configuration file, in ASCII format, contains one or more lines. Each line provides one or two
system addresses. The terminal selects the first line of the file. If there is no responds from the system
addresses, terminal will select second line, and so one. The associated addresses will be the
maincpu addresses of the terminal. These maincpu addresses are selected and flashed during step 5
7.4.2. Download
The lanpbx.cfg file is downloaded using:
− the TFTP address received in the DHCP response (next-server field) if dynamic initialization is
used or,
− one of the two TFTP addresses configured using the local MMI if static initialization is used. In
that case, and depending on addresses validity, the terminal can send up to two TFTP READ
requests in parallel. Only the first response is taken into account and if any, other running
transfers are aborted.
To take in account all failure cases, the two TFTP addresses must be configured in this order:
− TFTP address #1 = Call Server #1,
− TFTP address #2 = Call Server #2,:
If the file does not exist on the disk, it is created in the memory after the TFTP process started.
The lanpbx.cfg can also be generated using "lanpbxbuild" command.
Description
Wrong Configuration
Example of a wrong configuration: Assume a topology with Call Server Duplication, spatial
redundancy and several nodes, lanpbx.cfg could be look like as following:
As only last BIN_DOWNLOAD IP address information will be taking into account, (in the above case:
10.5.4.3), the IP Set connected to 10.1.1.3, will get the binary on 10.5.4.3. In the case that both
nodes do not have the same IP-Touch version, the IP-Touch will continually reset.
Good Configuration
7.4.6. Download/Parsing
If the configuration file cannot be downloaded after all TFTP retries, the terminal checks if a maincpu
address is stored in flash. If yes, the terminal continues with step 4 (software updating) or step 5
(start file). If no, the terminal is restarted
If maincpu addresses are different in lanpbx.cfg file than in flash (order of IP_DOWNLOAD and
IP_DOWNLOAD_RD addresses is not important), terminal erases maincpu addresses in flash.
These addresses will be flash when startnoe file will be downloaded successfully in step5.
Take into account the moving of maincpu with survivability feature, TFTP_backup address is
also erased when lanpbx.cfg file is downloaded successfully.
(1) bin4018 and dat4018 exist are real files on the Call Server file system
(2) bin4028, bin4038 and bin4068 are symbolic links to a unique file: bin40x8
dat4028, dat4038 and dat4068 are symbolic links to a unique file: dat40x8
The binaries for the IP-TOUCH are stored on the hard disk of the Alcatel in the following directory
(depending on the OXE Release in):
• /usr2/downbin/
• /usr2/downbin/standard
• /usr2/downbin/secu
The OXE TFTP server will look for the files in this directory. The /usr2/downbin/ will contain the
real files or the symbolic links.
The phone first asks for the binary header (small part of the whole binary containing the binary
version) in order to check if the version is different that the one which is running.
7.5.2. Fast-init
The first message transmitted to the call server provides, among other information, the version
number of the running code binary and the version number of the data binary.
These numbers are checked by the call server to determine if zero, one or two binaries have to be
downloaded.
The init_mode parameter stored in FLASH memory is used by the terminal software to find which
binaries must be updated during step 4 of the terminal initialization:
init_mode =
• UPDATE_NONE (=0)
terminal goes directly to step 5 (start file) since nothing needs to be downloaded
• UPDATE_CODE (=1) or UPDATE_DATA (=2)
♦ check if a different code or data binary version is available,
♦ download the new code or data binary,
♦ flash the new downloaded binary,
♦ change the init_mode parameter from UPDATE_CODE/UPDATE_DATA to UPDATE_NONE
and
♦ restart the terminal.
• UPDATE_CODE_DATA (=3)
♦ check if a different code binary version is available,
♦ download the new code binary,
♦ flash the new downloaded binary,
♦ change the init_mode parameter from UPDATE_CODE_DATA to UPDATE_DATA,
♦ check if a different data binary version is available,
♦ download the new data binary,
♦ flash the new downloaded binary,
♦ change the init_mode parameter from UPDATE_DATA to UPDATE_NONE and
♦ restart the terminal.
Immediately after the UA/UDP link is established (CONNECT message), the init_mode
parameter is set to UPDATE_ALWAYS (default value) which is the same as
UPDATE_CODE_DATA except that after a binary has been downloaded and flashed (code or
data), the terminal doesn't modify the init_mode parameter.
A fast-init capable call server must then configure init_mode to UPDATE_NONE in order to
enable the fast-init mechanism on the terminal side.
Reception of this message doesn't reset the terminal. This message can be send at any moment once
the UA/UDP link is established.
This message is ignored for IP-Touch version 1.xx.xx terminals since the fast-init feature is not
supported in these releases. This message is also ignored for TSCIPv1S, IPPhoneV2 terminal
The solution to authorize code and data update for an IP-Phone can be managed under
Users -> Tcp IP Users
7.5.4.1. Code
After a checksum test on the downloaded binary, the new code binary is flashed: it replaces the not–
running binary of the two binaries stored in FLASH memory.
7.5.4.2. Data
After a checksum test on the downloaded binary, the new data binary is flashed: the old data binary
is replaced. If a problem occurs during the flashing procedure, an error code is returned to the
application and the terminal is restarted.
Then the phone resets and runs the new downloaded binaries.
Context number for TFTP download = This attribute indicates the number of downloads
possible in parallel by the tftp server: It is a percentage of the maximum value. Minimum value is
10%.
The tftp_check –c command gives the state of the download
============================== IP phones state ================================
Total Ip phone number : 6
In service : 5 Out of service : 1
7.6.1. Format
The start file provides the UDP port number the terminal must open before receiving NOE messages
using the UA/UDP transport protocol. The start file format is the following:
UDP_PORT_SIG=x<CR>
Description
UDP_PORT_SIG: the UDP port number to open (value must be between 0 and 65535)
Secure mode
An additional UDP_PORT_SIG_CRYPT parameter is included in the file if the protection of the
VoIP flows is to be used. This port will then be used by the terminal to listen to the Signaling
traffic.
o If the lanpbx.cfg file was not downloaded during step 3, the terminal tries to
download the start file using the two maincpu addresses stored in flash. In both
cases, if the file contains an error, the terminal is restarted. But if the download of the
start file fails, the terminal enters in survivability mode.
• survivability mode
o The terminal tries to download the start file using the Media-Gateway (or Passiv Call
Server) address stored in flash (TFTP_backup address). When the terminal receives
the start file, this address is not stored in flash as the maincpu. If this download fails,
the terminal resets. The TFTP_backup address (generally the Media gateway address)
is received after the reception of CONNECT message. The terminal flashes this
TFTP_backup address only if it is different of that in flash.
7.6.3. Redirection
The maincpu addresses can be modified if the terminal receives a REDIRECT message. This implies
that in a networked environment (many CPUs are listed in lanpbx.cfg file)
With spatial redundancy, REDIRECT message contains 2 valid maincpu IP addresses (maincpu and
maincpu_rd). When the terminal receives REDIRECT message, it erases TFTP_backup, maincpu and
maincpu_rd addresses.
Without spatial redundancy, REDIRECT message contains only 1 maincpu address. When the
terminal receives REDIRECT message, it erases TFTP_backup, maincpu addresses and puts
maincpu_rd address at 255.255.255.255.
When the start file is downloaded and if a CONNECT message is not received after 10
seconds, the startfile is downloaded again. If the CONNECT has not been received after 10
such attempts, the terminal is restarted.
In case of failed connection, step5 loops 15 times and waits 30 seconds between each loop.
7.7.1. Overview
After TFTP exchange, the "Signaling Board" takes always initiative for connection establishment. The
link is established only when both sides of the connection have sent a CONNECT message and
received a CONNECT ACKNOWLEDGE message. Both sides have to wait until the end of this
exchange before sending data.
Example
7.8. Follows-up
Before the Keep alive mechanism, there are some other messages which are exchanged between
OXE and IP-Touch, which are not necessarily detailed in this troubleshooting Guide. Refer also to
section 7.10 .
7.9.1. Mechanism
KEEPALIVE is emitted regularly (using UDP_KEEPALIVE timer) when there is no traffic in order to
detect a network link–down failure. "Signaling link Board" takes initiative for KEEPALIVE packet
exchange. IP-Touch has only to acknowledge with a KEEPALIVE_ACK.
This timer is started each time a packet is received. The expiration of this timer means that no
KEEPALIVE has been received because the network link is down between "Signaling link Board" and
IP-Touch Phone.
Once network failure has been detected, UDP_LOST_REINIT timer is launched. Then IP terminal
waits for a new signaling link to be established by system. If no connection request has been
received after UDP_LOST_REINIT timer expiration, IP terminal will reset immediately.
The next figures shows in detail the mechanism which is used for the KeepAlive mechanism.
What we can also observe is in that after UdpKeepalive time, the CS will send periodically (each 3
sec) a KeepAlive to the terminal, then after 3 times without Acknowledgment, CS will send a Connect
each second.
A connection is considered as lost if no packet has been received after UDP_LOST timer expiration.
When changing the KeepAlive parameters on the system don’t forget to reset the IP-Touch.
In this case, IP terminals will be unable to detect a network failure if there is no activity on
"Signaling Link Board". Moreover, if a new binary is present on the Call Server, the IP-Touch
will not automatically download that new binary.
Therefore, it is recommended to let this parameter unchanged.
7.10.1.Principle
Either DATA packet emitted by OXE or IP terminals contains a sequence number that is used to
acknowledge the packet.
If no ACK is received, the DATA packet is re–emitted after 200 ms (first occurrence), then with a
periodicity of 1 second. The connection is considered as released after UDP_LOST timer expiration.
ACK packet is a DATA packet without data (only sequence numbers are significant). ACK packet
must not be acknowledged.
The protocol also supports acknowledge by DATA packet. An acknowledgement of the last received
DATA packet (expected sequence number) may be integrated in current DATA packet.
Example:
9. POWER CLASSIFICATION
10. 802.1x
See Appendix 0.
• Check the spanning tree configuration in the data network; path reconstruction might take
some time and not let enough time to re-establish the signaling link with the CS.
• Check the data network with AVISO; loss of IP-Phones due to issues in the data network can
be very efficiently pointed out with that tool and definitely exclude the Call Server.
− If the cause is "DHCPC_LEASE_EXPIRATION", check the DHCP server (server accessibility, IP
addresses available, etc.);
− Run a tcpdump trace on Call Server.
12.1. MPLS
Ethernet is based on the principle that the Max Size of an Ethernet frame = 1518 Bytes. Meaning
that in normal transmission, without 802.1q, MPLS, ... the maximum size of an IP Packet = 1500
Bytes.
Meaning also that when the device wants to add some supplementary information like: VLAN,
PPPoE, the device has to decrease the IP Packet size.
Example: When a Thales Box sends a Packet of supposing 1500 Bytes, and that there's a router
which wants to add some headers like MPLS-Label, resulting that the Ethernet Frame size could
exceed 1518 Bytes, and that fragmentation is not allowed (case on a Call Server), the router should
inform the equipment thanks to an ICMP, that the IP Packet size is too large.
When this situation happens, Thales box will decrease the IP Packet size.
Now come to MPLS.
Following next figure, we see that MPLS, should be transparent for an IP Packet, except there is a
problem of packet size. Note also that MPLS Label = 4 Bytes. Meaning that in the major case where
frame size = 1510 bytes, 1510 + 4 = 1514 < 1518.
So there is no a problem for frame size (== 1510)
If no voice treatment is done by set B, the set A user hears its own voice signal as an echo. The user
A talker echo loudness rating (TELR) shall reach a minimum value to avoid echo sensation, this value
varying as a function of transmitting delay as described in G131 recommendation. (See figure
below).
G131
To fulfill TERL attenuation, there are two mechanisms which are mainly used:
Set B
− Gain switching ATTR (Attenuation in Reception) and ATTS (Attenuation in Transmission) modules
which decrease respectively the receiving and the sending paths. (This mechanism
corresponding, relative to an acoustic point of view, to a Half Duplex mode)
− Echo canceller with adaptive filter (mathematical based model) consisting to subtract the
loudspeaker signal captured by the microphone (from Speaker A) without to subtract the signal
from the local speaker (Speaker B). The constraint which has to be respected with an adaptive
filter is to run the filter coefficient adaptation only in reception state and not in Double Talk state.
(This mechanism corresponding, relative to an acoustic point of view, to a Full Duplex mode).
Relative to the TERL attenuation which has to be applied in an IP environment, it is not possible to
treat the echo only with Adaptive Filters.
Depending on the parameters like:
− Loud Speaker level
− Big / Small rooms
− Room reflection
− Use of the Handsfree
− Etc.
It is mandatory to add a Gain Switching attenuation. It is also important to know that the Gain
Switching will also decrease or increase relative to the performance of the Adaptive Filter.
It is a state machine inside Handsfree algorithm which has to decide the repartition between Gain
Switching and Adaptive Filter to reach the TERL constraint.
Relative to this concept, the Alcatel IP Phone's Hands-frees (e-reflex or IP Touch) have been
developed to work as much as possible in Full-Duplex mode, this is done until a specific Handsfree
level and, as said, the level is depending on the environment in which the Handsfree is used
(Big/Small Rooms, Room reflections). But after this Handsfree level, Half-duplex mode will slowly
enter in action, meaning that the Handsfree will work in a range where we will find a certain
percentage of Full duplex and a certain percentage of Half-Duplex.
The difference between Alcatel IP Touch and Alcatel e-reflex concerns especially the state machine. IP
Touch state machine is smarter and works differently than IP Phone state machine. IP Touch will take
better decision between Reception and Double Talk state, and so adaptive filter will converge faster,
and so IP Touch Handsfree will work more in a Full-Duplex mode. Attenuation from Gain Switching
module will be lower, this will then give a better feeling of a full duplex behavior in strong condition
because the switching between Reception and emission will be more smooth.
Question:
Why my IP-Touch is in Class 3?
Answer:
This is depending on the serial number of your IP-Touch. Around may 2004, IP-Touch classes
evolved from Class 3 to Class 2. Serial number (or hard) can be found using the IP-Touch telnet
and with command id;
#id#
soft 1.29.03
boot 1.00.10
hard 3GV23014ACCA040416
range IP
type C
linkdate Mon Oct 11 17:33:59 MEST 2004.
Question:
Power Over Ethernet doesn’t work on my PoE Switch.
Answer:
Your Ethernet Interface is perhaps not configured to accept inline power:
(case of Cisco switch)
Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#power inline ?
auto Automatically detect and power inline devices
never Never apply inline power
12.4. VAD
Question:
On an IP-Touch (or e-Reflex), I can observe during silence phase (nobody speaks) an audio level
attenuation, as if the distant user had been lost.
Answer:
When G.711 codec is used, this is probably due to the activation of VAD. Deactivate the VAD,
and check if this behavior is still present.
My 4038 IP-Touch has version 1.17.01, and the binary: bin4038 on OXE has version 2.13.00.
In this case this version will not been downloaded in one time. I have at first to download an
intermediate version, for our example we will choose intermediate version 1.55.03, and after
that we can then upgrade, following above table, to version 2.13.00.
Consult the Technical Communication TC0663 IP Touch does not restart after upgrading of
new versions dealing with "IP-Touch sets do not restart after upgrade to new versions";
12.11.NAT translation
Question:
Is it possible to connect the IP-Touch through an IP NAT (Network Address Translation) Device?
Answer:
No, the UA protocol being not compatible with NAT because of IP addresses embedded in the
UA protocol which can thus not be translated by a NAT device.
A solution to avoid NAT translation in that case might be the use of a VPN tunnel.
12.12.Spatial redundancy
Question:
From which IP-Touch version spatial redundancy is supported?
Answer:
Spatial redundancy is supported by the IP-Touch version 2.xx from OXE version 6.1.
Note
Spatial redundancy is not supported by e-reflexes phones.
12.13.Keep-alive mechanism
Question:
Is it possible to de-activate the Keep-alive mechanism?
Answer:
The system can disable the keepalive mechanism. In that case no keepalive messages will be
exchanged.
See also section 7.9 .
This is configured by setting the following parameter
IP -> IP Quality of service COS -> UDP Keep-Alive to 0
In this case, the IP-Touch will not be able to detect a network failure if there is no activity on
the "Signaling Link Board". Moreover, if a new binary is present on the Call Server, the IP-
Touch will not automatically download that new binary.
12.19.Bluetooth
Question:
What is the hardware reference for a Bluetooth 1.2 on an IP-Touch 4068 (set and handset)?
Answer:
The Alcatel IP-Touch Bluetooth® wireless handset is 1.2 enabled and operates with Alcatel IP-
Touch 4068 reference 3GV27043xx (package) from OmniPCX Enterprise R6.2.
Summary:
• IP-Touch Hardware Reference : 3GV26043 BT: 1.2 (RAM 16Mo)
• IP-Touch Hardware Reference : 3GV26012 BT: 1.1 (RAM 8 Mo)
• IP-Touch Handset Reference : 3GV 26007 BT :1.2
• No IP-Touch Handset in BT 1.1
Note
Dial-in or Telnet access is also desirable to help with effective problem resolution.
Summary
1. SHORT 802.1X OVERVIEW .................................................................................................... 3
1.1 Principle............................................................................................................................. 3
1.2 Definition ........................................................................................................................... 3
1.3 Introduction........................................................................................................................ 4
1.4 Port Access Entity (PAE)................................................................................................... 4
1.5 Authentication server......................................................................................................... 5
1.5.1 FreeRADIUS ................................................................................................................. 5
1.5.2 Funk Software Steel-Belted Radius / Enterprise Edition ............................................... 5
1.5.3 Microsoft Windows 2003 IAS RADIUS Server .............................................................. 5
2. AUTHENTICATION ON IP TOUCH........................................................................................... 6
2.1 EAP- MD5 Authentication Method.................................................................................... 6
2.2 Authentication initialization ................................................................................................ 7
2.3 IP Touch ............................................................................................................................ 8
2.3.1 IP Touch internal Switch................................................................................................ 8
2.3.2 IP Touch PC Port Security ............................................................................................ 9
2.3.3 Embedded Command ................................................................................................. 10
2.3.4 Error and status messages ......................................................................................... 10
3. TROUBLESHOOTING............................................................................................................. 11
3.1 Introduction...................................................................................................................... 11
3.2 Configuration 1 ................................................................................................................ 13
3.3 Configuration 2 ................................................................................................................ 14
3.4 Configuration 3 ................................................................................................................ 16
4. F.A.Q. ...................................................................................................................................... 20
4.1 Set stays in phase 2/5 ..................................................................................................... 20
4.2 802.1x Activation Issue ................................................................................................... 20
4.3 802.1x Deactivation......................................................................................................... 20
4.4 802.1x set on IP Touch but pass through........................................................................ 21
4.4.1 View of the Issue ......................................................................................................... 21
4.4.2 Ethereal Trace in case ................................................................................................ 21
4.5 MAC Resolution .............................................................................................................. 22
4.6 IP Touch stays in phase 5/5 ............................................................................................ 22
4.7 Restriction to 802.1x........................................................................................................ 22
4.8 I cannot see EAP frames in my captured Trace.............................................................. 22
5. CONFIGURATION ON A 6800 SWITCH................................................................................. 23
5.1 Overview ......................................................................................................................... 23
5.2 Prerequisites ................................................................................................................... 23
5.3 Configuration ................................................................................................................... 23
6. STEEL-BELTED RADIUS SERVER INSTALL GUIDE ............................................................ 25
7. CONFIGURATION OF ODYSSEY CLIENT ............................................................................ 26
1.2 Definition
AAA server:
server program that handles users' requests for access to computer resources and provides
authentication, authorization and accounting (AAA) services.
1.3 Introduction
The aim of the 802.1x “Port-based Network Access Control”, or shorter dot1x, is the ability to deploy
LAN based infrastructure where users or devices need first to log in prior to anything. Dot1x
manages access rights to the Local Area Network (LAN) wired or not (WLAN). It implements an
effective framework for authenticating and controlling user traffic to a protected network. Dot1x ties
a protocol called EAP (Extensible Authentication Protocol) to the LAN media supports for the
moment MD5 authentication methods,
The idea of dot1x is like an ON/OFF gate inside Ethernet switches. This gate starts in the OFF
position, handling only dot1x requests until a decision is made to grant the station access. At that
point, the gate is thrown into the ON position so that all LAN traffic can be relayed between the
station and the upstream network. Eventually, the station times out or disconnects, throwing the
gate back into the OFF position. This authentication intervenes before any other exchanges.
Before the supplicant’s connection to the physical port of the authenticator's PAE, the use of the
controlled port is restricted, preventing unauthorized data transfer and only the uncontrolled port is
accessible.
The authentication dialogue is then between the authentication server and the supplicant by the
uncontrolled port of the authenticator's PAE.
When the dot1x state machine of the authenticator sees an authentication acknowledgment
coming from the server, it opens its controlled port, thus giving to the supplicant the access to the
service. From this moment, the Ethernet traffic is normally assured.
However, the dot1x protocol remains active and can reactivate an authentication process in case,
for example, of explicit request of the supplicant or physical disconnection to the network.
1.5.1 FreeRADIUS
FreeRADIUS is an open source RADIUS server. It is well within the top 5 RADIUS servers
worldwide, in terms of the number of people who use it daily for authentication. It scales from
embedded systems with small amounts of memory, to systems with millions of users. It is fast,
flexible, configurable and supports more authentication protocols than many commercial
servers.
The server comes with complete support for RFC 2865 and RFC 2866 attributes.
FreeRADIUS supports EAP, with EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP and
Cisco LEAP subtypes.
Microsoft Windows 2003 IAS RADIUS Server: The Internet Authentication Service (IAS) is the
Microsoft implementation of a RADIUS server and proxy. As a RADIUS server, IAS performs
centralized connection AAA for many types of network access. As a RADIUS proxy, IAS forwards
authentication and accounting messages to other RADIUS servers.
2. AUTHENTICATION ON IP TOUCH
2.1 EAP- MD5 Authentication Method
EAP-MD5 does not propose mutual authentication, it only authenticates the supplicant by providing
a login/password couple and does nothing to authenticate the AAA server. (AAA : server program
that handles users' requests for access to computer resources and provides authentication,
authorization and accounting)
After connection and standard “EAP-Request/Identity” phase (Phase 1), the server sends a
challenge text to the supplicant (Phase 2): some string, along with a serial number. EAP MD5
method has been chosen depending on the Identity sent by IP TOUCH.
The supplicant (Phase 3) proves it knows the password by hashing the identifier, the password and
the challenge together and sending the information back. With MD5, the password does not pass
across the wire.
(Phase 4)The server hashes the challenge on its side by using the supplicant's password stored in
its database. If the result is the same, the supplicant is authenticated.
It is very important to note that the exchanges are not encrypted. The challenge text and its
hashing result are directly sent on the network.
This method is vulnerable to dictionary (brute force attacks), Man In the Middle, session hijacking
attacks.
Authentication can be initiated either by the Supplicant PAE or by the Authenticator PAE.
A supplicant PAE may initiate the authentication sequence by sending an “EAPOL-Start” frame. A
supplicant PAE that does not receive an authentication initiation frame from the authenticator PAE
on re-initialization may initiate authentication by sending an “EAPOL-Start” frame.
2.3 IP Touch
IP Touch terminals provide an internal switch which allows to chain one or more devices behind
the terminal to limit the number of network ports needed in an office. The port on which these
devices, most probably a PC, but possibly another terminal, are connected is referred to as the
"PC port".
Warning:
The case where a PC is plugged behind IP TOUCH and also tries to authenticate in an “unique
open” Switch configuration is not supported. It is up to the client to configure properly its
authenticator.
We advise to not use a “global open” switch configuration for security reasons.
PC port security feature brings security protections against possible intrusions in the voice network
of the customer from the PC port. This will be achieved through either completely disabling the PC
port, or by preventing the PC from sending traffic in the Voice VLAN.
This feature is relevant when mixed with 802.1x authentication because 802.1x removes the
possibility for an unauthenticated PC to be directly connected to the access switch.
By default, IP Touch equipped with an internal switch will forward all traffic coming from the PC
port to the LAN port, and the switch is activated by default.
With this PC port security feature, the IP Touch can be configured
- to either block the PC port of the switch, preventing daisy chaining of a PC behind the
terminal, or
- to prevent the device(s) plugged on the PC port to send 802.1q tagged frames, thus
ensuring no Voice VLAN traffic can be sent from illegitimate sources.
The ‘pcport’ function allows to get the current PC port security status and the state stored for
the next startup.
Command: pcport
The PC port command is incompatible with the port mirroring feature. Consequently, when the PC
port security is active, the mirror command is disable.
During IP Touch initialization in dot1x activated mode, some messages are displayed to inform the
user:
Messages:
- Authentication failure: authentication denied RADIUS server unreachable, access is
refused to the terminal on the RADIUS server or the terminal has a bad identity (bad login
and/or password).
- Authentication success: access granted Authentication process is complete. The RADIUS
server grants access to the terminal, the authenticator opens its port.
3. TROUBLESHOOTING
3.1 Introduction
This paragraph gives an overview between the different exchanges which are involved in 802.1x
authentication.
This should help to diagnostic some issues during 802.1x authentication.
This section, is based on the following topology, and all traces, observations, remarks are relative
to this topology.
Remark: As 802.1x exchanges are based on OSI level 2, so, for trace analysis refer only to MAC
addresses
CPU Main
Java
172.25.32.49
UA32
CPU CPU
Java_A Java_B
172.25.32.48 172.25.32.46
Serveur Radius
00:08:02:E5:7A:4F
Switch 172.25.32.164 INTIP A
00:D0:95:D7:45:62 Shared Secret : 172.25.32.45
172.25.32.163 radiuskeyA
Login : admin
Tel :1001
Pass : admin
TDM
Router
172.25.32.1
Radius
name : funk Tel :1000
IP :172.25.32.164 TDM
Shared Secret :
radiuskeyA
Port 9 : 802.1x
00:D0 :95 :D7 :45 :63 Port 11 : 802.1x
Same configuration
as PC2
PC 2
Tel : 1005 Tel : 1006 Tel :1007 Suppliant
Ed.00:80:9F:56:10:AF
08 / 07 January 2011 00:80:9F:56:58:EE 12 00:80:9F:56:09:3E Tel : 1008 TG0028 00:0F :20 :FA :A5 :7E
172.25.32.167 172.25.32.68 172.25.32.90 00:80:9F:3D:48:46 172.25.35.81
802.1x 802.1x 802.1x 172.25.32.93 802.1x
Login :ALCIPT+MAC Login : ALCIPT+MAC Login :ALCIPT+MAC Login: PC+MAC
Pass :radiuskeyB Pass :radiuskeyB Pass :radiuskeyB Shared Secret : radiuskeyC
OmniPCX Enterprise
TROUBLESHOOTING GUIDE No. 28 APPENDIX 0
IP TOUCH ISSUES 802.1x
3.2 Configuration 1
As we can see, in the next Ethereal trace, there is an EAP authentication request by the suppliant
EAP-Start, and without any response, IP Touch will follows its normal process.
3.3 Configuration 2
Remark: For this trace, IP Touch had IP address: 17.25.32.54 and MAC 00:80:9F:56:10:AF
EAP Request
In this case the mechanism begins with a EAP Start (From IP Touch to Switch), then Switch will
respond with a EAP Request, see above, then IP Touch will send its EAP Response where we can
see the IP Touch identity
EAP Response
Identity
What we can also observe is an authentication exchange between the OmniSwitch and Radius
Server. But as the server is not running, the exchange fails
EAP Request
Failure
3.4 Configuration 3
The traces below show a success authentication, and has been done for the same authorization
exchange.
Ethereal trace has been taken on
- Radius Server: to show the exchange between OmniSwitch and Radius server
- On mirroring port: to see the exchange between IP Touch and OmniSwitch
In this paragraph we will show the step by step exchange by remixing the traces above.
OmniSwitch will then forward the Response to Radius Server (EAP Response)
Radius Sever will then propose a challenge (In this case MD5)
Radius Server accepts the challenge (EAP Success), end OmniSwitch will open Controlled Port 9
4. F.A.Q.
4.1 Set stays in phase 2/5
• I don’t know why my set stays in phase 2/5, while on the other hand my Radius Server and
my Switch are correctly configured ?
• It seems that 802.1x hasn’t been activated on the set, and as the set never enter in a
802.1x process to validate the user access (No uncontrolled port reachable), it stays in this
phase 2/5 like (no Ethernet link)
• I don’t have the possibility to validate the 802.1x in the IP Touch MMI ?
• It is necessary to enter a password before to have the possibility to activate the option
802.1x
• Why there is the possibility to deactivate 802.1x directly on the IP Touch without access
control ?
• My Phone is set in 802.1x, but after connection, it pass through the different init phases 1-5
without restrictions ?
• This is the normal behavior of 802.1x . When the set ask for a authentication, and the
switch is not configured in 802.1x, the set will follow its normal startup process.
• In the case that the switch is not configure to manage 802.1x packet, and the IP Touch is
programmed to deliver 802.1x packets, below we will give the Ethereal trace.
Be careful, Ethereal will decode the Packet as Spanning Tree packet (Destination Mac
address shows that it is a 802.1x packet).
Remark: For this trace, IP Touch had IP address: 17.25.32.54
• In the Ethereal traces, like in the picture above, I would like see real MAC address name
and not the decoded name like: “Spanning Tree”
• When Switch port is configured for 802.1x, and there is no Radius Server, or when Radius
server don’t authorize the access to open the port, the IP Touch will stay in phase 5/5, and
then will reset.
• To avoid the risk that someone could steal a MAC address of a set, then associate this
address to a PC, and plug this PC behind a HUB
• it is in charge of the Switch, to restart each “n” time the authentication process
• There is a strange behavior in my ethereal trace because I cannot see EAP or EAPOL
frames in the trace. Example, I want to capture EAP frames between Switch, and IP
Touch: (Number :1007 below) thanks to mirroring on the switch, and I cannot see EAP
Frames, even the phone starts with EAP negotiation.
• See if there is not an Authentication Client which is running on the Ethereal PC, which could
catch the EAP frames. You have to stop the authentication client running on the PC
5.2 Prerequisites
Before to configure you switch in 802.1x, be sure you have the correct version installed on your
switch.
Minimum version is 5.3.1.210.R02
5.3 Configuration
This paragraph will show the command to activate the 802.1x on 6800 Switch
Example
aaa radius-server funk host 172.25.32.164 auth-port 1812 acct-port 1813 key radiuskeyA
Example
aaa authentication 802.1x funk
Example
vlan port mobile 1/9
vlan port 1/9 802.1x enable
Install package
- SBR Admin tool (SBRNT_Admin_53.msi) and
- Server (SBRNT_ALL_53.MSI) on the same PC. (Choose Enterprise Edition)
When finished, run the SBR admin.
In the Servers Connection tab, choose local and connect to the SBR with the admin account.
As the switch and the server communicate, you can see in the Statistics tab a Summary of
authentication between them.
Users tab: define here each IP TOUCH phone and the PC client as Native Users. Click on the Add
button, enter
- the login (login[+mac @]) and
- the password (same as on the terminal) for the IP-Touchs,
- the PC <domain>\ <login_account> and password (same as on the PC) and
save.
To set the PC in the Data Vlan set on the Switch (see Odyssey client configuration):
In the Attributes Return list, click on Add…
- Select the Alcatel-Auth-Group in the list and set the value to the Data Vlan
Odyssey client: PC can directly be plugged on the IP-Touch PC port or on the Switch
Install the Odyssey Client on a Windows XP workstation, check the 30-day trial version box.
When finished, launch the Odyssey Client Manager.
In the menu File Settings -> Windows Logon Settings, check Override…
and After Windows Logon…, a popup window appears and ask you to provide Windows password
(enters the password (same as on the SBR).
Back in the Connection tab, click on the Re-authenticate button, the PC should authenticate.
You can check on the switch and on the server the authentication status of the PC.
Global remark: when you change the SBR configuration, you need to restart the SBR service to
take the changes into account.
To restart the Odyssey client, disable and re-enable it via the menu File.
The table below gives the real link state depending on the devices parameters (invalid parameters
setting are shown darker):
- When both devices are in Auto Negotiation, there is no problem, and 100 Mbps / Full
Duplex is automatically chosen
- When Both devices are set Manually, Same configuration Must be applied.
1. FAILURE SIGNALING
Failure signaling provides the user an indication (a message displayed on the screen) of what is
going wrong on the terminal (most of the time, this is a network problem). Messages displayed are
in English language.
After UDP_LOST timeout without receiving any message from the call server, the terminal indicates to
end user that the signalization link is broken and gives the reason of the failure: if there is a cable
problem between the terminal and the LAN switch, the following message is displayed (A/B/C/D
terminals):
"No Ethernet link"
If there is no problem between the terminal and the LAN switch, the problem could be anywhere else
on the network (cable problem between the LAN switch and the call server, the call server goes
down, etc) the following message is displayed (A/B/C/D terminals):
"Connection lost"
Then, the terminal waits for a CONNECT message. After UDP_LOST_REINIT timeout, the terminal
indicates that it will reset by displaying the following message:
"Reset...please wait"
This last message is also displayed if a reset request (UA3G or NOE message) from the call server is
received by the terminal.
If a duplicate IP address detected (terminal X receives an ARP request and finds that the source IP
address inside that packet is its own IP address), the following message is displayed during five
seconds (A/B/C/D terminals):
"Duplicate IP address"
2. ERROR MESSAGES
The following table indicates the messages and errors displayed during the starting phase (messages
and errors are always displayed in English language).
short text: a short text is displayed on the screen (20 characters max on A terminal),only in case of
real error and not for progress indication (END, STARTED and SUCCESS).
ADD-ON MODULE
1.1. Foreword
This appendix gives the different commands which can be run directly on IP Touch for diagnostic
help. Not all available commands will be given here, only the most useful will be given in this
appendix. Don’t forget that you can use help command for each IP Touch command to discover
the parameters of each command like:
audio help
#audio#
audio [state|channel]
1.2. Shelltool
It is possible to access to the major IP Touch commands thanks to the embedded IP Touch
ShellTool.
ShellTool
For security reason, some functions will not be accessible, by default, through the « IP Touch
Shelltool » The access to this function will be called “limited”. To access to the “limited” functions,
the phone has to receive from the PBX the telnet authorization message. In other words these
commands are only available by telnet.
This command is run on OXE to authorize telnet access on IP Touch. In fact, by default telnet
server is disabled on IP Touch. The telnet execution on an IP Touch, in comparison to IP Phone,
can be run from any network element.
ippstat
>IPP (IP Phone) information :
>-------------------------------------
>Display the IP Address of the local node :1
>……………….
>Ip Phone download Menu : 13
>Timeout for telnet session of NOE set : 14
>INT IP Menu : 15
>Domain Menu : 16
>IPlink Menu : 17
>Status Menu : 18
>Quit this tool :0
2. SOME TROUBLESHOOTINGS
voipstats 0 to read the VoIP statistics (lost packets) of the faulty communication,
ethernetstats lan to check LAN port ethernet statistics (collisions, CRC errors),
voipstats x to read the VoIP statistics (lost packets, delay, jitter) of the faulty
communications,
Put the IPTouch test binaries on the TFTP server and activate the server,
use dwl set to configure the TFTP server IP address, the binary and data file names,
Activation of the syslog server parameters using netlog (in NOE R6 this will be
possible using phone MMI):
3.1. Level
function definition : level [<flux_name> <level>]
The ’Id’ function allows to get information about software version, hardware version, set range and
set type.
• function definition :
− For release 1
id [ soft | boot | hard | range | type | linkdate | full ]
− For release 2
id [ main | soft | data* | boot | load** | hard | range | type | linkdate | full ]
• possible return value (Global view)
The ’dwlmethod’ function allows to get or set the binary download method.
• function definition :
dwlmethod [set no_binary | full]
• possible return value
The ’dwl’ function allows to get or set the binary name and tftp server information and starts a
binary download. The ’start’ describer forces the set to download and use after reset the binary
present on the server.
• function definition :
dwl go | [set] binary | data* | load*** | cust** | L10N** | server | port
• Restriction
“dwl go” not available on NOE IP D with 8Mb SDRAM and one binary (containing data and
code) In some case, “dwl go” can provoke a reset of the phone. To avoid such problem, do not
use this command when applications that needs a great amount of memory runs on the set.
Also, if a set is downloaded during a voice communication, this can disturb the audio quality.
The ’defence’ function allows to get the number of defence flashed or the defence list and allows to
reset the defence list.
The erase command flushes all the content of the defence sectors in the flash, then stores one
defence record with the version and the reset date of the running software.
Example:
defence erase
001-01:04:39.970 DEFENCE: version: 1.12.10 sysdate: 11/02/2004-08:40:28
#defence#
defence OK
• function definition :
defence <value> | erase
Remark:
With the 'date' command, you get the last reset.
NoePhone > date
date
#date#
date reset 15/07/2006-16:10:28
time 17:25:37
ds today 14/09/06
dl today Thu 14 Sep 2006
ds tomorrow 15/09/06
dl tomorrow Fri 15 Sep 2006
date OK
The terminal contains 2 versions. the ’verswitch’ function allows rebooting on the other version at
the next reset of terminal
• function definition :
verswitch
• Restriction
In PROTECT mode, the verswitch checks for signature validity before switching. From a
FULL binary to an EXPORT binary, the verswitch fails. This behavior is normal as the
switching to an export binary or a badly signed binary requires to set the terminal to the no
security mode (BYPASS via the local MMI).
The ’reset’ function allows to reset the set or to erase the flash (except for binary and industrial
parameters: MAC address,...), the customization file or the localization file
• function definition :
reset [flash|l10n|cust]
The ’audio’ function allows to get audio mode information and number of active channel.
• function definition :
audio [state|channel]
The ’rtp’ function allows to get rtp state and local or remote ip address and port
• function definition :
rtp 0|1 [state|direction|locip|locport|remip|remport|encryption]
When the rtp state is idle, the value of direction, locport, remip and remport corresponds to the last
active communication.
The encryption flag set to yes means SRTP is used for this communication. This is meaningful only
in a system protected with Thales boxes. (field available in release 3 or more)
The ’audioconfig’ function allow to get the current configuration of the different devices.
• function definition :
audioconfig [handset|headset|handsfree|loudspeaker|announce|ring]
The ’globalaudio’ function allows to get all information describe in this chapter. (available in
release1 and 2, removed in release 3 or more)
• function definition :
globalaudio
The return value will correspond to the following sequence except for the command
acknowledgment that will be given at the end of the sequence. (the echo function is not
defined but is use to indicate the text that will be displayed):
o echo audio
o audio
o echo rtp 0
o rtp 0
o echo rtp 1
o rtp1
o echo codec 0
o codec 0
o echo codec 1
o codec 1
o echo device handset
o device handset
o echo device handsfree
o device handsfree
o echo device headset
o device headset
o echo ringer
o ringer
o echo voicemode
o voicemode
The ’ipconfig’ function allows to get and set (flash except for TOS and priorities) IP parameters. All
flashed value will be taken into account after reset.
• function definition :
ipconfig [ip|router|mask|tftp|tftpport|cpu|mode|dhcp|vlan|use_vlan]
ipconfig [maincpu|maintftp|survi|save|restore]
ipconfig [set ip|router|mask|tftp|tftpport|cpu|mode|vlan|use_vlan <value>]
* The maincpu option shows the Call Server the terminal is connected to. The maintftp option
shows the elected tftp server.
** The VLAN id value is expressed in decimal and in (hexadecimal).
*** The restore option only works after an ipconfig save command, and only one time (one restore
for each save). maincpu, mainftp, survi, save and restore option are available in release 3 or more.
The ’phy’ function allows to get the actual link properties and to set these link properties. When the
set option is used, the configuration of the link is changed immediately, but those parameters are
note stored in flash, so after a reset, the previous value of the link are used.
• function definition :
phy [lan|pc] | [set lan|pc 10|100|auto half|full|auto]
• function definition :
sdramsize
the ’trcdump’ function allows to get the last UAUDP protocol messages log of the last 3 reset
(except
hardware reset) The message log is limited to 16kB and first message can be truncated. This
message log concerns the UA/UDP messages so it begins with the first connect messages
received
by the phone after reset.
• function definition :
trcdump n
The ’tonedef’ function allows to see the tone definition corresponding to def. tone ua message
• function definition :
tonedef [ < value > ]
The ’rtcpstats’ function allows to get RTCP information during a voice communication.
• function definition :
rtcpstats 0|1 [ rtpout | rtpin | rtplost | rtpjitter | rtplatency | rtcpout | rtcpin | rtpjittermax]
The ’voipstats’ function allows to see the Qos statistics of the 20 last calls (for release 1,1 or more,
only 10 in release 1.0). To take into account a communication, it has to be more than 20 seconds.
Those statistics are not updated during a call but at the end of the call.
• function definition :
voipstats n [ remip | rtpout | rtpin | rtplost | codec | delay | jitter ]
• Terminal applicability
Applicable to IP terminals
The ’ua_udp’ function allows reading counters and status of the ua on udp layer.
• function definition :
ua_udp { stats | status }
examples :
ua_udp status
#ua_udp#
ua_udp_socketed : 1
ua_udp_waiting_for_ack: 0
ua_udp_connect_state : CONNECTED
keepalive : 0 s
lost : 5 s
reinit : 10 s
ua status OK
ua_udp stats
#ua_udp#
Receive Transmit
CONNECT = 1 1
CONNECT_ACK= 1 1
RELEASE = 0 0
RELEASE_ACK= 0 0
KEEPALIVE = 3648 ACK= 3648
DATA = 4 6
ACK = 8 3
NACK = 0 0
DATA_bad = 0
NACK_bad = 0
errors = 0 0
bad content= 0
bad len = 0
bad peer = 0
bad state = 0
ua stats OK
• Terminal applicability:
Applicable to IP terminals
• Terminal applicability
Applicable to IP terminals.
the ’traceroute’ function allows to do a trace route to another IP address (available in release 1.1 or
more)
• function definition :
traceroute < x.x.x.x > | < x.x.x.x > < max hops >
• example
a. traceroute to an IP address that does not respond with default max hops value
traceroute 172.26.168.19
000-00:03:40.550 TRACERT: traceroute to 172.26.168.19, 10 hops max
000-00:03:40.570 TRACERT: 1 172.25.40.8 10ms 0ms 10ms
000-00:03:55.570 TRACERT: 2 * * *
000-00:04:10.570 TRACERT: 3 * * *
000-00:04:25.570 TRACERT: 4 * * *
...
000-00:10:40.570 TRACERT: 9 * * *
000-00:10:55.570 TRACERT: 10 * * *
#traceroute#
traceroute OK
b. traceroute to an IP address that does not respond with max hops value of 5
traceroute 172.26.168.19 5
000-00:03:40.550 TRACERT: traceroute to 172.26.168.19, 5 hops max
000-00:03:40.570 TRACERT: 1 172.25.40.8 10ms 0ms 10ms
000-00:03:55.570 TRACERT: 2 * * *
000-00:04:10.570 TRACERT: 3 * * *
000-00:04:25.570 TRACERT: 4 * * *
000-00:10:40.570 TRACERT: 5 * * *
#traceroute#
traceroute OK
c. traceroute to an IP address that does respond
traceroute 155.132.33.12
000-00:00:36.220 TRACERT: traceroute to 155.132.33.12, 10 hops max
000-00:00:36.240 TRACERT: 1 172.25.40.8 10ms 0ms 10ms
000-00:00:36.240 TRACERT: 2 155.132.205.207 0ms 0ms 0ms
000-00:00:36.250 TRACERT: 3 155.132.142.100 0ms 0ms 0ms
000-00:00:36.290 TRACERT: 4 139.54.237.173 10ms 20ms 10ms
000-00:00:36.330 TRACERT: 5 139.54.255.2 10ms 10ms 20ms
000-00:00:36.360 TRACERT: 6 172.26.1.251 10ms 10ms 10ms
000-00:00:36.420 TRACERT: 7 155.132.33.12 20ms 10ms 20ms
#traceroute#
traceroute OK
• Terminal applicability
Applicable to IP terminals
The ’arpshow’ function allows to get the ARP table of the terminal. (available in release 2 or more)
• function definition :
arpshow
• examples
a. arpshow with release 2
arpshow
002-17:40:42.480 ARP : LINK LEVEL ARP TABLE
002-17:40:42.480 ARP : IP Address Mac adress Flags Use Interface
002-17:40:42.480 ARP : -----------------------------------------------------------
002-17:40:42.480 ARP : 172.26.176.8 00:20:da:ff:68:ff 0x0405 0 bcm0
002-17:40:42.480 ARP : 172.26.176.12 00:80:9f:32:9d:6d 0x0405 26305 bcm0
002-17:40:42.480 ARP : -----------------------------------------------------------
#arpShow#
arpShow OK
b. arpshow with release 3
arpshow
002-17:40:42.480 PCD : LINK LEVEL ARP TABLE
002-17:40:42.480 PCD : IP Address Mac adress Flags Refcnt Use Interface
002-17:40:42.480 PCD : --------------------------------------------------------------
----
002-17:40:42.480 PCD : 172.26.176.8 00:20:da:ff:68:ff 0x0405 1 0 bcm0
002-17:40:42.480 PCD : 172.26.176.12 00:80:9f:32:9d:6d 0x0405 2 26305 bcm0
002-17:40:42.480 PCD : --------------------------------------------------------------
----
#arpShow#
arpShow OK
• Terminal applicability
Applicable to IP terminals
The ’routeshow’ function allows to display the current routing information contained in the routing
table. (available in release 3 or more)
• function definition
routeshow
a. example
routeshow
000-00:00:57.660 PCD : ROUTE NET TABLE
000-00:00:57.660 PCD : destination gateway flags Refcnt Use Interface
000-00:00:57.660 PCD : --------------------------------------------------------------
---
000-00:00:57.660 PCD : 0.0.0.0 172.26.176.8 0x0003 1 0 bcm0
000-00:00:57.660 PCD : 172.26.176.0 172.26.176.40 0x0101 1 0 bcm0
000-00:00:57.660 PCD : --------------------------------------------------------------
---
000-00:00:57.660 PCD : ROUTE HOST TABLE
000-00:00:57.660 PCD : destination gateway flags Refcnt Use Interface
000-00:00:57.660 PCD : --------------------------------------------------------------
---
000-00:00:57.660 PCD : 127.0.0.1 127.0.0.1 0x0005 0 0 lo0
000-00:00:57.660 PCD : 172.26.163.79 172.26.176.8 0x0007 1 27 bcm0
000-00:00:00.660 PCD : --------------------------------------------------------------
---
#routeShow#
routeShow OK
• Terminal applicability
Applicable to IP terminals
the ’ifshow’ function allows to display the attached network interfaces for debugging and diagnostic
purposes (available in release 3).
• function definition
ifshow
• example
ifshow
000-00:15:34.250 PCD : bcm (unit number 0):
000-00:15:34.250 PCD : Flags: (0x68043) UP BROADCAST MULTICAST ARP RUNNING INET_UP
000-00:15:34.250 PCD : Type: ETHERNET_CSMACD
000-00:15:34.250 PCD : inet: 172.26.176.40
000-00:15:34.250 PCD : Broadcast address: 172.26.176.127
000-00:15:34.250 PCD : Netmask 0xffff0000 Subnetmask 0xffffff80
000-00:15:34.250 PCD : Ethernet address is 00:80:9f:56:02:63
000-00:15:34.250 PCD : Metric is 0
000-00:15:34.250 PCD : Maximum Transfer Unit size is 1500
000-00:15:34.250 PCD : 0 octets received
000-00:15:34.250 PCD : 0 octets sent
000-00:15:34.250 PCD : 179 unicast packets received
000-00:15:34.250 PCD : 57 unicast packets sent
000-00:15:34.250 PCD : 0 non-unicast packets received
000-00:15:34.250 PCD : 2 non-unicast packets sent
000-00:15:34.250 PCD : 0 incoming packets discarded
000-00:15:34.250 PCD : 0 outgoing packets discarded
000-00:15:34.250 PCD : 0 incoming errors
000-00:15:34.250 PCD : 0 outgoing errors
000-00:15:34.250 PCD : 0 unknown protos
000-00:15:34.250 PCD : 0 collisions; 0 dropped
000-00:15:34.250 PCD : 0 output queue drops
#ifShow#
ifShow OK
• Terminal applicability
Applicable to IP terminals
The ‘netlog’ function allows to configure an network syslog server on which the debug flux will be
send. It also allows to set the debug flux level and enable or disable the debug link. (available in
release 4 or more)
• Function definition
netlog [<live|boot>_<disable|enable> | <list|save|dump>_config| {server <addr>} | {config
<n>} | {uptime <minutes>} | {dump_config <n>}]
• Remark:
a. the running parameters indicates if the external syslog redirection is currently active
b. the service parameters indicates if the external syslog redirection will start after next
reset
c. the syslog redirection will last for the programmed timeout duration. Maximum
timeout value is 23040 seconds.
d. When the service is activated, if the phone resets before the time left reach 0, the
syslog redirection will restart for the program timeout duration, else the syslog
redirection will not restart.
e. The live_<enable|disable> allows to activate the syslog redirection immediately.
f. The boot_<enable|disable> allows to activate the syslog redirection at next restart of
the phone
• Terminal applicability
Applicable to IP terminals
3.29.1. Exemple
1. First enter the IP address of the syslog server from client site
netlog server <addr>
3. Then, you might want to set up the level of the debug traces sent to the
syslog server.
a. netlog list_config
CONFIG_CURRENT = 1,
CONFIG_VERBOSE = 2,
CONFIG_FLASHED = 3,
CONFIG_UA_ONLY = 4,
CONFIG_TRACE_INIT = 5,
This command prints the debug levels associated to the config number
entered.
Enable the service on the set. If the phone resets the service is
automatically stopped.
5. It is also possible to ask for the activation of the netlog after each
reboot of the terminal.
netlog boot_enable
If the phone resets before the end of the timeout, the syslog redirection
will restart for the programmed timeout duration. When the timeout is
reached the service is automatically stopped.
netlog live_disable
netlog boot_disable
The ’mirror’ function allows to get the actual ports mirroring state and to set the mirroring state on
these ports (copy port traffic towards PC port). (available in release 2 or more)
• function definition :
mirror [set lan | smp | idle ]
• Terminal applicability
Applicable on IP terminals only (Not available on Z phone)
Remark:
The switch behavior must be such that the frames are mirrored with the tag unchanged,
unless the software has enabled the VLAN remove/replace bits in the Configuration
Register. The settings in the VLAN Configuration Register control how tagged and non-
tagged frames are handled.
To mirror all frames as they are received without modifying any tags, the switch should not
be enabling bits in these registers or the 802_1PQ_Enable bit. Mirrored frames will be
copied without any tag modifications provided the software is not setting the bits in the
VLAN Configuration Register. Therefore, no special modifications to the software need to
be made to mirror frames just as they arrive.
In that case, the traffic mirrored on PC port (from LAN or SMP) is exactly the same as the
one received.
Caution:
The PC port is still participating in the bridging while the mirroring feature is set. Some
traffic received on PC port will be received twice and may need to be filtered in the
application on the PC/probe sets on that port for trace.
This is true only to the packets that have not been learned by the ARL (Address Resolution
Logic) table yet. Only these packets will be flooded to both the SMP and PC port.
Therefore, only these unlearned packets will be received twice - one from flooding and the
other from mirroring.
Restriction:
The port mirroring feature is incompatible with the PC port security feature. Consequently,
when the PC port security is active, the mirror command which activates the port mirroring
feature is not usable, and an error message is issued when this command is used.
Management:
It is possible to activate a port mirroring between the LAN port and the PC port on the IP
Touch.
In this way all information coming on the LAN port will be forwarded to PC port.
ippstat telnet d 77116 t 10 (to enable telnet on 77116 set for 10 minutes)
ippstat d 77116 (in order to read phone information (including its IP address))
telnet 172.25.34.240 (use the IP address of the phone you read from the previous
command)
Since R8.0, the mirroring PC port is not activated by default. It is necessary to modify some
parameters on the OmniPCX Enterprise system:
Alcatel 8&9 Series > Alcatel 8&9 classe of service > Phone COS
Set the State PC Port parameter to Enable Port.
NoePhone > mirror set lan (to activate the mirroring; the configuration will be lost if
IP Touch reboots).
NoePhone > mirror set idle (to disable the mirroring).
The dos function could return a summary with the different attacks detected since the last reset. It
show too the different thresholds for DOS protection activation.
• function definition
dos [summary]
4. BLUETOOTH MANAGEMENT
The ’bthid’ function allows to get the bluetooth handset software version
• function definition :
bthid
• possible return value
The ’btstate’ function allows to get the bluetooth handset and headset state
• function definition :
btstate handset|headset [logical|link|range]
The ’thalsec’ command allows to get/reset security parameters related to the Thales security
feature.
• function definition :
thalsec show | keys | padck | { reset bypass|full }
The “padck” option returns Correct if the padding value is correct for this terminal.
** The “thalsec reset bypass” causes the terminal to return to bypass mode without deleting the
PSKp possibly installed. This has the same effect as receiving a lanpbx file indicating BYPASS
security mode.
*** The “thalsec reset full” restores the factory security settings, i.e. the terminal returns to BYPASS
mode and the PSKp is removed. This has the same effect as restoring defaults from the MMI.
The ’ipsec’ command allows to display the IPsec Security Policy and Security Associations
databases, often referred to as SPD and SADB respectively.
• Function Definition
ipsec spdshow | ikep1 | ikep2 | sadbdump
• Examples
’ipsec spdshow’ displays the IPsec SPD:
SPD
INBOUND
Proto Destination Port/ Source Port/
Destination Address Source Address Mode
------------------------------------------------------------------
UDP 1024 ANY BYPASS
172.25.40.172 172.25.40.173
UDP 500 500 BYPASS
172.25.40.172 172.25.40.173
ANY 172.25.40.172 172.25.40.173 TRANSPORT
UDP 500 500 BYPASS
172.25.40.172 0.0.0.0/0
50 172.25.40.172 0.0.0.0/0 BYPASS
51 172.25.40.172 0.0.0.0/0 BYPASS
UDP 68 ANY BYPASS
0.0.0.0/0 0.0.0.0/0
OUTBOUND
Proto Destination Port/ Source Port/
Destination Address Source Address Mode
-------------------------------------------------------------------
UDP ANY 1024 BYPASS
172.25.40.173 172.25.40.172
UDP 500 500 BYPASS
172.25.40.173 172.25.40.172
ANY 172.25.40.173 172.25.40.172 TRANSPORT
UDP 500 500 BYPASS
0.0.0.0/0 172.25.40.172
50 0.0.0.0/0 172.25.40.172 BYPASS
51 0.0.0.0/0 172.25.40.172 BYPASS
UDP 67 ANY BYPASS
0.0.0.0/0 0.0.0.0/0
6. PC port management
The ‘pcport’ function allows to get the current PC port security status and the state stored for the
next startup.
• function definition
pcport
7. 802.1x AUTHENTICATION
The ‘dot1x’ function allows to get the current 802.1x configuration and status. This command is
available since the Release 6.
• function definition
dot1x
• possible return value
• The “MAC Addr” information is only displayed if the “MAC Use” is set to “ON”. MAC
address is expressed in hexadecimal (6 digits).
When the terminal must be reset (software anomaly or call server request), the reset cause is logged
in flash memory (date + message).
During the reset phase, the internal switch becomes not operational during 3 s.
The cause of the reset of an IP Touch can be obtained via the embedded command "defence " (see
Appendix 4).
The table below gives the different causes:
Hereafter, an example of result of the command "defence 99" which shows two cases of reset.
The cause of reset is also reported in the system incident 426 at OXE level.
Example:
03/03/05 23:05:50 000001M|00/00/0/000|=4:0426=NOE terminal reset
13,(0,0),00:80:9f:56:74:b8:00,
SNIFFER TRACES
WireShark (New name for Ethereal) is an open source IP network sniffer and protocol analyzer.
It is available at http://www.wireshark.org/ for free download.
Normally an IP Sniffer trace is done behind a Hub (or tap) to capture all the traffic from OXE to the
IP Touch, or thanks to mirroring on the Switch.
With the IP Touch, there is a third solution using the mirroring feature of the internal IP Touch Switch
Trace with a Hub Trace with Switch Mirroring Trace with IP Touch Mirroring
After authorization of IP Touch telnet function, the ’mirror’ function allows to get the actual ports
mirroring state and to set the mirroring state on these ports (copy port traffic towards PC port)
(available in release 2 or more).
The switch behavior will be such that the frames are mirrored with the tag unchanged.
The PC port is still participating in the bridging while the mirroring feature is set. Some traffic
received on PC port will be received twice and may need to be filtered in the application on
the PC/probe sets on that port for trace. This is true only to the packets that have not been
learned by the ARL (Address Resolution Logic) table yet.