Avaya 9611G/4610SW VPN to PA-500

L1 Bithead

Re: Avaya 9611G/4610SW VPN to PA-500

We currently have 5 or 6 9611G models operating without issue.  What model are you working with?

On the phone itself, our settings of note are:

VPN Vendor is set to Other

Encapsulation is set to 4500-4500 (this caused issues if set otherwise)

IKE ID is KEY_ID

We never had any success with the 4600 series IP phones, so if you are using these, you may be out of luck.  As long as you have the VPN version of the firmware on the 9600s, you can navigate the settings by pressing * to program and then VPN for the access code, or the default Avaya security code of 27238.

L4 Transporter

Re: Avaya 9611G/4610SW VPN to PA-500

I got you. I was more or less suggesting that just to see if it'd work at all; I understand that's not really a palatable long-term solution.

L4 Transporter

Re: Avaya 9611G/4610SW VPN to PA-500

Thanks for the response and the help. That's good to hear you have some working. I was beginning to think it wasn't possible. We are using the 9620L model. I changed the Encapsulation to 4500-4500 as you suggested. It wasn't previously set that way though. Didn't seem to do the trick unfortunately. The firewall shows me the error I have attached. I am not sure how to configure the KeyID in the PA's GlobalProtect configurations to match the phone. How did you handle that?

L4 Transporter

Re: Avaya 9611G/4610SW VPN to PA-500

Well, I finally threw in the towel. After many days (probably more like weeks) of troubleshooting and testing we just decided to purchase a firewall from a different vendor. From firewall install to working phone was about 3 hours. Too bad I couldn't get this working on Palo Alto, that's one of the reasons we bought them. Thanks to those who offered help.

L1 Bithead

Re: Avaya 9611G/4610SW VPN to PA-500

Hi - did you try disabling "Skip Auth on IKE Rekey" under the Gateway --> Client Configuration --> Tunnel Settings?

L1 Bithead

Re: Avaya 9611G/4610SW VPN to PA-500

Hello, was there ever any discussion about making GlobalProtect compatible with the Avaya phones? Just recently tried it with the settings discussed in the forums, but could not get past Phase 1.

L1 Bithead

Re: Avaya 9611G/4610SW VPN to PA-500

In order to get the Avaya 96xx IP phones to connect to a GlobalProtect gateway, I found there are certain settings that need to be configured on the phone in order to make it work.  I spent about 3 days going through different configuration setups and what I found was that the phones will auto-negotiate the IKE Phase-1 parameters, but for some reason will not negotiate the Phase-2 parameters automatically.  The solution that worked for me was setting the following parameters in the 46xxsettings.txt file used to program the phones via http.

 

SET NVVPNMODE 1

SET NVIKECONFIGMODE 1
SET NVIKEIDTYPE 11
SET NVIKEXCHGMODE 1

SET NVVPNAUTHTYPE 4

SET NVSGIP "vphone.yourdomain.com"  (I recommend using FQDN if possible.  Static IP can cause challenges later if ISP changes)

SET NVVPNPSWDTYPE 1

SET NVVPNENCAPS 0

SET NVIKEPSK "your-psk-password-here"

SET NVIKEID "vpnphone@yourdomain.com"  (This is also referred to as the Group Name)

SET NVIKEDHGRP 2

SET NVIKEP1ENCALG 0

SET NVIKEP1AUTHALG 0

SET NVIKEP2ENCALG 5  (manually sets Phase-2 IKE to aes-256)

SET NVIKEP2AUTHALG 2  (manually sets Phase-2 auth to SHA-1)

SET NVPFSDHGRP 0  (this is important - none of the P2 settings above would have any effect until PFS was disabled)

SET NVIKEP1LIFESEC 86400  (phone defaults to 432,000s, which is 5 days - I set here to 1 day or you can keep default)

SET NVIKEP2LIFESEC 86400

 

This will work with the 96xx series of Avaya IP phones and I can provide additional details/notes in case anyone is looking to connect one over a VPN connection to a GlobalProtect gateway.  I had to migrate the configuration from a Juniper SSG firewall to Palo Alto PA-850, which provided some challenges since there really is no Avaya documentation or support information available that discusses setting up a VPN phone on the Palo Alto platform.  Good Luck!!
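
An added example, not part of the thread and not Avaya or Palo Alto tooling: a Python check that reads a 46xxsettings.txt and compares it with the Phase-2 values the post above reports, and flags the post's example strings if they were left unchanged. The function names and the sample input are constructed here, and treating text after a value as a stray annotation is an assumption about the file format.

```python
import re

# Phase-2 values the post reports as required; meanings are the post's own notes.
REQUIRED = {
    "NVPFSDHGRP": "0",      # PFS disabled; post: P2 settings have no effect otherwise
    "NVIKEP2ENCALG": "5",   # post: aes-256
    "NVIKEP2AUTHALG": "2",  # post: SHA-1
}
# Example strings from the post that must be replaced before deployment.
PLACEHOLDERS = {
    "NVSGIP": "vphone.yourdomain.com",
    "NVIKEPSK": "your-psk-password-here",
    "NVIKEID": "vpnphone@yourdomain.com",
}
# SET <name> <"quoted value" or bare token> <anything left over>
SET_RE = re.compile(r'^SET\s+(\w+)\s+("([^"]*)"|\S+)\s*(.*)$')

def parse_settings(text):
    """Return ({name: value}, [names whose SET line carries trailing text])."""
    values, trailing = {}, []
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())   # blank and non-SET lines are skipped
        if not m:
            continue
        name, token, quoted, rest = m.groups()
        values[name] = quoted if quoted is not None else token
        if rest:
            trailing.append(name)
    return values, trailing

def audit(text):
    """List findings for a settings file, judged against the post's values."""
    values, trailing = parse_settings(text)
    findings = []
    for name, want in REQUIRED.items():
        got = values.get(name)
        if got != want:
            findings.append(f"{name}: {got or 'not set'} (post uses {want})")
    for name, example in PLACEHOLDERS.items():
        if values.get(name) == example:
            findings.append(f"{name}: still the example value from the post")
    findings += [f"{name}: trailing note on SET line" for name in trailing]
    return findings

# Constructed sample: PFS left on, PSK placeholder unchanged, a note pasted inline.
SAMPLE = 'SET NVPFSDHGRP 2\nSET NVIKEP2ENCALG 5  (aes-256)\nSET NVIKEPSK "your-psk-password-here"\n'

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because the file carries the pre-shared key in clear text, run the check on the copy that is actually served to the phones and review who can fetch that file.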
