Upgraded V5.31 (USG20w-VPN) from FW 4.65 (Standby Space) Now Blocks Port 4500

Options
SierraTech
SierraTech Posts: 34  Freshman Member
First Anniversary 10 Comments Friend Collector
Greetings:

I have had this issue before on older firmware (4.33).

FW 4.65 has worked solid for a year, to keep iPhones connected to Verizon WiFi Calling. We have virtually no cell coverage (Lake Tahoe), especially when tourist are here in the thousands using our small bandwidth, so I must rely on WiFi Calling.

I updated to FW 5.31(ABAR.0) yesterday (standby partition), and rebooted router

I have APs setup throughout the home, so I can roam with my Cell Phone and never dropped a call using Wi-Fi calling feature, but as of yesterday it connected for a short time, but now it refuses to connect to Verizon Server due to being blocked by Firewall (see Photo of logs).

It looks like I will have to reboot onto 4.65 FW to restore my WiFi calling service. Has there been something added to newer firmware I have missed? I can't run my business this way, and have to rely on my Uverse Fiber Phone.

I attached photo of logs showing Port 4500 being blocked.
«1

All Replies

  • mMontana
    mMontana Posts: 1,342  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    IP highlighted is trying to connect to port 1090.
    Any security policy allow that?
  • CHS
    CHS Posts: 181  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    The Verizon WiFi Calling seems working with IPSec VPN tunnel.
    https://community.verizon.com/t5/Verizon-Wireless-Services/What-are-the-wifi-calling-firewall-ports-and-destination-IP/td-p/1080659

    Did you create Port Forwarding(NAT) rule to mapping IPSec VPN traffic from WAN zone to your iPhone?
  • SierraTech
    SierraTech Posts: 34  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    @mMontana

    IP highlighted is trying to connect to port 1090.
    Any security policy allow that?

    The Port it wants to forward to is not always the same port number.  It use to forward to 23855 in FW 4.60.  Previously the connection (FW 4.65) worked flawlessly with PEER to PEER Media Connection (ALG) unchecked, made a difference from not working to working for a year, without any special Port Forwards (plus there are more than 1 iPhone, so I can't do a dedicated Port Forward to a Host).
  • SierraTech
    SierraTech Posts: 34  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    @CHS

    How would I accomplish this to more than 1 iPhone? 

    I have read the article you posted, but the only VPN I have setup in the past was a "NAILED-UP" VPN Connection between two computers  for Radiologist Review of X-RAYS.

    Not sure how to forward to more than one iPhone.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @SierraTech
    The reason could be it kept the old sessions on your cell phone, so USG blocked the sessions which doesn't exist any NAT sessions(flush all of session after reboot).
    You could have a try to:
    (1) Disable WiFi calling service and disconnect WiFi connection on your cell phone.
    (2) Reboot USG and your cell phone.
    (3) Connect to WiFi after USG booting up.
    (4) Enable WiFi calling service.

    It could force cell phone re-initials registration session from Intranet to Internet. Then USG will have the NAT sessions for WiFi Calling service, and incoming packet will forward to correct phones.
    Or you can follow vzw_customer_support suggestion have a try again.
  • SierraTech
    SierraTech Posts: 34  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hi @Zyxel_Stanley

    The Above procedure did not work! I Tried it Twice. Switching to Airplane Mode would sometimes connect, but then disconnect. I even rebooted all network switches and access points.

    I finally switched back to 4.65 in Standby partition and it connected to VZW-WiFi but disconnected. Started Blocking Port 4500.  I rebooted the nearby access point and it has reconnected (I may need to reboot all access points and Switches again).

    If I recall it took a while For WiFi calling to become stable on 4.65. It has been over a week on I was on 5.31 and I could not rely on it. Today my phone has shown "NO SERVICE", hence I thought I would roll back to 4.65. When it disconnected on 4.65 it was blocking a different port on destination phone (new session as you described).

    I will run 4.65, I will reboot devices on network and see if it returns to original solid behavior.  I will post results.

    Below First two photos from iPhone on 5.31

    Last one is from 4.65...


     

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @SierraTech
    If there is additional access point products in your network environment, you may have a check if your APs are working in router mode or bridge mode.
    We will suggest changes to bridge mode, it could prevent double-NAT situation.
  • SierraTech
    SierraTech Posts: 34  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hello again @Zyxel_Stanley ,

    The AP's do not act as a Router (I have assigned them to use the Router as a Gateway), they rely on USG20W-VPN to assign DHCP (and they have integrated 4-Port Switch so I can connect devices to them via Ethernet).

    Since rolling back to 4.65, Wifi Calling has been solid for 17 hours, and I can make and receive calls.

    So something is amiss with 5.31.  Not sure what version of firmware this issue started on, since I upgraded  to 5.30 first and had problems as well.

    I skipped all the firmwares between 4.65 and 5.30 (5.20, 5.21 various) due to lack of time, and fear I might have WiFi Calling issues.

    This is why I kept 4.65 in standby, so I could switch back. Glad I did.  So this problem creeped in after 4.65.

    On 5.31, I had disconnected all APs except the USG20W AP, and I couldn't maintain WiFi Calling connection while nearby (2.4MHz band)  router.

    So something has happened since 4.65 that has broke WiFi calling again blocking port 4500. You can see I had the same issue on 4.60 (posted on this forum) posted in November 2020.

    Screen Capture below was from this morning on 4.65!


    I can walk all through the home, and maintain a solid WiFi calling connection on 4.65!
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @SierraTech
    There is one of client resolve the issue by enable UPnP function.
    If the issue still exist, you may collect packets on WAN and LAN interface in the same time after enabling WiFi Calling function on your iPhone.
  • mMontana
    mMontana Posts: 1,342  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Zyxel_Stanley personally I'm really unconfortable and I feel unsafe enabling uPNP on a firewall device.

Security Highlight