Zyxel GS 1900 <-> UDM-PRO Voice VLAN Problem

jst68

I have connected a Yealink T46S to port 8 of my 1900-8 switch. It seems to get an IP address using DHCP, but the phone cannot connect to its server.

I have read quite a few posts before posting here and believe my configuration should be fine.

Port1 is connected to the UDM-PRO and port 8 is connected to the YealinkT46-S. All other ports are connected to desktop, laptops and printers.

Here are some screenshots of my VLAN configuration.

I hope I have captured all relevant information. The UDM-PRO shows me that the phone has an IP in the voice VLAN subnet and I can connect to its admin interface using that IP. It just seems to block any data going to the phone server.

If my switch configuration is fine, I will open a question with Ubiquiti to determine if there is anything blocking my data, but data seems to cross to other subnets just fine.

Zyxel_Kay

Hi @jst68

Your switch GS1900-8's configuration appears to be correct, and we replicated your setup using the Zyxel Firewall USG FLEX 100, Switch GS1900-8, and a Yealink IP Phone T19-E2 for testing.

Based on our test, the IP Phone successfully obtained a VLAN10 DHCP IP from the DHCP server. Additionally, we conducted a PING test from the server to the IP Phone, confirming that traffic between the two devices is indeed being forwarded as expected.

Regarding the switch, we were able to verify that the IP Phone's MAC address appears in the switch's MAC table, specifically in VLAN10. This indicates that the switch is indeed receiving traffic from the IP Phone.
You can check this information by navigating to the switch's local web GUI > Monitor > MAC Table to confirm whether your IP Phone is listed in the Switch MAC table.

If further assistance is needed, you may want to reach out to Yealink or Unifi support for more specific insights.

jst68

Nevermind. A nice person on Discord helped me doing a tcpdump and then I figured that traffic got blocked by an outdated IPSec tunnel.

The problem is finally solved! :)

Zyxel_Kay

Hi @jst68

To resolve the issue with your Yealink T46S phone not connecting to its server, it's important to ensure that your VLAN configuration is correctly set up. Based on the information you've provided and your switch configuration, it seems like you're on the right track.

Here's a revised configuration recommendation for VLAN10:

• Port 1: Tagged
  

By setting Port 1 as tagged, you allow traffic from VLAN10 to pass through it, which is essential for the phone to connect to the server.

Feel free to reach us if there is any question.

jst68

Thank you for your response @Zyxel_Kay!

Unfortunately, this did not solve the problem. I mean I understand that this is a complex problem since it involves hardware from multiple vendors.

Any other suggestions?

Zyxel_Kay

Hi @jst68

To assist you further, could you please share with us your IP phone's configuration?

jst68

I can share that tomorrow, but I am basically using auto provisioning

Zyxel_Kay

Hi @jst68

You may find the IP phone’s configuration by accessing its local web GUI. If possible, please share with following information:

1. The screenshots of “Status” and “Network > Advanced” interfaces on IP Phone’s web GUI.
   
2. It would be helpful if you could provide a network topology diagram. Please indicate where the IP phone's server is connected in relation to the switch and other network devices.

Thank you for your cooperation.

jst68

For 1.

For 2.

The phone server is remote (cloud based) and so it doesn't show on the network topology diagram I can generate in the UDM PRO UI. I also didn't include it because many labels use descriptions that could potentially endanger my network to attacks.

Additional information:

• I am also running another SIP phone (Yealink W60B) on the same VLAN and it works fine, but it is directly connected to the UDM PRO; I am assuming that means that the DHCP/VLAN network is working, right?

My DHCP server for the voice VLAN.

As you can see "Isolation" is turned off. If enabled, it isolates the VLAN by disabling traffic to other subnets.

Zyxel_Kay

Hi @jst68

Your switch GS1900-8's configuration appears to be correct, and we replicated your setup using the Zyxel Firewall USG FLEX 100, Switch GS1900-8, and a Yealink IP Phone T19-E2 for testing.

Based on our test, the IP Phone successfully obtained a VLAN10 DHCP IP from the DHCP server. Additionally, we conducted a PING test from the server to the IP Phone, confirming that traffic between the two devices is indeed being forwarded as expected.

Regarding the switch, we were able to verify that the IP Phone's MAC address appears in the switch's MAC table, specifically in VLAN10. This indicates that the switch is indeed receiving traffic from the IP Phone.
You can check this information by navigating to the switch's local web GUI > Monitor > MAC Table to confirm whether your IP Phone is listed in the Switch MAC table.

If further assistance is needed, you may want to reach out to Yealink or Unifi support for more specific insights.

jst68

It is getting an IP address which I can see on the UDM -PRO.

I can also see the configuration working in a sense that it points the phone to the voice VLAN. hHere is a screenshot showing that.

Y phone is connected to port 8 of the switch.

I can also see ait in the UDM-PRO, but it fails to connect to the 3cx cloud..

From my point of view, all this shows me that the "blocking" takes place in the UDM-PRO and not the Zyxel switch. As such, I will create a post on the Ubiquiti community to resolve this.

Thank you for your help!

jst68

Ok. I have worked with Ubiquiti support and they had me plug my switch uplink cable into the phone directly which worked right away. As a result, I couldn't help but agree with them that the issue is likely with the switch. They also took a look at my other configuration, and everything looks good.

So, what else can I try? It's hard to believe that I am the only person with this problem.

jst68

Nevermind. A nice person on Discord helped me doing a tcpdump and then I figured that traffic got blocked by an outdated IPSec tunnel.

The problem is finally solved! :)