DarkForti
New Contributor

TFTP Server Option150

Hello,

I did the following on one of the DHCP scopes I created, and it links to our TFTP server for the Cisco phone.

Currently on the phone it picks up the DHCP and TFTP Server but on the firewall


config system dhcp server
    edit 3
        set forticlient-on-net-status disable
        set default-gateway 10.15.x.x
        set netmask 255.255.255.0
        set interface "port36"
            config ip-range
                edit 1
                    set start-ip 10.15.x.x
                    set end-ip 10.15.x.x
                next
            end
        set timezone-option default
        set option1 150 'IP HEX OF MY '
        set dns-server1 X.X.X.X
        set dns-server2 X.X.X.X
        set netmask X.X.X.X
    next
end

Toshi_Esumi
SuperUser

Are you saying "a firewall", in addition to Cisco phones, is in the same DHCP scope as a client and supposed to pull the TFTP server IP via Option 150? I thought Option 150 was Cisco proprietary. All the other devices I know use Option 66 instead.

DarkForti

Toshi - Basically what happened is I created a Voice DHCP for the Cisco 7960G.

It will get the DHCP IP but cannot find the TFTP Server - I have to add the Option 150 for the phone to pick up a TFTP Server.

So has anyone set up a FortiGate that talks back to Call Manager for the Cisco phone to register? I know it works if I add the TFTP address manually on the phone - but what happens if I am setting up an office with a Cisco switch..

Currently right now the firewall log is saying the SCCP is timing out.

Any help would be greatly appreciated.

Toshi_Esumi

Did you convert the IP address from the dotted-decimal notation to a binary value before converting it to HEX? That's a common mistake I found even in some config discussions on the internet. Cisco phones expect a binary IP address instead of the ASCII format of dotted-decimal notation. We had the same problem when we started deploying FG60D to our Cisco phone customers.

DarkForti

Yep, that is how I got that number, we are on the same page LOL

Can you show me some of your sample config if possible...

Toshi_Esumi

Below is what I put on our internal wiki to deploy. We use vlan2 for "voice" interface. It's working.

config system dhcp server
.
.
edit 2
set default-gateway x.x.x.0
set netmask 255.255.255.0
set interface "voice"
config ip-range
edit 1
set start-ip x.x.x.1
set end-ip x.x.x.249
next
end
set option1 150 '45aabf06' <--Note1
set option2 66 '45aabf06'
set dns-server1 69.28.97.4 <--Note2
set dns-server2 69.28.104.5 <--Note2
next
end

Note1: '45aabf06' is a binary value of the IP address "69.170.191.6".

Note2: To be able to configure DNS server IPs, you need to configure "set dns-service specify" first.
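
The encoding described in Note1, as an added Python example that is not part of the original thread or of any Fortinet or Cisco tooling. The function names are hypothetical, the 10.0.0.x addresses are constructed, and the example goes slightly beyond the thread by accepting several servers, since option 150 carries a list of 4-byte IPv4 addresses (RFC 5859).

```python
import ipaddress

def encode_option150(servers):
    """Pack IPv4 addresses into the hex string for `set option1 150 '<hex>'`."""
    if not servers:
        raise ValueError("at least one TFTP server address is required")
    return b"".join(ipaddress.IPv4Address(s).packed for s in servers).hex()

def decode_option150(hex_value):
    """Return the IPv4 addresses a hex option value carries, or raise ValueError."""
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 4:
        raise ValueError(f"{len(raw)} bytes is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def check_option150(hex_value):
    """Classify a configured value as 'ok', 'ascii-encoded' or 'invalid'."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError:
        return "invalid"
    try:
        # The mistake from the thread: hex of the text "69.170.191.6" instead of
        # hex of the four address bytes. Such a value decodes to a dotted quad.
        ipaddress.IPv4Address(raw.decode("ascii"))
        return "ascii-encoded"
    except ValueError:  # covers UnicodeDecodeError and AddressValueError
        pass
    return "ok" if raw and len(raw) % 4 == 0 else "invalid"

if __name__ == "__main__":
    good = encode_option150(["69.170.191.6"])          # value from the thread
    wrong = "69.170.191.6".encode("ascii").hex()       # the ASCII mistake
    pair = encode_option150(["10.0.0.1", "10.0.0.2"])  # constructed addresses
    for value in (good, wrong, pair, "45aabf"):
        print(f"{value:<26} {check_option150(value)}")
    print(decode_option150(good), decode_option150(pair))
```

The ASCII form of this address happens to be 12 bytes, so a length check alone would accept it as three unrelated addresses; that is why `check_option150` tests for decodable text before checking the length.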

DarkForti
New Contributor

Hello Toshi - so basically when I give the Cisco 7960G a Voice DHCP - the TFTP on the physical phone will never register with the Cisco TFTP Server.

So I found on a forum to convert the TFTP IP to a hex address, so I added this line:

set option1 150 'IP HEX OF MY '

Now the phone boots up and picks up the TFTP but I have another issue where SCCP is being blocked even though it is enabled. The firewall log keeps saying it times out ...

That is why I am curious if anyone has gotten the Cisco phone to register back with CUCM ...

Also, has anyone verified if the PoE ports on the 140D can power on a Cisco phone? I know with Airtight you can..


DarkForti
New Contributor

Still timing out - did you have to specify anything in service? And firewall?

My in and out is basically very basic and can talk to everything on the network....

The Advanced DHCP has the list TFTP - any suggestion?

Routing, etc. I need to do, and I assume your DHCP is from the Fortinet device itself? I still need to figure out how to do DHCP using our DC for the DHCP scope (the relay I tried does not seem to work)...


Toshi_Esumi

DHCP service doesn't require any policy. If you configure it as shown, the exact info should go out through the interface. If you have doubts, you can set up a mirror port (SPAN) and hook up a laptop to sniff the DHCP handshake packets.

I would also recommend you compare this with any Cisco router's DHCP if you have any. My guess is the Cisco phones don't work even with a Cisco router. Beyond that you probably need to ask at Cisco's forum or somewhere.

DarkForti

One last question Toshi - did you have to do any static route to your CUCM Call Manager?
