Appendix 1: Common Causes for IP Phones' Login Failures and Workaround

157 0 0 0

The following describes common causes.

Cause 1: An Avaya Phone Cannot Go Online Because It Cannot Obtain an IP Address Within 60s

The Avaya phone fails to obtain an IP address through DHCP within 60s due to the network delay or other causes. After the timer expires, the Avaya phone sends packets tagged with VLAN 0 repeatedly. The switch processes packets tagged with VLAN 0 in the same manner as untagged packets, that is, in the VLAN specified by the PVID of an interface. Such packets are not processed in the voice VLAN. As a result, the Avaya phone fails to be authenticated and cannot connect to the switch.


  • Method 1: In V200R003C00 and later versions, you are advised to configure the OUI-based voice VLAN. The switch then adds the voice VLAN ID to untagged packets so that the packets can be forwarded in the voice VLAN. For details, see (Recommended) Interoperation Between Switches and IP Phones Through the OUI-based Voice VLANFor the fixed switches (S5720EI, S6720EI, S6720S-EI), and modular switches (excluding X series cards), you can also use the voice-vlan vlan-id enable include-tag0 command to enable the voice VLAN for packets tagged with VLAN 0 in V200R010 and later versions.
  • Method 2: Modify the value of the VLAN TEST timer of the IP phone: Press the star key (*) and enter the password to access the menu. Select VLAN TEST and change the default value to 0 (no timeout). After the Avaya phone restarts, the timer settings are no longer effective and must be reconfigured.

Cause 2: An Avaya Phone Cannot Go Online When It Uses MAC Address Authentication and the Switch of an Earlier Version of V200R003C00 Is Enabled with MAC Address Bypass Authentication

The switch enabled with MAC address bypass authentication performs MAC address authentication only when the timeout interval of the 802.1X client is exceeded. In earlier versions of V200R003C00, the timeout interval of the 802.1X client is 30s. That is, MAC address authentication is performed after 30s. The value of the timer of the Avaya phone is 60s. If the Avaya phone fails to be authenticated within 30s, it sends only packets tagged with VLAN 0. As a result, the Avaya phone cannot go online.


<HUAWEI> system-view [HUAWEI] dot1x timer client-timeout 5  //Change the authentication timeout interval of the client to 5s to increase the MAC address authentication time. 

Cause 3: An IP Phone Cannot Go Online Because the VLANs for Authentication and Forwarding Voice Flows Are Different

An IP phone cannot go online because the VLANs for authentication and forwarding voice flows are different. The root cause is that the switch forwards only packets from the authenticated VLAN but discards packets from the non-authenticated VLAN.

Figure 2-20 shows the scenario where the IP phone cannot go online.

Figure 2-20  IP phone cannot go online 


  • Method 1: In V200R003C00 and later versions, you are advised to configure the OUI-based voice VLAN. For details, see (Recommended) Interoperation Between Switches and IP Phones Through the OUI-based Voice VLAN.
  • Method 2: In V200R010 and later versions, MAC address migration can be enabled so that IP phones can be authenticated based on the PVID and voice VLAN ID.
    <HUAWEI> system-view [HUAWEI] authentication mac-move enable vlan 10 100  //Assume that the PVID of the interface is VLAN 10 and the voice VLAN ID is VLAN 100. 
  • Method 3: Configure the blacklist so that the switch discards the packets that come from the IP phone and are forwarded based on the PVID. In this case, the authenticated VLAN and voice VLAN of the IP phone are the same.
    1. Configure an ACL rule to match the MAC address of the IP phone and PVID of the interface.
      <HUAWEI> system-view [HUAWEI] acl number 4000 [HUAWEI-acl-L2-4000] rule 5 permit source-mac ac44-f211-df8e vlan-id 1  //Assume that the MAC address of the IP phone is ac44-f211-df8e and the PVID is VLAN 1. [HUAWEI-acl-L2-4000] quit 
    2. Configure an attack defense policy.
      [HUAWEI] cpu-defend policy p1 [HUAWEI-cpu-defend-policy-p1] blacklist 1 acl 4000  //Configure the blacklist. [HUAWEI-cpu-defend-policy-p1] quit 
    3. Apply the attack defense policy globally.
      [HUAWEI] cpu-defend-policy p1 global
  • Method 4: Configure dynamic VLAN authorization. If different interfaces use different voice VLAN IDs, configuring dynamic VLAN authorization cannot prevent the problem. You can configure only the unified mode.
    1. Configure the same user VLAN ID as the voice VLAN ID in the service scheme.
      <HUAWEI> system-view [HUAWEI] aaa [HUAWEI-aaa] service-scheme test  //Create a service scheme named test. [HUAWEI-aaa-service-test] user-vlan 100  //Configure a user VLAN. The user VLAN ID is the voice VLAN ID. [HUAWEI-aaa-service-test] voice-vlan  //Enable the voice VLAN function. [HUAWEI-aaa-service-test] quit 
    2. Apply the service scheme to the default domain.
      [HUAWEI-aaa] domain default [HUAWEI-aaa-domain-default] service-scheme test [HUAWEI-aaa-domain-default] quit [HUAWEI-aaa] quit 
    3. Authorize the voice VLAN through the server. Set the authorization VLAN ID to the voice VLAN ID and set Attribute ID/name to HW-Voice-vlan(33). The Agile Controller is used as an example.

      Choose Policy > Permission Control > Authentication & Authorization > Authorization Result and click Add to create an authorization result.

Cause 4: An IP Phone Is Enabled with 802.1X Authentication and the Switch Is Configured with MAC Address Bypass Authentication. When 802.1X Authentication of the IP Phone Fails, the Switch Does Not Perform MAC Address Authentication. Consequently, the IP Phone Cannot Go Online


  • Method 1: Disable 802.1X authentication on the IP phone.
    1. Disable 802.1X authentication on the Avaya phone:
      1. Press the star key (*), enter the password (27238 by default), and press the pound key (#) to enter the menu.
      2. Select 802.1X, and set values of Supplicant and Pass-thru to disable.
    2. Disable 802.1X authentication on the Cisco phone:

      Choose Security Configuration > 8021X Authentication and set Device Authentication to Disable.

  • Method 2: Configure MAC address-prioritized Portal authentication on the switch interface. Only the common mode supports this configuration.
    <HUAWEI> system-view [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] dot1x mac-bypass mac-auth-first 

Cause 5: The IP Phone Goes Online and Offline Frequently Because It Does Not Respond to ARP Offline Probe Packets Sent by the Switch

To ensure normal online status of the IP phone, the switch sends ARP offline probe packets with the source IP address of to the IP phone. If the IP phone does not support response to ARP offline probe packets with the source IP address of, the switch considers the IP phone offline and disconnects the IP phone. In this case, the IP phone may go online and offline frequently. Check ARP detect fail.

Run the display aaa offline-record all command to check the cause for logout of the IP phone.

<HUAWEI> display aaa offline-record all  -------------------------------------------------------------------   User name             : test@rds   Domain name           : default   User MAC              : 0021-9746-b67c   User access type      : MAC   User access interface : GigabitEthernet0/0/2   Qinq vlan/User vlan   : 0/1   User IP address       :   User IPV6 address     : -   User ID               : 19   User login time       : 2016/10/01 04:49:39   User offline time     : 2016/10/01 04:59:43   User offline reason   : ARP detect fail   -------------------------------------------------------------------   Are you sure to display some information?(y/n)[y]: 


  • Method 1: Configure the default source IP address of ARP offline detection packets.

    <HUAWEI> system-view [HUAWEI] access-user arp-detect default ip-address  //Configure the default source address of ARP offline probe packets as 
  • Method 2: Configure the source IP address and source MAC address of ARP offline detection packets in the specified VLAN.

    <HUAWEI> system-view [HUAWEI] access-user arp-detect vlan 10 ip-address mac-address 2222-1111-1234  //Configure the source IP address of ARP offline probe packets as and the source MAC address as 2222-1111-1234. 

Cause 6: Customized Options Are Not Configured for a Switch Functioning as the DHCP Server. As a Result, Mitel 5212 Phones Fail to Go Online

When a switch functions as the DHCP server, Option 128, Option 129, Option 130, and Option 131 need to be configured in the address pool of the DHCP server; otherwise, Mitel 5212 phones cannot identify DHCP Offer packets sent by the DHCP server and cannot go online.


Perform the following configurations on the switch and ensure that these fields are included in sent packets:

<HUAWEI> system-view [HUAWEI] ip pool ip-phone [HUAWEI-ip-pool-ip-phone] option 128 ip-address [HUAWEI-ip-pool-ip-phone] option 129 ip-address [HUAWEI-ip-pool-ip-phone] option 130 ascii MITEL IP PHONE [HUAWEI-ip-pool-ip-phone] option 131 ip-address 

See more please click

  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits