
Cisco 7921G IP Phones

Posted: Sat Apr 21, 2012 4:31 am
by bevhost
We have deployed a new phone system using wired Cisco 7941 phones and Wireless 7921G phones.
We have the wired phones running on a VLAN on top of our normal LAN.
We have HP switches which give priority to the VLAN traffic.
The wireless network has two SSIDs, one for the PCs and one for phones.
The APs have a bridge for each.
PC bridge from LAN to PC Wireless
Phone bridge from VLAN to Phone Wireless.

I can ping a wireless phone all day long with no dropouts.
When I try to make a call with a wireless phone after a few seconds the audio to the wireless handset cuts out.

If I do a packet capture in the AP router, listening to the VLAN interface I see packets going back and forth all the way through the conversation, but if I capture listening to the Wireless interface I see two way packets up to the point where the audio drops out and then just one way packets after that.

BTW, the above ping also stops working when a call gets underway.

Re: Cisco 7921G IP Phones

Posted: Sat Apr 21, 2012 4:38 am
by jandafields
> We have deployed a new phone system using wired Cisco 7941 phones and Wireless 7921G phones.
> We have the wired phones running on a VLAN on top of our normal LAN.
> We have HP switches which give priority to the VLAN traffic.
> The wireless network has two SSIDs, one for the PCs and one for phones.
> The APs have a bridge for each.
> PC bridge from LAN to PC Wireless
> Phone bridge from VLAN to Phone Wireless.
>
> I can ping a wireless phone all day long with no dropouts.
> When I try to make a call with a wireless phone after a few seconds the audio to the wireless handset cuts out.
>
> If I do a packet capture in the AP router, listening to the VLAN interface I see packets going back and forth all the way through the conversation, but if I capture listening to the Wireless interface I see two way packets up to the point where the audio drops out and then just one way packets after that.
>
> BTW, the above ping also stops working when a call gets underway.

Have you done any bypass troubleshooting yet to make sure the wireless phones work properly without the Mikrotik?

Re: Cisco 7921G IP Phones

Posted: Sun Apr 22, 2012 7:44 am
by bevhost
> Have you done any bypass troubleshooting yet to make sure the wireless phones work properly without the Mikrotik?

Should be testing that tomorrow on a Cisco Wireless AP. I'll let you know.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 12:23 pm
by bevhost
> > Have you done any bypass troubleshooting yet to make sure the wireless phones work properly without the Mikrotik?
>
> Should be testing that tomorrow on a Cisco Wireless AP. I'll let you know.

Have now tried it on a few networks.
Our phone system provider tried it in their office on a Cisco and it works.
I tried it on my home Mikrotik, (no VLANS) and it drops out.
I tried it on my 3G CellPhone (Samsung Nexus S, Android Ice Cream) WiFi Hotspot and it works beautifully.

So it's really looking like the Mikrotik is the common piece when it drops out.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 1:49 pm
by bevhost
Since my home setup is a little less complicated than work I tried to configure a different SSID just for the phone, so I could get rid of the Bridge between the wireless interface and my LAN.

I set up a separate IP subnet on the new wireless interface with a DHCP server and NAT rules to let it route directly out to the Internet bypassing my LAN.

The phone registers with the call manager OK but as soon as the call begins the audio drops out within a few seconds.
The person I am calling can hear me for the duration of the call and the call hangs up as soon as I press the end button,
I just can't hear anything on the Cisco Wireless handset past the first few seconds.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 5:19 pm
by jandafields
Turn off the SIP Helper in Mikrotik.

IP -> FIREWALL -> SERVICE PORTS
DISABLE SIP

Please let us know the results after you do that.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:18 pm
by bevhost
> Turn off the SIP Helper in Mikrotik.
>
> IP -> FIREWALL -> SERVICE PORTS
> DISABLE SIP
>
> Please let us know the results after you do that.

No change. :(

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:26 pm
by jandafields
You say that the pings stop working when the voice stops.

Do you have any filter rules in your firewall or bridge? If so, export them here.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:26 pm
by bevhost
I have also disabled the Bandwidth Test Server in case port 2000 conflicts with SCCP Skinny Protocol.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:28 pm
by bevhost
> You say that the pings stop working when the voice stops.
>
> Do you have any filter rules in your firewall or bridge? If so, export them here.

I've tried rules that log things, but right now no rules at all.
Pass through IP Firewall also turned off.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:30 pm
by bevhost
> but right now no rules at all.

In the bridge anyway, I'll get the IP firewall rules and export them.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:32 pm
by jandafields
> > You say that the pings stop working when the voice stops.
> >
> > Do you have any filter rules in your firewall or bridge? If so, export them here.
>
> I've tried rules that log things, but right now no rules at all.
> Pass through IP Firewall also turned off.

Even if the voice cuts out, there is no reason the pings should stop working. How do you "fix" it? Do the pings start working at call termination? Do you have to reboot Mikrotik, phone, or unplug the network?

What Mikrotik hardware and version are you using?

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:36 pm
by bevhost
[admin@BEVHOME] /ip firewall filter> export
# apr/24/2012 06:31:47 by RouterOS 5.7
#
/ip firewall filter
add action=log chain=forward disabled=yes log-prefix="BIt Torrent" p2p=all-p2p
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers to local router addreess where src-address!=safe-ips" disabled=no dst-address-type=local dst-port=\
22 protocol=tcp src-address-list=!safe-ips
add action=drop chain=forward comment="drop ssh, rdp, webmin - to local server addreess where src-address!=safe-ips" disabled=no dst-address=10.2.47.0/24 \
dst-port=22,3389,10000,80,2812,1024 protocol=tcp src-address-list=!safe-ips
add action=add-src-to-address-list address-list=temp1 address-list-timeout=30s chain=input comment="Knock on port 123 - add to temp1" disabled=no dst-port=\
123 protocol=tcp
add action=add-src-to-address-list address-list=temp2 address-list-timeout=30s chain=input comment="Knock on port 456 - add to temp2" disabled=no dst-port=456 \
protocol=tcp src-address-list=temp1
add action=add-src-to-address-list address-list=safe-ips address-list-timeout=1w chain=input comment="Add to safe-ips list for 7 days - Port knocking access" \
disabled=no dst-port=789 protocol=tcp src-address-list=temp2
[admin@BEVHOME] /ip firewall filter>

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:41 pm
by jandafields
Is the Mikrotik the wireless access point for the wireless phones, or do you have a separate wireless access point?

If it is the Mikrotik that has wireless radio, look at the wireless hardware settings (HW Retries, quality, tx/rx power, etc)

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:46 pm
by bevhost
> Even if the voice cuts out, there is no reason the pings should stop working. How do you "fix" it? Do the pings start working at call termination? Do you have to reboot Mikrotik, phone, or unplug the network?

What a great question, I just tried it and something amazing happened.

64 bytes from 192.168.139.254: icmp_seq=28 ttl=63 time=534 ms
64 bytes from 192.168.139.254: icmp_seq=29 ttl=63 time=556 ms
64 bytes from 192.168.139.254: icmp_seq=30 ttl=63 time=576 ms
64 bytes from 192.168.139.254: icmp_seq=31 ttl=63 time=571 ms
64 bytes from 192.168.139.254: icmp_seq=32 ttl=63 time=590 ms
64 bytes from 192.168.139.254: icmp_seq=33 ttl=63 time=610 ms
64 bytes from 192.168.139.254: icmp_seq=34 ttl=63 time=630 ms
64 bytes from 192.168.139.254: icmp_seq=35 ttl=63 time=657 ms
64 bytes from 192.168.139.254: icmp_seq=36 ttl=63 time=662 ms
64 bytes from 192.168.139.254: icmp_seq=37 ttl=63 time=4.34 ms
64 bytes from 192.168.139.254: icmp_seq=38 ttl=63 time=5.52 ms
64 bytes from 192.168.139.254: icmp_seq=39 ttl=63 time=16655 ms
64 bytes from 192.168.139.254: icmp_seq=40 ttl=63 time=15658 ms
64 bytes from 192.168.139.254: icmp_seq=41 ttl=63 time=14661 ms
64 bytes from 192.168.139.254: icmp_seq=42 ttl=63 time=13664 ms
64 bytes from 192.168.139.254: icmp_seq=43 ttl=63 time=12664 ms
64 bytes from 192.168.139.254: icmp_seq=44 ttl=63 time=11666 ms
64 bytes from 192.168.139.254: icmp_seq=45 ttl=63 time=10667 ms
64 bytes from 192.168.139.254: icmp_seq=47 ttl=63 time=8670 ms
64 bytes from 192.168.139.254: icmp_seq=49 ttl=63 time=6671 ms
64 bytes from 192.168.139.254: icmp_seq=50 ttl=63 time=5673 ms
64 bytes from 192.168.139.254: icmp_seq=51 ttl=63 time=4686 ms
64 bytes from 192.168.139.254: icmp_seq=52 ttl=63 time=3686 ms
64 bytes from 192.168.139.254: icmp_seq=53 ttl=63 time=2687 ms
64 bytes from 192.168.139.254: icmp_seq=54 ttl=63 time=1694 ms
64 bytes from 192.168.139.254: icmp_seq=55 ttl=63 time=695 ms
64 bytes from 192.168.139.254: icmp_seq=56 ttl=63 time=4.35 ms
64 bytes from 192.168.139.254: icmp_seq=57 ttl=63 time=4.17 ms
64 bytes from 192.168.139.254: icmp_seq=58 ttl=63 time=501 ms
64 bytes from 192.168.139.254: icmp_seq=59 ttl=63 time=524 ms
64 bytes from 192.168.139.254: icmp_seq=60 ttl=63 time=547 ms
64 bytes from 192.168.139.254: icmp_seq=61 ttl=63 time=570 ms
64 bytes from 192.168.139.254: icmp_seq=62 ttl=63 time=618 ms
^C
--- 192.168.139.254 ping statistics ---
62 packets transmitted, 60 received, 3% packet loss, time 61977ms
rtt min/avg/max/mdev = 4.170/2508.759/16655.251/4408.761 ms, pipe 17

The call was answered during ping sequence 38, and lasted for 16 seconds. As soon as I pressed the end key, all the pings came through.

> What Mikrotik hardware and version are you using?

I have RouterOS 5.7 on RB751U-2HnD at home.
At work the same router for the AP's and I was using 5.5 when I first noticed the problem and I upgraded one to 5.7.
At work we also have a RB750 which is the gateway between our LAN, VLAN and WAN
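
The ping log in the post above, worked through as an added example (not part of the original post or the posters' own tooling): assuming ping's default one-second send interval, each reply's arrival time is its icmp_seq plus its RTT, and replies that were held and released together then show the same arrival time. The function names and thresholds are hypothetical.

```python
import re

# Excerpt of the ping output posted above (icmp_seq 37-56), embedded so this runs offline.
PING_OUTPUT = """\
64 bytes from 192.168.139.254: icmp_seq=37 ttl=63 time=4.34 ms
64 bytes from 192.168.139.254: icmp_seq=38 ttl=63 time=5.52 ms
64 bytes from 192.168.139.254: icmp_seq=39 ttl=63 time=16655 ms
64 bytes from 192.168.139.254: icmp_seq=40 ttl=63 time=15658 ms
64 bytes from 192.168.139.254: icmp_seq=41 ttl=63 time=14661 ms
64 bytes from 192.168.139.254: icmp_seq=42 ttl=63 time=13664 ms
64 bytes from 192.168.139.254: icmp_seq=43 ttl=63 time=12664 ms
64 bytes from 192.168.139.254: icmp_seq=44 ttl=63 time=11666 ms
64 bytes from 192.168.139.254: icmp_seq=45 ttl=63 time=10667 ms
64 bytes from 192.168.139.254: icmp_seq=47 ttl=63 time=8670 ms
64 bytes from 192.168.139.254: icmp_seq=49 ttl=63 time=6671 ms
64 bytes from 192.168.139.254: icmp_seq=50 ttl=63 time=5673 ms
64 bytes from 192.168.139.254: icmp_seq=51 ttl=63 time=4686 ms
64 bytes from 192.168.139.254: icmp_seq=52 ttl=63 time=3686 ms
64 bytes from 192.168.139.254: icmp_seq=53 ttl=63 time=2687 ms
64 bytes from 192.168.139.254: icmp_seq=54 ttl=63 time=1694 ms
64 bytes from 192.168.139.254: icmp_seq=55 ttl=63 time=695 ms
64 bytes from 192.168.139.254: icmp_seq=56 ttl=63 time=4.35 ms
"""

LINE_RE = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")


def parse_replies(text):
    """Return (seq, rtt_seconds) for every echo reply line, in printed order."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [(int(m.group(1)), float(m.group(2)) / 1000.0) for m in matches if m]


def summarize(run):
    """Describe one burst: its sequence range, longest hold time, and lost probes."""
    seqs = [seq for seq, _, _ in run]
    return {
        "first_seq": seqs[0],
        "last_seq": seqs[-1],
        "replies": len(run),
        "held_seconds": round(max(rtt for _, rtt, _ in run), 3),
        "lost": sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)),
    }


def find_release_bursts(replies, interval=1.0, gap=0.1, min_size=3):
    """Group replies that arrived within `gap` seconds of the previous one.

    Assumption: request N was sent at N * interval, so its reply arrived at
    N * interval + rtt. A run of near-identical arrival times means the frames
    were queued somewhere on the path and delivered back to back.
    """
    bursts, run = [], []
    for seq, rtt in replies:
        arrival = seq * interval + rtt
        if run and abs(arrival - run[-1][2]) > gap:
            if len(run) >= min_size:
                bursts.append(run)
            run = []
        run.append((seq, rtt, arrival))
    if len(run) >= min_size:
        bursts.append(run)
    return [summarize(r) for r in bursts]


if __name__ == "__main__":
    for burst in find_release_bursts(parse_replies(PING_OUTPUT)):
        print(burst)
```

On this excerpt the replies for icmp_seq 39 through 55 all arrive within about 40 ms of each other, after the oldest was held for 16.655 s, which lines up with the 16-second call; 46 and 48 are the two lost probes.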

Re: Cisco 7921G IP Phones

Posted: Mon Apr 23, 2012 11:56 pm
by bevhost
> Is the Mikrotik the wireless access point for the wireless phones, or do you have a separate wireless access point?
>
> If it is the Mikrotik that has wireless radio, look at the wireless hardware settings (HW Retries, quality, tx/rx power, etc)

I have looked at this and tried to change anything I thought might have any effect.

Re: Cisco 7921G IP Phones

Posted: Tue Apr 24, 2012 12:00 am
by jandafields
> > Is the Mikrotik the wireless access point for the wireless phones, or do you have a separate wireless access point?
> >
> > If it is the Mikrotik that has wireless radio, look at the wireless hardware settings (HW Retries, quality, tx/rx power, etc)
>
> I have looked at this and tried to change anything I thought might have any effect.

Try connecting a laptop to wireless, same speed as phones, and do a bit of internet surfing and see if you can get the mikrotik to lockup. This really sounds like a mikrotik hardware problem at this point.

One last thing to try is upgrade to 5.15 and then upgrade the routerboard firmware to the newest as well.

Re: Cisco 7921G IP Phones

Posted: Tue Apr 24, 2012 12:10 am
by bevhost
/interface wireless security-profiles
set default authentication-types=wpa2-psk group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=disabled \
management-protection-key="" mode=dynamic-keys name=default radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none \
static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=Q1702 tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
somthingsimple wpa2-pre-shared-key=somethingsimple
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2ghz-b/g basic-rates-a/g=6Mbps basic-rates-b=\
1Mbps bridge-mode=enabled channel-width=20mhz compression=no country=no_country_set default-ap-tx-limit=0 default-authentication=yes \
default-client-tx-limit=0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=no disconnect-timeout=3s distance=dynamic frame-lifetime=\
0 frequency=2462 frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any ht-rxchains=0 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-\
6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0 \
hw-fragmentation-threshold=disabled hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=00:0C:42:D4:A7:FC \
max-station-count=2007 mode=ap-bridge mtu=1500 name=wlan1 noise-floor-threshold=default nv2-cell-radius=30 nv2-noise-floor-offset=default \
nv2-preshared-key="" nv2-qos=default nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms periodic-calibration=default \
periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=000C42D4A7FC rate-selection=legacy rate-set=default \
scan-list=default security-profile=default ssid=beveridge station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wireless-protocol=\
802.11 wmm-support=disabled
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes \
disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 mac-address=02:0C:42:D4:A7:FC master-interface=wlan1 max-station-count=2007 mtu=1500 name=\
wlan2 proprietary-extensions=post-2.9.25 security-profile=default ssid=bever update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none \
wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:17,HT20\
-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,HT40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-7:17"
set wlan2
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
set "(unknown)"
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 receive-all=\
no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no

Re: Cisco 7921G IP Phones

Posted: Tue Apr 24, 2012 1:37 am
by bevhost
Just tried the same Handset at another site.
This site has a Billion BiPAC 7404VGO Wireless ADSL Modem Router with active VoIP Ports.

The phone works just fine here, without a Mikrotik.

Re: Cisco 7921G IP Phones

Posted: Tue Apr 24, 2012 2:10 am
by jandafields
Did you try upgrading os+fw?

Re: Cisco 7921G IP Phones

Posted: Tue Apr 24, 2012 6:57 am
by bevhost
Have just changed the Authentication from WPA2 to WPA and it appears we might have a solution.
More testing to be done.

Re: Cisco 7921G IP Phones

Posted: Thu Apr 26, 2012 2:51 am
by bevhost
Actually sometimes the problem still occurs with WPA.
Switching authentication to none works.

Re: Cisco 7921G IP Phones

Posted: Thu Apr 26, 2012 5:11 am
by bevhost
More testing has revealed that it actually has nothing to do with authentication.
Actually changing the auth mode makes it appear like it's working because it actually works when the phone is newly connected to the wireless. Changing the auth mode disconnects and reconnects the wireless association, so therefore it works for a short time.

A two phone call of about 30 seconds is possible if the phone is just newly associated with the access point. After this time, audio is heard on new calls for only about two seconds like before.

So back to square 1.

Re: Cisco 7921G IP Phones

Posted: Fri Apr 27, 2012 1:32 am
by bevhost
> Did you try upgrading os+fw?

Yes, Currently running 5.15 os and 2.38 fw

Re: Cisco 7921G IP Phones

Posted: Fri Apr 27, 2012 2:56 am
by jandafields
Dang, I hoped you had a good workaround. I think that either the card in the 751 is incompatible with the phones, or is defective.

Or, try this... use the other brand access point that you know works. Then, with your 751, make a bridge between two of the ethernet ports (bridge, not switch). This would force all the data to go through the mikrotik's system, but would bypass the mikrotik wireless radios.

If this also fails, it is a problem with the Mikrotik software. If this does not fail, then it is a problem with the Mikrotik radio hardware.

Next step in troubleshooting would be to try a different mikrotik radio card, if you have a different mikrotik router+card available. This would tell you if it is the radio that is bad/incompatible, or if it is the mikrotik operating system itself.

Re: Cisco 7921G IP Phones

Posted: Mon Apr 30, 2012 8:48 am
by bevhost
> Or, try this... use the other brand access point that you know works. Then, with your 751, make a bridge between two of the ethernet ports (bridge, not switch). This would force all the data to go through the mikrotik's system, but would bypass the mikrotik wireless radios.

So to be clear, this is what I did.
I have a TP-LINK WA701N Wireless Access Point. cost me $40 from the local PC store.
I got it working through my ethernet switch on my LAN.
Logged into winbox and went to interfaces and select ether5 and change the master port setting from ether2-master-inside to none.
Then I go to bridge1 ports which currently has wlan1 and ether2-master-inside in it and add ether5.
Then I plug the TPlink into ether 5 and wait for my phone to reconnect to the call manager.
I ring my voice mail and listen to messages for 2 minutes.
I type up this response and repeat the call to be sure it still works. It does.

In addition, please note that all the Wired Desk phones are routed through a Mikrotik device and have no such problems.
This is also true of wired phones that are bridged through a 751.
The wired desk phone at the back of the warehouse at work goes through all this...

WAN,
751G Router,
HP Procurve 2910al-24G-PoE Switch,
HP Procurve 2910al-48G-PoE Switch,
751U-2HnD Wired Bridge,
751U-2HnD Wired Bridge.

And that works ok, it's just a problem if it's wireless to the Mikrotik.
I'm not using the Switches in the 751U's because I couldn't figure out how to bridge the voice VLAN to the phone SSID in the switch, so I used a bridge.
This might be possible, I just couldn't get my head around it, and it seems to work fine in Bridge mode.

Re: Cisco 7921G IP Phones

Posted: Tue May 01, 2012 11:14 pm
by jandafields
You have narrowed it down to the 751 radio. Either defective or incompatible with the phones.

All you can do is try another mikrotik with a different card (like r52 or r52n or something) and see if it works. If so, you have your problem.

Re: Cisco 7921G IP Phones

Posted: Thu Sep 13, 2012 9:00 am
by cma1kep
bevhost
The same problem with Cisco 7921 IP phone and Mikrotik 751G.

Re: Cisco 7921G IP Phones

Posted: Wed May 15, 2013 10:08 pm
by guilhermeramires
Have you tried AES encrypt instead of TKIP?

Re: Cisco 7921G IP Phones

Posted: Thu Jul 11, 2013 9:01 pm
by stratapointe
Did anyone ever figure this out? I'm experiencing the exact same issue with the same equipment. Voice works for a few seconds and then dies.

Re: Cisco 7921G IP Phones

Posted: Fri Jul 12, 2013 11:51 pm
by jandafields
> Have you tried AES encrypt instead of TKIP?

Look at his config above. He is already using AES.

I still believe that the mikrotik radios are simply incompatible with the phones' radios.... for whatever reason.