Session work 2026-05-04: Grabb Leap calendar fix, Dataforth lobby phone VLAN, IMC printer + VPN
- Grabb & Durando: investigated and resolved Svetlana Larionova's Leap-to-M365 calendar OAuth consent issue (Graph-side report + session log). Syncro #32245.
- Dataforth: lobby phone (ext 201) was offline due to D1-Server-Room port 1 being on the wrong VLAN; reconfigured to VLAN 100, phone re-provisioned and registered. Session log + PROJECT_STATE update. Syncro #32246.
- Instrumental Music Center: Station 2 receipt printer reconnect + VPN install on Manda's machine. Syncro #32247.
- Memory: generalized the Syncro blank-contact rule (was Cascades-only) and added the labor-type rule (never use "Prepaid project labor") per Winter's 2026-05-04 corrections.
- Gitignored `.claude/tmp/` so per-session helper scripts don't sneak in.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,68 @@
|
||||
# Dataforth — Lobby Phone Offline (VLAN/Switch Port Fix)
|
||||
|
||||
**Date (UTC):** 2026-05-04
|
||||
**Tech:** Howard Enos
|
||||
**Time onsite:** 0.5 hours
|
||||
**Syncro ticket:** #32246 (`109836123`), invoice #67558 (`1650188916`)
|
||||
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home (driving the PBX remotely via Tailscale)
|
||||
- **Role:** tech
|
||||
|
||||
## Summary
|
||||
|
||||
Lobby visitor phone (Cisco SPA502G, ext 201) had been offline — no dial tone, dialing extensions did nothing, displayed an incorrect date/time. Root cause: the lobby drop's switch port had been on the wrong VLAN, isolating the phone from the PBX. Fix was reconfiguring D1-Server-Room port 1 to VLAN 100. Phone immediately TFTP-pulled fresh provisioning and registered.
|
||||
|
||||
## Diagnosis path
|
||||
|
||||
1. **Phone state:** screen showed normal idle, but no dial tone. Dialing an extension just returned to home screen with no tone, ringback, or error. Wrong date/time on display — strong clue that the phone hadn't reached NTP for a while.
|
||||
2. **PBX-side check** (driven from Howard-Home over Tailscale via SSH to `192.168.100.2` with vault creds):
|
||||
- `pjsip show endpoint 201` → `Unavailable`, no contact, AOR but no registration.
|
||||
- **Zero traffic from the phone's last known IP `192.168.100.235`** in the last 2 hours of TFTP/SIP logs.
|
||||
- PBX could not ping `.235`; ARP "who-has" requests went unanswered.
|
||||
- SIP secret in `pjsip.auth.conf` for ext 201 matched the secret in the per-MAC TFTP config `spa58bfea1158b4.xml` — so credentials were not the issue.
|
||||
3. **VLAN test:** Howard plugged his laptop into the same lobby wall jack. Laptop received `192.168.0.53` (Unifi UDM main LAN). Meanwhile, the phone — after a factory reset to clear cached state — landed on `192.168.1.235` via LLDP-MED voice tagging onto Unifi's default voice VLAN (`192.168.1.0/24`). Neither matches the production voice/PBX VLAN, which is `192.168.100.0/24`.
|
||||
4. **Cable trace:** Howard followed the lobby drop back to the **D1-Server-Room switch, port 1**. That port was not configured for VLAN 100.
|
||||
|
||||
## Network topology learned
|
||||
|
||||
| Subnet | Used for |
|
||||
|---|---|
|
||||
| `192.168.0.0/24` | Unifi main LAN (UDM is at `192.168.0.254`) |
|
||||
| `192.168.1.0/24` | Unifi default voice VLAN (LLDP-MED) — NOT used for production phones in this office |
|
||||
| `192.168.6.0/24` | OpenVPN management range (per UDM config) |
|
||||
| `192.168.100.0/24` | **Production voice/PBX VLAN** — PBX on `.196` (and `.2` aliased), all production phones |
|
||||
| `10.208.107.116/30` | PBX `ens224` secondary interface |
|
||||
|
||||
Working office phones live on `192.168.100.x` directly. The Unifi-default voice VLAN (`192.168.1.x`) is not wired to anything that can reach the PBX.
|
||||
|
||||
## Fix
|
||||
|
||||
Reconfigured **D1-Server-Room port 1** to VLAN 100. After replug:
|
||||
|
||||
- Phone DHCP'd `192.168.100.235`.
|
||||
- TFTP fetched `/spa502G.cfg` (12:29:40 PDT) and per-MAC `/spa58bfea1158b4.xml` (12:30:40 PDT).
|
||||
- SIP REGISTER → 401 Unauthorized → REGISTER (auth) → 200 OK at 12:31:42 PDT.
|
||||
- `pjsip show endpoint 201` → `In use`, contact `201/sip:201@192.168.100.235:5060` Avail, RTT 22ms.
|
||||
- NTP sync brought date/time current.
|
||||
|
||||
## Recommendation for Mike / Dataforth IT
|
||||
|
||||
- **Audit other Unifi-managed switch ports** for voice drops to ensure they all stay tagged on VLAN 100. A port that reverts to defaults will silently isolate any phone plugged into it (untagged main LAN for laptops, LLDP-MED voice tag onto `192.168.1.x` for phones — neither reaches the PBX). The wrong date/time is the canary; check that on phones that have been complained about.
|
||||
- **D1-Server-Room port 1** should stay tagged on VLAN 100. If config drifts, the lobby phone goes silent again.
|
||||
|
||||
## Tools / accounts touched
|
||||
|
||||
- SSH to PBX (`sangoma@192.168.100.2`) via Tailscale + paramiko (vault creds).
|
||||
- No production config changes on the PBX itself (read-only diagnostics there).
|
||||
- Switch port config change: D1-Server-Room port 1 → VLAN 100 (changed from whatever it was before — not captured; assumed default Unifi profile).
|
||||
|
||||
## Tools `not` touched
|
||||
|
||||
- UDM controller (`192.168.0.254`) — has 2FA push enabled and was not accessed during this work. The switch port change was made by Howard via direct switch access.
|
||||
|
||||
## Artifacts
|
||||
|
||||
- TFTP config file confirmed correct: `/tftpboot/spa58bfea1158b4.xml` on PBX (mtime 2026-04-23 — was already current; no FreePBX-side change needed).
|
||||
- pjsip auth password matches XML password (md5 hash form `4b57418f0a921fbce9d1bee10b6084e5`).
|
||||
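Review bot: the last bullet under "Artifacts" commits the md5 hash form of the ext 201 SIP password to the repository, and that value should not be in version control. An unsalted MD5 of a SIP secret can be guessed offline by anyone with read access to the repo or its history, and if this is the digest-auth hash that pjsip stores, it works as the credential itself. Suggest rewording the bullet to record only the result, for example "pjsip auth password matches XML password (compared on the PBX, value not recorded)", and rotating the ext 201 secret since the hash is now in history. A smaller point in "Tools / accounts touched": the previous configuration of D1-Server-Room port 1 is noted as "not captured; assumed default Unifi profile". Since the recommendation section asks for a drift audit of other ports, it would help to record the before-state of a port prior to changing it so later drift can be compared against a known value.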