# Dataforth — Lobby Phone Offline (VLAN/Switch Port Fix)

**Date (UTC):** 2026-05-04
**Tech:** Howard Enos
**Time onsite:** 0.5 hours
**Syncro ticket:** #32246 (`109836123`), invoice #67558 (`1650188916`)

## User

- **User:** Howard Enos (howard)
- **Machine:** Howard-Home (driving the PBX remotely via Tailscale)
- **Role:** tech

## Summary

Lobby visitor phone (Cisco SPA502G, ext 201) had been offline — no dial tone, dialing extensions did nothing, displayed an incorrect date/time. Root cause: the lobby drop's switch port had been on the wrong VLAN, isolating the phone from the PBX. Fix was reconfiguring D1-Server-Room port 1 to VLAN 100. Phone immediately TFTP-pulled fresh provisioning and registered.

## Diagnosis path

1. **Phone state:** screen showed normal idle, but no dial tone. Dialing an extension just returned to home screen with no tone, ringback, or error. Wrong date/time on display — strong clue that the phone hadn't reached NTP for a while.
2. **PBX-side check** (driven from Howard-Home over Tailscale via SSH to `192.168.100.2` with vault creds):
   - `pjsip show endpoint 201` → `Unavailable`, no contact, AOR but no registration.
   - **Zero traffic from the phone's last known IP `192.168.100.235`** in the last 2 hours of TFTP/SIP logs.
   - PBX could not ping `.235`; ARP "who-has" requests went unanswered.
   - SIP secret in `pjsip.auth.conf` for ext 201 matched the secret in the per-MAC TFTP config `spa58bfea1158b4.xml` — so credentials were not the issue.
3. **VLAN test:** Howard plugged his laptop into the same lobby wall jack. Laptop received `192.168.0.53` (Unifi UDM main LAN). Meanwhile, the phone — after a factory reset to clear cached state — landed on `192.168.1.235` via LLDP-MED voice tagging onto Unifi's default voice VLAN (`192.168.1.0/24`). Neither matches the production voice/PBX VLAN, which is `192.168.100.0/24`.
4. **Cable trace:** Howard followed the lobby drop back to the **D1-Server-Room switch, port 1**. That port was not configured for VLAN 100.

## Network topology learned

| Subnet | Used for |
|---|---|
| `192.168.0.0/24` | Unifi main LAN (UDM is at `192.168.0.254`) |
| `192.168.1.0/24` | Unifi default voice VLAN (LLDP-MED) — NOT used for production phones in this office |
| `192.168.6.0/24` | OpenVPN management range (per UDM config) |
| `192.168.100.0/24` | **Production voice/PBX VLAN** — PBX on `.196` (and `.2` aliased), all production phones |
| `10.208.107.116/30` | PBX `ens224` secondary interface |

Working office phones live on `192.168.100.x` directly. The Unifi-default voice VLAN (`192.168.1.x`) is not wired to anything that can reach the PBX.

## Fix

Reconfigured **D1-Server-Room port 1** to VLAN 100. After replug:

- Phone DHCP'd `192.168.100.235`.
- TFTP fetched `/spa502G.cfg` (12:29:40 PDT) and per-MAC `/spa58bfea1158b4.xml` (12:30:40 PDT).
- SIP REGISTER → 401 Unauthorized → REGISTER (auth) → 200 OK at 12:31:42 PDT.
- `pjsip show endpoint 201` → `In use`, contact `201/sip:201@192.168.100.235:5060` Avail, RTT 22ms.
- NTP sync brought date/time current.

## Recommendation for Mike / Dataforth IT

- **Audit other Unifi-managed switch ports** for voice drops to ensure they all stay tagged on VLAN 100. A port that reverts to defaults will silently isolate any phone plugged into it (untagged main LAN for laptops, LLDP-MED voice tag onto `192.168.1.x` for phones — neither reaches the PBX). The wrong date/time is the canary; check that on phones that have been complained about.
- **D1-Server-Room port 1** should stay tagged on VLAN 100. If config drifts, the lobby phone goes silent again.

## Tools / accounts touched

- SSH to PBX (`sangoma@192.168.100.2`) via Tailscale + paramiko (vault creds).
- No production config changes on the PBX itself (read-only diagnostics there).
- Switch port config change: D1-Server-Room port 1 → VLAN 100 (changed from whatever it was before — not captured; assumed default Unifi profile).

## Tools not touched

- UDM controller (`192.168.0.254`) — has 2FA push enabled and was not accessed during this work. The switch port change was made by Howard via direct switch access.

## Artifacts

- TFTP config file confirmed correct: `/tftpboot/spa58bfea1158b4.xml` on PBX (mtime 2026-04-23 — was already current; no FreePBX-side change needed).
- pjsip auth password matches XML password (md5 hash form `4b57418f0a921fbce9d1bee10b6084e5`).
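
For the switch-port audit recommended above, the check used in the diagnosis (which subnet did the device on the drop land in?) can be scripted. This is an added example, not part of the original ticket notes: the subnets come from the topology table, while the `example-switch` port labels and the sample inventory are constructed.

```python
import ipaddress

# Subnets taken from the "Network topology learned" table in these notes.
VOICE = "production voice/PBX VLAN 100"
NETWORKS = {
    VOICE: ipaddress.ip_network("192.168.100.0/24"),
    "Unifi main LAN (untagged)": ipaddress.ip_network("192.168.0.0/24"),
    "Unifi default voice VLAN (LLDP-MED)": ipaddress.ip_network("192.168.1.0/24"),
    "OpenVPN management range": ipaddress.ip_network("192.168.6.0/24"),
}


def classify(ip_text):
    """Return the name of the documented subnet containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except (ValueError, AttributeError):
        return None
    return next((name for name, net in NETWORKS.items() if ip in net), None)


def audit_voice_drops(drops):
    """drops: (port_label, observed_phone_ip or None). Returns findings for drops off VLAN 100."""
    findings = []
    for port, ip_text in drops:
        if not ip_text:
            findings.append((port, "no lease observed: phone offline or port down"))
            continue
        where = classify(ip_text)
        if where is None:
            findings.append((port, f"{ip_text}: invalid or not in any documented subnet"))
        elif where != VOICE:
            findings.append((port, f"{ip_text}: on {where}, not the production voice VLAN"))
    return findings


# Constructed inventory; only the first port label and the .235 / .53 addresses appear in the notes.
SAMPLE = [
    ("D1-Server-Room port 1", "192.168.1.235"),   # state seen before the fix
    ("example-switch port 7", "192.168.100.210"), # healthy phone, not reported
    ("example-switch port 8", "192.168.0.53"),    # drop on the untagged main LAN
    ("example-switch port 9", None),              # nothing leased
    ("example-switch port 10", "not-an-ip"),      # bad inventory entry
]

if __name__ == "__main__":
    for port, finding in audit_voice_drops(SAMPLE):
        print(f"{port}: {finding}")
```
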