Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 6830 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

RED keepalive options for VOIP?

Krister Johnson

 

We recently moved our HQ and satellite offices to XG firewall and RED devices, respectively. Things are going swimmingly, except for VOIP traffic. VOIP calls from HQ to remote or from remote to HQ last exactly two minutes and then are dropped. I do not see anything in XG logs (IPS or otherwise) when this happens. Could there be a VPN keepalive option that I need to enable?



This thread was automatically locked due to age.
Parents
  • +1

    Go to the CLI.  (ssh to the XG).   From the menu choose option #4 Console. 

    from the cli do a : show advanced-firewall.  Check out the UDP TimeOut Stream to see if it matches your 2-3 minute time out.

     

    To change it (recommend 150  second time out for voip )  do a : set advanced-firewall udp-timeout-stream 150

     

    You may also want to disable the sip helper  perhaps... :

    system system_modules sip unload  (or load to put it back in)

     

    -Scott

  • +1 in reply to Scott_D_L

    Also one last thing in case it helps you or others as well.  We have a  Cisco Phone System. We had issues with remote voice gateways(other locations) taking in coming calls(calls register at Cisco CUCM at HQ)  We had to put in firewall bypass rules in so the XG would not try to inspect the process and interfere will call setup.  That can be done by:

     set advanced-firewall  bypass-stateful-firewall-config source_net/host X.X.X.X (HQ Voice Network tpyically) source_mask X.X.X.X  destination_net/host  X.X.X.X  (Remote  Voice Network, etc.) destination_mask X.X.X.X

    then create another rule for traffic from the opposite direction.

     

    That's what worked for us for that issue.  In your case I think just setting the udp timeout will give you what you need.

     

    -Scott

     

  • 0 in reply to Scott_D_L

    Scott,

     

    UDP timeout was set to 60, so I (surprisingly) don't think that was it. However, either unloading the sip helper or creating those bypass rules seems to have totally solved the problem. Just talked for 10 minutes with no disconnection. I did up that timeout value, though, just for good measure. THANKS!

Reply
  • 0 in reply to Scott_D_L

    Scott,

     

    UDP timeout was set to 60, so I (surprisingly) don't think that was it. However, either unloading the sip helper or creating those bypass rules seems to have totally solved the problem. Just talked for 10 minutes with no disconnection. I did up that timeout value, though, just for good measure. THANKS!

Children
No Data