
clearing NAT for voip sip after dual wan failover

On prior Cisco equipment with dual WAN, when redirecting or failing over our VoIP traffic from one ISP to another, it's been necessary to clear the associated network address translations (NAT) using the command below, either manually or through EEM triggers. SIP registrations and voice traffic would typically fail for a period of time until the NAT expires or the command runs. Is there an equivalent to this on XG210_WP03_SFOS 17.5.0 GA# as an example?


#clear ip nat translation ?
  *                   Delete all dynamic translations
  esp                 Encapsulating Security Payload
  forced              Delete all dynamic translations (forcefully)
  inside              Inside addresses (and ports)
  outside             Outside addresses (and ports)
  piggyback-internal  Delete all dynamic translations created off of piggyback-data
  tcp                 Transmission Control Protocol
  udp                 User Datagram Protocol
  vrf                 Clear entries of VRF instance



  • Hi momentum,


    This can be accomplished in the web UI, under "WAN Link Manager".

    You will need to have set up 2 gateways (obviously), with 1 set as "backup". Once the option of "backup" is selected, more menu items will appear. See screenshot below:

    The important thing here is that you set in your firewall rules "WAN link load balance" as your primary gateway.


    Thanks!

  • The process for configuring failover with multiple WAN connections and active/backup usage is understood, but is there an SFOS equivalent for just clearing NAT translations?

  • For just clearing the NAT translations, there is no option currently.

    You can use the "advance console" and run a conntrack deletion command if you know the NATted IP connections you want to delete. Also, there is no way to schedule this or set it as an action; it will have to be manually run at the time.

    The command that can be run is: conntrack -D -n <NAT IP address>. This will delete all connections that are being NATted to a specific IP address.

    The best way to make sure all WAN bound connections terminate is using the "WAN Link Manager".

  • Any new developments in the area of auto-flushing network address translations (NAT) for VoIP/SIP traffic as of SFOS 18.0.1 MR-1-Build396? I don't know if it's become more of a problem or the same following 17.x >> 18.x updates, but it's apparent that for Yealink + Aastra VoIP phones behind an 18.x XG with dual WAN, when the original ISP (the one that traffic to our external VoIP provider is routed to via firewall rule) goes down and then comes back up, it's necessary to clear NAT (currently via "conntrack -F", which is overkill). If that is not done, trouble reports of outside callers not hearing audio from the employee end of the conversation continue for hours after failover. The exact duration the problem would persist for without intervention is unknown because it has to be fixed when reported rather than tested.
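As an added illustration (not from any poster, nor Sophos tooling) of the narrower alternative to "conntrack -F" that the earlier reply hints at with "conntrack -D -n": parse `conntrack -L` output, keep only the UDP SIP/RTP flows still translated to the WAN address of the gateway that failed, and emit one targeted "conntrack -D" per flow. The sample table, the WAN addresses and the RTP port range are constructed assumptions, and the script only prints the commands rather than running them.

```python
import re
from ipaddress import ip_address

# Constructed sample in the `conntrack -L` line format (not captured from an
# XG). Each line shows the original tuple, then the reply tuple; with source
# NAT the reply tuple's dst= is the WAN address the flow was translated to.
SAMPLE_CONNTRACK = """\
udp      17 25 src=192.168.10.21 dst=198.51.100.5 sport=5060 dport=5060 src=198.51.100.5 dst=203.0.113.2 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 55 src=192.168.10.21 dst=198.51.100.6 sport=11784 dport=20002 src=198.51.100.6 dst=203.0.113.2 sport=20002 dport=11784 [ASSURED] mark=0 use=1
udp      17 12 src=192.168.10.40 dst=192.0.2.53 sport=41022 dport=53 src=192.0.2.53 dst=203.0.113.2 sport=53 dport=41022 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.10.40 dst=192.0.2.80 sport=50120 dport=443 src=192.0.2.80 dst=203.0.113.2 sport=443 dport=50120 [ASSURED] mark=0 use=1
udp      17 40 src=192.168.10.22 dst=198.51.100.5 sport=5060 dport=5060 src=198.51.100.5 dst=203.0.113.9 sport=5060 dport=5060 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
SIP_PORT = 5060
RTP_RANGE = range(10000, 20000)  # assumed local RTP port range of the phones


def parse_flow(line):
    """Split one `conntrack -L` line into protocol, original and reply tuples."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None  # expectation entries, headers or truncated lines
    orig, reply = tuples
    return {
        "proto": line.split()[0],
        "orig": {"src": orig[0], "dst": orig[1], "sport": int(orig[2]), "dport": int(orig[3])},
        "reply": {"src": reply[0], "dst": reply[1], "sport": int(reply[2]), "dport": int(reply[3])},
    }


def is_voice_flow(flow):
    """UDP flow on the SIP signalling port or from a phone's RTP port."""
    o = flow["orig"]
    return flow["proto"] == "udp" and (SIP_PORT in (o["sport"], o["dport"]) or o["sport"] in RTP_RANGE)


def select_stale_voice_flows(conntrack_output, old_wan_ip):
    """Voice flows still translated to the WAN address of the failed gateway."""
    old_wan_ip = str(ip_address(old_wan_ip))  # reject a mistyped address before anything is deleted
    flows = (parse_flow(line) for line in conntrack_output.splitlines())
    return [f for f in flows if f and f["reply"]["dst"] == old_wan_ip and is_voice_flow(f)]


def build_delete_commands(flows):
    """One targeted `conntrack -D` per flow instead of a global `conntrack -F`."""
    return [
        "conntrack -D -p {proto} --orig-src {src} --orig-dst {dst} "
        "--orig-port-src {sport} --orig-port-dst {dport}".format(proto=f["proto"], **f["orig"])
        for f in flows
    ]


if __name__ == "__main__":
    for cmd in build_delete_commands(select_stale_voice_flows(SAMPLE_CONNTRACK, "203.0.113.2")):
        print(cmd)
```

Only the two voice flows translated to the failed gateway's address are selected; the DNS and HTTPS entries and the flow already on the other WAN address are left alone.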

  • If you have not reported a bug or a feature, then there will be no way for this to be included.

    You obviously have some issues with the timeout values of the UDP settings.  However my previous comment of using the backup option within the multi WAN gateway still applies.

    When the backup gateway fails back when the primary/active gateway comes alive, ALL sessions are killed and served through the new gateway.

    If your VOIP provider is still trying to reach the old IP address and it's not reachable, and is refusing authentication requests from the new gateway IP, then that is something the VOIP provider will need to address.

    Alternatively, if you still think the issue lies with the XG, please open a support request so that this can be investigated.  If this does turn out to be a feature request, I would suggest you log it on https://ideas.sophos.com.

    Thanks.

  • Revisiting your points about backup WAN link settings, in the most recent example below I can see we need to change it from "Serve new connections through restored gateway" to "Serve all connections through restored gateway". This is probably the fix. Thanks

    wan link manager:
    port2 wan isp1 - Type: Active
    port4 wan isp2 - Type: Backup (now set to "Serve all connections through restored gateway")

    sd-wan policy routing for default lan>wan traffic firewall rule =
    primary = isp1
    backup = isp2

    sd-wan policy routing on firewall rule for lan-wan traffic to voip provider's network:
    primary = isp2
    backup = isp1

  • The same problem came up again at the same location following brief packet loss or connectivity failure on isp2, so "Serve all connections through restored gateway" didn't fix it. Users on site reported loss of dial tone and inability to make or receive calls indefinitely until the conntrack -F. I'm leaving voice traffic on isp1 and failover disabled for now until it can be investigated further.

    XG115w_XN02_SFOS 18.0.1 MR-1-Build396#

    console> system system_modules show
    pptp    loaded
    h323    loaded
    tftp    loaded
    irc     loaded
    sip     loaded
    dns     loaded

    console> show advanced-firewall
            Strict Policy                           : on
            FtpBounce Prevention                    : control
            Tcp Conn. Establishment Idle Timeout    : 10800
            UDP Timeout                             :
            UDP Timeout Stream                      : 60
            Fragmented Traffic Policy               : allow
            Midstream Connection Pickup             : off
            TCP Seq Checking                        : on
            TCP Window Scaling                      : on
            TCP Appropriate Byte Count              : off
            TCP Selective Acknowledgements          : on
            TCP Forward RTO-Recovery[F-RTO]         : off
            TCP TIMESTAMPS                          : off
            Strict ICMP Tracking                    : off
            ICMP Error Message                      : allow
            IPv6 Unknown Extension Header           : deny

    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            enable_appsignatures on
            http_response_scan_limit  65535
            search_method hyperscan
            sip_preproc enabled
            sip_ignore_call_channel enabled
            inspect untrusted-content