This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VOIP phones randomly not ringing / UDP timeouts?

Firewall: XG210 17.5 MR7

SIP ALG helper: has been off ever since deployment (6 months ago) because we were having problems registering phones with it turned on (default)

Users: 30

Bandwidth graph: DL / UL never even over 10% of our total ISP bandwidth. We have a single ISP onsite.

Memory/CPU: Never even over 20%/5%

VLAN setup: one vlan for computers, one for voice. Computers piggyback off phones.

Issue: Recently, a few weeks ago, some phones refused to ring when they should. It got progressively worse this week.

Our voip provider Zultys showed me some logs from their end that showed that suddenly, UDP packets sent to keep each phones connection alive started dropping bad at 1:46pm yesterday (Wed 4/1) at about the same time a user reported her phone should have rang but didn't. She knew because the incoming call showed on her Desktop app, and other people got the ring in the same hunt group. It seems that the XG is shedding those connections in NAT table OR the firewall is somehow dropping the packets but I can't see anything in the Log Viewer.

I rebooted firewall and all network switches, and after that I increased the UDP timeout value from 60 to the Sophos recommended value of 150 on Tuesday, a day before the above example. I didn't reboot fw after changing that value, but don't think thats required. Support at Zultys says they still see the issues in their logs. Is it possible 150 is not enough? I saw 8x8 recommended as high as 660 which seems insanely high.

Zultys is planning to change their control communication to TCP from UDP today in 30 minutes so hopefully that helps, but I still want to know what's happening.

I have a Sophos ticket open ticket# 9802042

Edit:

Here is what the providers logs show:

Apr 01 13:48:39:298 - 2 - {0xb77ad740} [307891.547] [sip_app] <warning> Task:863.34> SIP OPTIONS retransmission timeout. peer_addr: OUR_PUBLIC_IP:5059 contact: sip:PHONE_MAC_ADDR1@10.10.30.29:5060 socket: 53 transport: UDP

Apr 01 13:48:39:342 - 2 - {0xb77ad740} [307891.591] [sip_app] <warning> Task:840.34> SIP OPTIONS retransmission timeout. peer_addr: OUR_PUBLIC_IP:5040 contact: sip:PHONE_MAC_ADDR2@10.10.30.15:5060 socket: 53 transport: UDP

Apr 01 13:48:39:342 - 2 - {0xb77ad740} [307891.591] [sip_app] <warning> Task:865.34> SIP OPTIONS retransmission timeout. peer_addr: OUR_PUBLIC_IP:5061 contact: sip:PHONE_MAC_ADDR3@10.10.30.25:5060 socket: 53 transport: UDP

During that timeframe, I have no errors in Sophos log viewer firewall, IPS sections. Could there be something I'm missing at a console level?

This thread was automatically locked due to age.

Parents

0 FormerMember over 5 years ago

Hi apalm123

Do you have IPsec site to site VPN configured on the firewall? If the IPsec tunnels are not stable, when tunnel comes up it may flush UDP connections.

Please run this command from the console : set vpn conn-remove-tunnel-up disable

To re-enable this option use this command : set vpn conn-remove-tunnel-up enable

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 ken9000 over 5 years ago in reply to FormerMember

What are the potential long-term consequences of disabling this?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ken9000 over 5 years ago in reply to FormerMember

What are the potential long-term consequences of disabling this?
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data