Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 3487 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VoIP RTP stream not always working

Len

Hi Sophos community!

Occasionally I have an issue with my ATA where there is no audio for either party.  This happens infrequently (maybe 1 out of a 100 calls) but I need to keep my wife happy Slight smile

Here are all the details:

  • Sophos XG SFOS 18.0.4 MR-4
  • I have tried disabling 'SIP module' and 'H.323 helper'.  There seems to have been an improvement since doing this.  I've also increased the UDP timeout to 150s, though that will not help for this issue.
  • I've configured an outbound rule for the ATA to give this traffic priority, but it shares a NAT rule with all other devices.  I'm not blocking any ports.  I tried configuring a DNAT rule to forward SIP/RTP traffic to the ATA, but this didn't help.  Perhaps it should have its own NAT rule?
  • The issue occurs if the call is inbound or outbound.
  • ATA is a Cisco SPA122.  I've configured it per SIP provider's instructions.  RTP port range is 10000-19999.
  • SIP provider is Call Centric

One possibility may be that a subsequent call is made or received within the UDP timeout period and the ATA picks the same port for RTP?  It's also possible that the RTP stream comes from different servers.  If the NAT is holding a port open between a LAN device and a (WAN facing) server, would this mean that inbound traffic could only come from the same server (to the given LAN device) within the timeout window?  Maybe a longer UDP time out is not helping?

Another possible option is to let RTP use ports 10000 to 65535, though I think it's a very small chance that the ATA would consecutively pick the same port given the range of 10000.

I appreciate any help.

Thanks!



Edited TAGs
[edited by: emmosophos at 7:06 PM (GMT -7) on 7 Jun 2021]
Parents
  • 0

    Hi,

    please post your ATA access rule. For a home user you should not need to disable the helpers. Are you using Application control? You will not need a specific NAT, but maybe QOS, depends on your link speed.

    Does your rule have SIP service and I had to add ICMP to keep VoIP service happy.

    Ian

Reply
  • 0

    Hi,

    please post your ATA access rule. For a home user you should not need to disable the helpers. Are you using Application control? You will not need a specific NAT, but maybe QOS, depends on your link speed.

    Does your rule have SIP service and I had to add ICMP to keep VoIP service happy.

    Ian

Children
  • 0 in reply to rfcat_vk

    Hi Ian,

    Here's my rule for the ATA:

    This is the first rule in my list.

    Thanks for your help.

    Len

  • 0 in reply to Len

    Hi Len,

    here is my VoIP firewall rule for comparison. I have the QOS as part of the application policy.

    My IPS is tuned for blocking VPNs etc

    Ian

  • 0 in reply to rfcat_vk

    Thanks for that Ian.  Do you mind me asking a couple questions about your setup?

    • What are you using for your ATA/SIP phone?
    • What is your RTP port range?
    • Are you using any DNAT rules for VoIP?
    • In Sophos, do you have the SIP module and H.323 helper enabled?  Did you adjust the UDP timeout from default?
    • I'm assuming you have your VoIP equipment on a separate network, based on your rule.  I have all my internet devices on one network and use MAC addresses to identify in the rules.  I could try creating a separate network for my ATA in case Sophos messes up occasionally with MAC based rules.

    Appreciate your input.

    Len

  • 0 in reply to Len

    Hi,

    my current ATAs are the Telstra supplied NBN device which I only use the phone part and Linksys SPA3102. I used to run a third one using a Cisco ATA but when I had to downgrade to one ISP I cancelled that service.

    I don't have any  RTP range with the current setup, ATA when it sets up the call opens the required extra ports as part of the connection.

    I use the default XG NAT rule.

    I have my VoIP ATAs on a seperate network, but previously they were on VLAN when I only had a 2 port XG. I limit the access via clientless users and static IP assignments as well as the FQDNs of the VoIP service providers.

    When I was using VoIP on the UTM i used to get phone calls directly from scammers so that is when I started limiting what the ATAs could connect and broadcast to.

    I have not adjusted UDP timeouts for VoIP, but I do have QOS enabled in the VoIP application policy to provide the VoIP devices with approx minimum 32 to 96 KB/s of shared capacity at the best settings in the XG.

    My link is a 50/20 and my wife talks for hours to her overseas cousins while I surf and play with file transfers without complaints. She also watch streaming TV at the same time.

    Ian

  • 0 in reply to rfcat_vk

    Thanks for the info Ian.

    Apparently this is the default RTP range:

    <RTP_Port_Min ua="na">16384</RTP_Port_Min>

    <RTP_Port_Max ua="na">16482</RTP_Port_Max>

    Perhaps my understanding is wrong, but since your rule is 'outbound', only servers that your ATA has established a connection with should be able to get back to the ATA. In other words, if there are no DNAT (inbound) rules, then there shouldn't be a concern of rogue servers trying to access your ATA.  Based on this understanding, I have not limited services for my ATA.

    I may try going back to my Asus router to see if the problem goes away.

    Thanks again.

    Len

  • 0 in reply to Len

    i will expand when i get homian

  • 0 in reply to Len

    Hi Len,

    on the UTM the VoIP protocols were broadcast which enabled strange people to call my phone number hence the tightened access rules. Once bitten twice shy.

    The ATA sets up a connection to the ISP VoIP server which then allows for incoming calls to use the existing session/connection  and does not require an incoming firewall rule or NAT rule. That is why the ATA registers with the VoIP server.

    Ian