Wan Failover + 3CX Issue

Hi all, 

I have an issue with WAN failover and the 3CX phone systems we deploy. Most of these systems are deployed so the network looks like the below:

Bridged Modem & 4G Modem ---> Sophos XG or Unifi USG ---> Rest of the network.

If the primary WAN connection fails, the 4G connection takes over flawlessly. The issue comes in when the primary connection comes back online: seemingly all connections except for the phone system revert to the primary WAN. Sometimes they will revert after a couple of days; other times I have to physically unplug the 4G (even rebooting the handsets doesn't resolve the issue).

This issue occurs on both the USG and the XG Firewall when set to "Serve new connections through restored gateway", even with customized weights. When set to "Serve all connections through the restored gateway" this issue doesn't occur, but it drops any active calls when the primary connection comes back online.

Any help or guidance with this issue is greatly appreciated.



This thread was automatically locked due to age.
  • Hi Ashley Polst,

    I guess that the reason for this behaviour might be that there is an "always on" connection between something internal in the LAN and the internet part of the phone system. The other connections (e.g. HTTPS, downloads, ...) revert to the primary connection because they time out after some time when not being used.

    If the primary fails, this works seamlessly as both types of connections are re-established through 4G.

    Possible solutions could be to disconnect the 4G once a day (e.g. at night when nobody is using it) or try to kill the connections to the internet part of your phone system.

    Regards,
    BeEf

  • Hi Bernd, 

    For the first part of your reply, is there anywhere I might be able to see this connection active from Sophos Central? I have checked the packet capture tool and the live connections and nothing immediately jumped out at me. Any ideas?

    Might be a strange question, but is there any way to schedule disabling an interface or killing a connection from Sophos Central? The issue is that one of these 4G connections is set up halfway across the country and I don't have any way to access it remotely, haha.

    Thanks for your response.

  • Don't you see a connection to (or from) the internet part of 3cx in your live connections? 

    There is a conntrack tool on the cli. I am not sure whether it is possible to figure out / see how long the connection is up. There is a timeout parameter but I'd assume that it only times out if no traffic is going over it. So if my theory is correct it does not switch back from 4g to primary wan because it never reaches the timeout of the connection.
    https://community.sophos.com/xg-firewall/f/recommended-reads/117389/sophos-xg-cli-troubleshooting-tools

    I don't know whether there is a way to do a scheduled disconnect on the 4g. Maybe on the internet phone system. Or if 4g has a dedicated WAN interface it would be at least possible to shut it down manually.

    What part of the phone system is internal to your network? I guess only the phones? Or is there a SIP trunk between internal device or PBX and the internet part? I assume that all permanent connections will go from internal to internet. But I am not sure. You should know.
     
    Here in my home installation I could easily disconnect the "primary connection" (there is only one) on my FritzBox (e.g. each day at 04:30).

  • Hi Bernd, 

    I originally didn't see the connections because they were listed as "Other application". They are there, but I wasn't able to find a timeout in Sophos Central. I have a conntrack output which lists a timeout, but I'm not 100% sure if it's in seconds; I'm not super familiar with conntrack.

    The phones are internal and the phone system is cloud hosted. My belief now is that the registration between the phones and the phone system isn't closing. I have another issue where, if the Sophos firewall is rebooted or shut down, when it comes back online the phones won't register again until they are rebooted.

    conntrack -L -s 192.168.2.22 -d xxx.xxx.xxx.xxx
    proto=udp proto-no=17 timeout=57 orig-src=192.168.2.22 orig-dst=xxx.xxx.xxx.xxx orig-sport=5075 orig-dport=5060 packets=71846 bytes=31815970 reply-src=13.72.243.106 reply-dst=192.168.10.126 reply-sport=5060 reply-dport=5075 packets=47686 bytes=25767321 [ASSURED]
     
    Below is the Sophos-specific information, likely not relevant, but I'll leave it here just in case.
    mark=0x8002 use=2 id=1179159040 masterid=0 devin=Port1 devout=Port3 nseid=0 ips=12 sslvpnid=0 webfltid=13 appfltid=0 icapid=0 policytype=1 fwid=5 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x3f sigoffload=0 inzone=1 outzone=2 devinindex=6 devoutindex=8 hb_src=0 hb_dst=0
    flags0=0x10800a000020000a flags1=0x5e002a04058 flagvalues=1,3,21,41,43,55,60,67,68,70,78,85,87,89,101,102,103,104,106 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:d9:39:3c src_mac=80:5e:c0:ad:27:93 startstamp=1613456474
    microflowid[0]=1047 microflowrev[0]=20 microflowid[1]=504 microflowrev[1]=24 hostrev[0]=190 hostrev[1]=183 ipspid=0 diffserv=0 loindex=8 tlsruleid=0 ips_nfqueue=1 sess_verdict=2 gwoff=0 cluster_node=0 current_state[0]=7754 current_state[1]=7754 vlan_id=0 inmark=0x0 brinindex=0 sessionid=2413 sessionidrev=29400 session_update_rev=4 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=15 nhop_id[1]=2 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=18446612133493377536 conn_fp_rev=0
    conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
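The two technical points above (Bernd's theory that a UDP flow whose timeout keeps being refreshed never gets re-evaluated for the restored gateway, and the conntrack entry Ashley posted with timeout=57) can be checked and acted on from the conntrack output itself. The following is an added example, not code from this thread or from Sophos: it parses lines in the key=value shape of the XG `conntrack -L` output, identifies UDP flows to the SIP signalling port that have reached ASSURED state, and builds the `conntrack -D` command that would delete each one so the phone's next REGISTER is a new connection. The sample flows are constructed with documentation addresses; the SIP port (5060) and the assumption that the firewall's shell has conntrack-tools are mine, and the commands are only printed, not executed.

```python
"""Find the long-lived SIP registration flow in `conntrack -L` output and
build the command that would delete it, so the phone's next REGISTER is a
new connection that the restored primary gateway gets to serve."""
import re
from typing import Any, Dict, List

# Constructed sample in the key=value shape of the XG conntrack output posted
# above (RFC 5737 documentation addresses; the flows are made up, not captured).
SAMPLE_CONNTRACK = """\
proto=udp proto-no=17 timeout=57 orig-src=192.168.2.22 orig-dst=203.0.113.10 orig-sport=5075 orig-dport=5060 packets=71846 bytes=31815970 reply-src=203.0.113.10 reply-dst=192.168.2.22 reply-sport=5060 reply-dport=5075 packets=47686 bytes=25767321 [ASSURED] mark=0x8002 use=2
proto=tcp proto-no=6 timeout=431999 state=ESTABLISHED orig-src=192.168.2.50 orig-dst=203.0.113.20 orig-sport=51234 orig-dport=443 packets=120 bytes=9000 reply-src=203.0.113.20 reply-dst=192.168.2.50 reply-sport=443 reply-dport=51234 packets=110 bytes=80000 [ASSURED] mark=0x0 use=1
proto=udp proto-no=17 timeout=12 orig-src=192.168.2.22 orig-dst=192.168.2.1 orig-sport=44321 orig-dport=53 packets=1 bytes=60 reply-src=192.168.2.1 reply-dst=192.168.2.22 reply-sport=53 reply-dport=44321 packets=1 bytes=120 mark=0x0 use=1
"""

FIELD_RE = re.compile(r"(?P<key>[\w-]+)=(?P<val>\S+)")


def parse_flow(line: str) -> Dict[str, Any]:
    """Turn one conntrack line into a dict.

    packets= and bytes= appear twice: the first pair belongs to the original
    direction, the second (everything from reply-src onwards) to the reply
    direction, so they are prefixed to keep both."""
    flow: Dict[str, Any] = {}
    direction = "orig"
    for m in FIELD_RE.finditer(line):
        key, val = m.group("key"), m.group("val")
        if key == "reply-src":
            direction = "reply"
        if key in ("packets", "bytes"):
            key = f"{direction}-{key}"
        flow[key] = val
    # [ASSURED] means traffic was seen in both directions; the entry is then
    # kept until its timeout runs out instead of being evicted early.
    flow["assured"] = "[ASSURED]" in line
    # timeout= is the remaining lifetime in seconds. Every packet on the flow
    # resets it, so a phone that re-REGISTERs or sends keepalives faster than
    # the UDP stream timeout keeps the entry alive indefinitely.
    flow["timeout"] = int(flow.get("timeout", "0"))
    return flow


def parse_conntrack(text: str) -> List[Dict[str, Any]]:
    return [parse_flow(line) for line in text.splitlines() if "proto=" in line]


def is_sticky_sip_flow(flow: Dict[str, Any], sip_port: str = "5060") -> bool:
    """A UDP flow to the SIP signalling port that has reached ASSURED state:
    this is the registration the phones keep alive across the failback."""
    return (
        flow.get("proto") == "udp"
        and flow.get("orig-dport") == sip_port
        and flow["assured"]
    )


def delete_command(flow: Dict[str, Any]) -> str:
    """conntrack-tools delete command matching exactly this 5-tuple."""
    return " ".join([
        "conntrack", "-D",
        "-p", flow["proto"],
        "--orig-src", flow["orig-src"],
        "--orig-dst", flow["orig-dst"],
        "--orig-port-src", flow["orig-sport"],
        "--orig-port-dst", flow["orig-dport"],
    ])


def sticky_sip_delete_commands(text: str) -> List[str]:
    """Delete commands for every sticky SIP flow found in conntrack output."""
    return [delete_command(f) for f in parse_conntrack(text) if is_sticky_sip_flow(f)]


if __name__ == "__main__":
    for flow in parse_conntrack(SAMPLE_CONNTRACK):
        print(f"{flow['proto']:4} {flow['orig-src']}:{flow['orig-sport']} -> "
              f"{flow['orig-dst']}:{flow['orig-dport']} timeout={flow['timeout']}s "
              f"assured={flow['assured']} sticky={is_sticky_sip_flow(flow)}")
    for cmd in sticky_sip_delete_commands(SAMPLE_CONNTRACK):
        print("would run:", cmd)
```

On a real box the input would come from `conntrack -L -p udp --orig-port-dst 5060` and the printed command would be run as root; deleting the registration entry only drops signalling, so the handset re-registers on its next REGISTER and, with "Serve new connections through restored gateway", that new flow is routed via the primary WAN. Active calls use separate RTP flows that this does not touch, but doing it at night, as suggested above, avoids a missed registration during the day. Whether a scheduled job survives on the XG shell or can be driven from Sophos Central is not something this thread establishes.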