Since upgrading to 19.0.0 we have a recurring issue where SIP connections get stuck without NAT. As best as I can tell:
- Firewall starts up, WAN connection(s) are not up yet
- PBX sends SIP packet to ISP
- Sophos XG records connection without any NAT
- WAN connections come up
- NAT is not re-evaluated, meaning SIP packets are leaving the network with internal LAN source IP instead of external WAN source IP (a security issue of its own, but not the topic of this post)
- SIP packets are sent every 30 seconds which keeps the un-NAT'd connection alive forever until the PBX is turned off for 60-3600 seconds (depending on SIP ALG on XG), or until I manually delete the connection from the conntrack tables
This never happened with 18.x.x or older.
For sites with a single static WAN, I can hardcode the NAT rule to always be the WAN IP, and that works, but for sites with a dynamic WAN IP or multiple WAN connections (Fibre + 4G backup) this doesn't work.
The best possible solution I can come up with is to create a low priority dummy backup connection that is always up, and use the "Force connections back to primary WAN" setting. I haven't tested this, as testing is difficult with this fault.
Is anyone else seeing this? Any suggestions?
Thanks
James
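As an added example (not part of the original post), here is a small checker for the symptom described above: a SIP flow from a LAN host whose conntrack reply tuple still points at the LAN address, meaning no SNAT was applied when the entry was created. It assumes the standard Linux conntrack(8) listing format and constructed sample entries; the LAN ranges and SIP ports are assumptions to adjust per site.

```python
import ipaddress
import re

# Constructed sample of conntrack(8) list output (assumed format, not taken from the
# original post). Entry 1 is a stuck, un-NAT'd SIP flow (reply dst == LAN source);
# entry 2 is a correctly SNAT'd SIP flow; entry 3 is unrelated DNS traffic.
SAMPLE_CONNTRACK = """\
udp      17 29 src=192.168.1.10 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=192.168.1.10 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=198.51.100.7 sport=5060 dport=1024 [ASSURED] mark=0 use=1
udp      17 20 src=192.168.1.12 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40000 mark=0 use=1
"""

LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed internal range(s)
SIP_PORTS = {5060, 5061}                              # assumed SIP signalling ports

# One conntrack entry carries two tuples: original direction, then reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return (proto, original_tuple, reply_tuple), or None for non-UDP/TCP lines."""
    parts = line.split()
    if not parts or parts[0] not in ("udp", "tcp"):
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    orig, reply = tuples
    return parts[0], orig, reply


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_unnatted_sip(conntrack_text):
    """Flag SIP flows from LAN hosts whose reply tuple still targets the LAN address."""
    hits = []
    for line in conntrack_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        proto, (o_src, o_dst, _o_sport, o_dport), (_r_src, r_dst, _r_sport, _r_dport) = entry
        if int(o_dport) not in SIP_PORTS or not is_lan(o_src):
            continue
        # With SNAT the reply destination is the WAN address. If it still equals the
        # original LAN source, the entry was recorded before NAT could be applied.
        if r_dst == o_src:
            hits.append((proto, o_src, o_dst, o_dport))
    return hits
```

Feeding the function the live `conntrack -L` listing, where available, gives the exact entries to delete or alert on after a WAN state change.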