SIP Trunking Broken By XG V16?

I'm trying to migrate from a Sonicwall to XG115 V16.  I've been running two different SIP gateways through the Sonicwall from the same PBX, serving two different tenants.  When I move to the XG I get one way audio problems and my SIP soft phone app on my Android can no longer register through the XG. 

I tried the "system system_modules sip unload" command which didn't seem to help.  The Allworx PBX automatically rewrites the WAN-bound packet's internal address as the public address for return traffic to use, and all I ever did on the Sonicwall is enable what they call Consistent NAT.  Interestingly, when I effectively disabled that by telling it the public address to use was actually the private IP I got two way audio going on the desk phones, though calls would drop after a few seconds.  The soft phone would register but not have audio either direction.  I may be mixing up the combination of things I did, but bottom line is I need some feedback on if there are issues I'm beating my head against the wall on, or some settings I need to know about.  I saw one article referring to disabling DOS setting, but did not see that in V16.

Any ideas?



  • David,

    From the command line, use the command (drop-packet-capture "host ip") without the () and see if there is some blocked traffic for the SIP/PBX.

    Thanks

  • Luk, I will definitely try.  I was up against the wall time-wise last night and had to put the Sonicwall back in place.  I won't be back in town to try again for a couple of days.

  • Hi David,

    It seems such an issue is random in nature and also heavily dependent on the SIP module on XG. My suggestion is that, if possible, you try to configure the XG in Proxy ARP; this would work with no issues and would not depend on XG.

    You may follow the steps as per the KB article https://community.sophos.com/kb/en-us/123525

    Thanks and Regards

    Aditya Patel

  • Thanks, but your link seems to be bad.  Please give again.

  • Sorry Aditya,

    but your link is accessible only to internal Sophos Staff. Here is the public link:

    https://community.sophos.com/kb/en-us/123525

    Thanks

  • Okay, doesn't look too awful, but the big question is why?  It sounds like Sophos knows there are issues with SIP handling since it has come up in other threads.  Why don't they just fix it?  Are they planning to?  There shouldn't be workarounds for common things like SIP.  Thanks.

  • Hi David,

    The issue may occur due to NAT of the firewall rule, but that is also based on speculation, and if it works with Proxy ARP with no issue, I would suggest it needs an individual diagnosis of such an issue. By any chance, have you logged a case with Support? If so, you may private message me the SR number and the link to this thread for reference.

    Thanks and Regards

    Aditya Patel

  • Sorry, this has sat for nearly three months, but I've had other things to do, and can only do this after hours when in town, since phone service is lost each time.  I tried to implement proxy-arp to no avail - no difference.

    With one SIP trunk, if I dial in from the outside I get 2-way audio.  If I dial out, no audio either way.

    The other SIP trunk, can't dial in at all, never rings on the outside phone, eventually errors with the source carrier (Verizon wireless) saying call can't be completed as dialed.  If I dial out I get outbound audio but not inbound. 

    If I do packet captures on the firewall it shows inbound traffic processed by rule ID 0.  What is that?  I've got no rule 0.  For the second trunk it shows source and destination both on UDP 5060 repeatedly, trying over and over again, rule 0.  It seems the XG is either not sending it to the PBX for some reason, or altering the port.

    I strongly suspect something is broken in NAT.  Contacting tech support is completely useless as they have responded on other cases many hours later, literally at like 2am, and then if you try to get back to them in the morning, you MAY hear back much later in the day, and I can't leave this thing connected and the PBX down, nor spend all kinds of extra time out of town waiting for the phone to ring.  Do these guys not have a concept of time zones?

  • I never understood the proxy ARP involvement...   What IP to ARP for?

    To troubleshoot, I'd do a simultaneous capture on both the WAN and LAN links. Look into the SIP packets to see what the RTP addresses are, and make sure "symmetric" ports are being used.
    Allow outgoing RTP; on "symmetric" ports, return traffic should flow automatically.

    Make sure phones use either NAT keep-alives or a low re-register timer, so the dynamic UDP 5060 translation stays alive, allowing incoming calls (at least ringing...). And allow UDP 5060 outgoing.
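The comparison suggested in the post above (the same SIP message captured on the LAN and WAN links, checked for the RTP address and port it advertises) can be scripted. This is an added example, not part of the original thread or any Sophos or Allworx tooling; the two INVITE messages are constructed samples and the function names are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not from the thread): one INVITE as the PBX sent it,
# with a documentation-range address standing in for the PBX public IP.
LAN_INVITE = (
    "INVITE sip:15551230000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK1\r\n"
    "Contact: <sip:pbx@203.0.113.10:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 203.0.113.10\r\ns=-\r\n"
    "c=IN IP4 203.0.113.10\r\nt=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)
# Constructed WAN-side copy in which the firewall changed the media port.
WAN_INVITE = LAN_INVITE.replace("m=audio 16384", "m=audio 40002")


def sip_endpoints(msg):
    """Extract the signalling and RTP endpoints one SIP message advertises."""
    head, _, sdp = msg.partition("\r\n\r\n")
    via = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([^;\s]+)", head, re.M | re.I)
    contact = re.search(r"^Contact:.*?@([^>;\s]+)", head, re.M | re.I)
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    audio = re.search(r"^m=audio (\d+) ", sdp, re.M)
    return {"via": via and via.group(1),
            "contact": contact and contact.group(1),
            "rtp_addr": conn and conn.group(1),
            "rtp_port": audio and int(audio.group(1))}


def compare_captures(lan_msg, wan_msg):
    """Report what changed between the LAN-side and WAN-side copies."""
    lan, wan = sip_endpoints(lan_msg), sip_endpoints(wan_msg)
    findings = [f"{k} rewritten: {lan[k]} -> {wan[k]}"
                for k in lan if lan[k] != wan[k]]
    try:
        ip = ipaddress.ip_address(wan["rtp_addr"] or "")
        if any(ip in net for net in RFC1918):
            findings.append(f"WAN SDP advertises private RTP address {ip}")
    except ValueError:
        pass  # hostname or missing c= line: nothing to classify
    return findings


if __name__ == "__main__":
    for line in compare_captures(LAN_INVITE, WAN_INVITE):
        print(line)
```

An empty result means the firewall passed the advertised endpoints through unchanged, so the audio problem lies in the RTP flow or rules rather than in SIP rewriting.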

  • Yeah, my next step was to Wireshark the packets between the XG and the PBX and see if they were still at the right ports.  I ran out of time and patience last night I was there.

    The phones don't talk to the Internet, only through the PBX.

    Are you suggesting a business rule for the PBX that is LAN-WAN, in addition to the current WAN-LAN?  It's not something I've had to do on Sonicwalls, which I've done all my previous SIP trunking on, but from some other behaviors I've seen on the XG where you have to make firewall rules for things other firewalls create automatically, it may make sense.  The Sonicwalls you can just tell to use consistent NAT on VoIP traffic.

  • Indeed, you need a LAN->WAN "user network rule" for the PBX, so the PBX is allowed to set up sessions on its own.

  • Finally got back there Friday for a while and realized, yes, I'd previously tried a LAN-to-WAN PBX rule NATing to its public IP, which I'd forgotten with all the other things tried.  I also tried an outbound business rule, but the setup choices don't seem to allow that.

    One would think that with the inbound business rules, set to reflexive, that would have been enough.

    So, just to summarize, all I should need is the SIP module disabled, inbound business rules using the DNAT/Full NAT option, masquerade to the PBX public IP, reflexive, and what else?  I should add the PBX embeds the public IP in the packet for SIP so the other end returns to the public IP and not the private, if that matters. 

    The only other thing to try is packet sniffing inside the firewall. 

  • DavidPeterson said:

    Finally got back there Friday for a while and realized, yes, I'd previously tried a LAN-to-WAN PBX rule NATing to its public IP, which I'd forgotten with all the other things tried.  I also tried an outbound business rule, but the setup choices don't seem to allow that.

    One would think that with the inbound business rules, set to reflexive, that would have been enough.

    So, just to summarize, all I should need is the SIP module disabled, inbound business rules using the DNAT/Full NAT option, masquerade to the PBX public IP, reflexive, and what else?  I should add the PBX embeds the public IP in the packet for SIP so the other end returns to the public IP and not the private, if that matters. 

    The only other thing to try is packet sniffing inside the firewall. 

    David,

    I'm also an Allworx dealer and am having fits with simple deployment with my first XG appliance.  Have you found a solution?

    My issues, like yours, center around "no audio" issues.  This includes lack of audio on a Reach call on the local network between Sophos built-in WiFi and LAN (bridged together). None of this is making any sense. I'm inclined to put the Allworx in Firewall mode and run a cord around the Sophos and into the ISP's switch to use a dedicated public IP just to get things usable if I can't get this to work soon.  Ugh.

    I'd appreciate any info you have that would solve this problem.

    Gratefully,

    Earl

  • Sorry, but my solution was to put the Sonicwall back in place!  While I haven't been monitoring this forum too closely, pretty much having given up on the product until V17, AFAIK there have been no fixes since my post to address this.