
VOIP Traffic Guarantee

Hi All,

 

I have a customer for whom we have added a guarantee for VOIP traffic of 2Mb out of a 20Mb/20Mb connection. I have set the traffic shaping under System Services -> Traffic Shaping as follows:

 

 

I have also added a policy to limit web traffic in/out in order to reduce the download traffic so VOIP traffic always has some guaranteed inbound, as below:

 

The VOIP policy looks as follows:

 

I have created a VOIP firewall rule from the phone system outbound to guarantee the VOIP / RTP ports. The web policy is on the default firewall rule.

 

Let me know your thoughts. I have also disabled SIP ALG as I have always had issues with it. I have logged a support case but am not getting much love.

 

Cheers,

 

Adrian



  • Hi, thanks for checking over that. We can see the policy being applied (live connections in diagnostics); however, the customer still appears to be having voice quality issues with VOIP. I am unable to show the customer how much of the 2Mb we have guaranteed is in use in megabits / kilobytes, so I have no way to show at high-usage times that it's working correctly to prove the firewall is doing its job.

    Also, if we have shaped the web traffic it really should mitigate the quality issues; however, I still see in the live graphs that the WAN link is fully utilised at times. I am having a hard time narrowing down from the live traffic graphs what is utilising this bandwidth.

    Cheers,

    Adrian

  • Hi Adrian,

    I cannot comment on why the WAN link is fully utilized and where, but if the customer is facing bad quality via VoIP then you may try this command in the XG's console:

    set advanced-firewall udp-timeout-stream 150

    Why? Because Sophos XG Firewall has a default UDP time-out of 60 seconds, which is usually too low for reliable VoIP communication. Usually, the VoIP provider declares a recommended UDP time-out for the best experience. 150 seconds should be a good value for most VoIP scenarios.

    Hope that helps.

  • Hi Sachin,

     

    Thanks for that; however, we already have this implemented. Any suggestions on how to observe the traffic shaping besides "system diagnostics utilities bandwidth-monitor"? I really need something that shows the breakdown and the shaping being done, and what part of the guaranteed bandwidth is utilised. Let me know if there are any other tools or reports that would help with this, or if you need me to clarify the configuration further.

     

    Console> show advanced-firewall
            Strict Policy                           : on
            FtpBounce Prevention                    : control
            Tcp Conn. Establishment Idle Timeout    : 10800
            UDP Timeout Stream                      : 150
            Fragmented Traffic Policy               : allow
            Midstream Connection Pickup             : off
            TCP Seq Checking                        : on
            TCP Window Scaling                      : on
            TCP Appropriate Byte Count              : on
            TCP Selective Acknowledgements          : on
            TCP Forward RTO-Recovery[F-RTO]         : off
            TCP TIMESTAMPS                          : off
            Strict ICMP Tracking                    : off
            ICMP Error Message                      : allow
            IPv6 Unknown Extension Header           : deny

            Bypass Stateful Firewall
            ------------------------
             Source              Genmask             Destination         Genmask

            NAT policy for system originated traffic
            ---------------------
            Destination Network     Destination Netmask     Interface       SNAT IP

    console>
  • How does WAN IP ping latency look when monitored from an external location, ideally between the VoIP provider's WAN IP and the client location's WAN IP?

    We've used third-party NetFlow collectors/analyzers to get visual traffic breakdowns on our equipment from other vendors, to identify what's saturating available bandwidth and causing latency spikes, or saturating hard limits we've set and causing slowdowns for other traffic. I haven't tried NetFlow yet in XG, but the concept would be the same.
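Both Adrian's question (how to show what share of the 2Mb guarantee the voice traffic is actually using, and what is filling the 20Mb link) and the NetFlow suggestion above come down to the same thing: a per-second breakdown of bytes on the wire by traffic class. The script below is an added example, not from the thread or from Sophos, that produces that breakdown offline from `tcpdump -tt -nn` text output (epoch timestamps, no name resolution) taken on a mirror port or from the firewall's packet capture. It classifies flows as VoIP (SIP on 5060/5061, or UDP in an assumed RTP range), web (80/443) or other, adds approximate IPv4/Ethernet header overhead to tcpdump's payload length, and flags seconds where VoIP exceeds its guarantee or the link is near saturation. The RTP port range, the 95% saturation threshold and the header overheads are assumptions; the sample capture is constructed, not real traffic.

```python
"""Per-second bandwidth breakdown of a tcpdump capture by traffic class.

Added example, not part of the thread or Sophos XG. Input is `tcpdump -tt -nn`
text output; output is kbit/s per second for VoIP / web / other, compared with
the 2 Mbit/s VoIP guarantee and the 20 Mbit/s link described in the post.
"""
import re
from collections import defaultdict

LINK_KBPS = 20_000            # 20 Mbit/s WAN link from the post
VOIP_GUARANTEE_KBPS = 2_000   # 2 Mbit/s VoIP guarantee from the post
SATURATION_FRACTION = 0.95    # assumption: >95 % of link rate counts as saturated

SIP_PORTS = {5060, 5061}
RTP_PORTS = range(10_000, 20_001)   # assumption: PBX's RTP range; set to the real one
WEB_PORTS = {80, 443}

# tcpdump's "length" is payload only; add approximate IPv4 + Ethernet headers (assumption).
UDP_OVERHEAD = 14 + 20 + 8    # Ethernet + IPv4 + UDP
TCP_OVERHEAD = 14 + 20 + 20   # Ethernet + IPv4 + TCP without options

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*length (?P<len>\d+))$"
)


def classify(proto, sport, dport):
    """Assign a packet to a shaping class by either endpoint port."""
    ports = {sport, dport}
    if proto == "udp" and (ports & SIP_PORTS or any(p in RTP_PORTS for p in ports)):
        return "voip"
    if proto == "tcp" and ports & SIP_PORTS:
        return "voip"                 # SIP signalling over TCP
    if proto == "tcp" and ports & WEB_PORTS:
        return "web"
    return "other"


def parse_tcpdump(lines):
    """Yield (epoch_seconds, proto, sport, dport, wire_bytes) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # ARP, ICMP, truncated lines etc. are skipped
        rest = m.group("rest")
        if rest.startswith("UDP"):
            proto, overhead = "udp", UDP_OVERHEAD
        elif rest.startswith("Flags ["):
            proto, overhead = "tcp", TCP_OVERHEAD
        else:
            continue
        yield (float(m.group("ts")), proto, int(m.group("sport")),
               int(m.group("dport")), int(m.group("len")) + overhead)


def bucket_kbps(records):
    """Return {second: {class: kbit/s}} from parsed records."""
    byte_totals = defaultdict(lambda: defaultdict(int))
    for ts, proto, sport, dport, nbytes in records:
        byte_totals[int(ts)][classify(proto, sport, dport)] += nbytes
    return {sec: {cls: b * 8 / 1000 for cls, b in per.items()}
            for sec, per in byte_totals.items()}


def report(kbps_by_sec):
    """Per-second VoIP usage against the guarantee, plus saturation flags."""
    rows = []
    for sec in sorted(kbps_by_sec):
        per = kbps_by_sec[sec]
        voip = per.get("voip", 0.0)
        total = sum(per.values())
        flags = []
        if voip > VOIP_GUARANTEE_KBPS:
            flags.append("voip-over-guarantee")   # voice is borrowing beyond its guarantee
        if total > LINK_KBPS * SATURATION_FRACTION:
            flags.append("link-saturated")
        rows.append({"second": sec, "voip_kbps": round(voip, 1),
                     "guarantee_used_pct": round(100 * voip / VOIP_GUARANTEE_KBPS, 1),
                     "total_kbps": round(total, 1), "flags": flags})
    return rows


def constructed_capture():
    """Constructed tcpdump-style lines, not a real capture: one G.711 call (50 pps,
    172-byte RTP payload) for three seconds, plus an HTTPS download burst in the
    second second that is large enough to saturate the 20 Mbit/s link."""
    lines = []
    for sec in range(3):
        for i in range(50):
            ts = 1_700_000_000 + sec + i * 0.02
            lines.append(f"{ts:.6f} IP 10.0.0.5.10010 > 203.0.113.7.20010: UDP, length 172")
        if sec == 1:
            for i in range(1800):
                ts = 1_700_000_000 + sec + i / 1800
                lines.append(f"{ts:.6f} IP 93.184.216.34.443 > 10.0.0.9.51000: "
                             "Flags [.], seq 1:1449, ack 1, win 501, length 1448")
    return lines


if __name__ == "__main__":
    for row in report(bucket_kbps(parse_tcpdump(constructed_capture()))):
        print(row)
```

On the constructed capture the call runs at about 85.6 kbit/s on the wire, roughly 4% of the 2Mb guarantee, while the download second lands above the 95% threshold and is flagged `link-saturated`; run it on a real `tcpdump -tt -nn -i <mirror-if>` dump to see whether the shaper is actually holding the web class down during the seconds the voice quality drops.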

  • Hi,

    You need to raise it as a feature request on Sophos Ideas. Alongside, there is a relevant feature request here; please vote for it if you find it similar to yours.

    Thanks,