I have an issue that has plagued us since version 6.x, and all versions of 7.x so far.
Here is our setup.
SIP PBX is co-located outside of our network on a public address.
SIP phones (Cisco 7940) are DHCP clients on the internal network.
I have setup VOIP Security for SIP and configured it with my PBXs address and the LAN Network in the settings. All phone work as expected. However if I reboot Astaro, most of my phones stop working. They are unable to register with the PBX. Here are two example phones after a reboot:
Phone 1: 192.168.1.110 - Not working
Phone 2: 192.168.1.120 - Working
If I switch the IP addresses around then I get the following:
Phone 1: 192.168.1.120 - Working
Phone 2: 192.168.1.110 - Not working
As you can see the problem follows the IP address.
I did some other experimenting with the non-working (192.168.1.110) IP address. I assigned it to my local interface on my laptop and then tried to browse the web, which worked just fine. But when I tried to run my software based SIP client it failed to connect. The non-working phones can still connect to the TFTP server on startup and can access other phone features such as a directory via HTTP, but cannot make or receive phone calls.
The only thing I can see that the phones (that don't work after a reboot) have in common are that they might have been used recently (relative to the reboot of ASL) to make calls.
What we normally do to remedy the problem is set any phone that doesn't work to an IP address in a reserved range temporarily to get it working. Then a few days later we switch them back to DHCP (most of the phones end up getting their same addresses they had before the reboot) and they continue to work. (Or we totally forget until the next time we need to reboot ASL and the phones stop working again and we switch any static IPs back to DHCP and vice versa)
While this is happening I cannot see any dropped packets in the packet filter log.
Any ideas what I am doing wrong here?
Other configuration on the ASL:
Mail Security:
Simple SMTP configuration mode, routing two domains to one mail server.
Default Virus, Spam config
Network Security:
A couple of server setup behind DNAT for HTTP and MS Terminal Server.
UPDATE: 01/23/2009
I was experiencing issues with the Process and RAM being pegged at almost 100% and our two T1s also being maxed out. I investigated but was unable to determine the cause. I went ahead and updated to the most recent version and rebooted. As expected my SIP issue occurred again. This time I attempted to add a packet filter rule (PBX -> All -> All - Allow) to see if that would remedy the problem. It did not work, but while watching the packet filter log I noticed something interesting. I kept seeing packets coming from our PBX and going to the astaro public interface being dropped as "Default drop" even with an explicit rule in place to allow them. The odd thing is, I also saw packets (highlighted in grey) being allowed to and from my PBX at the same time. It's as if there is some weird selective rule hidden somewhere that only applies to some IP addresses.
This thread was automatically locked due to age.