reincubate
IS-IT--Management
We've just started a migration to SIP and I'm looking for some advice on how best to ensure reliable failover or redundancy.
The PBX is an IP Office 9.1 and the SIP trunks are provided by Gamma via a reseller. We have a Palo Alto PA-220 firewall connected to two different ISPs on two WAN interfaces. Each ISP has their own IP range. The idea is that WAN1 is a leased line, and WAN2 is a backup VDSL line. The Palo routes all traffic over WAN1 by default and automatically switches to WAN2 (by adding a new static route with a lower metric) if WAN1 loses connectivity. Once WAN1 comes back the Palo automatically removes the temporary route so all traffic goes back to WAN1.
The SIP trunks are configured on the IPO with static port blocks and the relevant ports have been opened on the firewall with a bi-directional static IP mapping to a dedicated public IP provided to us by ISP1. This IP is hard-coded into the IPO config under network topology.
This works fine as long as ISP1 is up and running. However we've recently had a couple of issues with ISP1 and that has gotten us thinking about how to implement failover.
The problem as I see it is the public IP that has to be hard-coded into the SIP packets. Although traffic fails over to WAN2 with no problem, the IPO is still putting the IP address from ISP1 into the SIP packets, and thus the incoming SIP data is going to the wrong IP address.
My first thought was to use STUN to get the IPO to pick up the correct IP address. However it would appear STUN only runs once each time the IPO is rebooted. That would mean that in the event of WAN1 failing someone would have to manually reboot the IP Office in order for it to trigger STUN to pick up the correct public IP. This is clearly not ideal (although could be tolerable in a worst-case scenario if nothing else works).
Currently I'm wondering about some sort of border device. This could be a full-blown SBC or it could just be some sort of SIP Proxy or B2BUA. The idea would be that we could connect ISP1 and ISP2 to two WAN ports on the border device, then connect the LAN on the IP Office to the LAN on the border device. We'd then configure the IP Office to use the LAN IP of the border device as the SIP trunk endpoint and configure our Gamma SIP trunks on the border device. The border device would need to be capable of failover so in the event ISP1 fails, the border device would re-establish the connection to Gamma using ISP2 instead. The IP Office could then happily sit there never needing to know what route traffic was using to actually go in and out of the network.
Does such a device exist? I know SBCs do, but I don't know if any of them have that sort of dual WAN failover capability (or if they do, are they stupidly expensive)? Alternatively is there a better way to provide redundancy/failover (for example can the IP Office be forced to re-poll the STUN server every few minutes?)
Thanks in advance for any suggestions.
Andrew
Reincubate - Accelerating growth of start-up & entrepreneurial businesses
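The address mismatch described in the post above can be confirmed from a packet capture. The following is an added example, not part of the original post and not Avaya or Gamma code: it scans a SIP request for the fields a remote peer uses to send replies, later requests and RTP back (Via, Contact, SDP `c=`) and reports any that do not carry the currently active WAN address. The function name, the sample INVITE and all addresses (documentation ranges) are constructed assumptions, and folded headers are not handled.

```python
import re

# Constructed sample: an outbound INVITE as it might look after failover to WAN2
# while still carrying the ISP1 address (documentation-range IPs, not real ones).
SAMPLE_INVITE = (
    "INVITE sip:01632960000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:01632960001@203.0.113.10>;tag=1928301774\r\n"
    "To: <sip:01632960000@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:01632960001@203.0.113.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 49152 RTP/AVP 8\r\n"
)

# Dotted-quad matcher that will not start or stop in the middle of a longer number.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Via and Contact, plus their compact forms "v" and "m".
ROUTING_HEADERS = {"via", "v", "contact", "m"}


def stale_address_fields(message, active_wan_ip):
    """Return (field, address) pairs whose IPv4 address differs from active_wan_ip."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ROUTING_HEADERS:
            findings += [(name.strip(), ip) for ip in IPV4.findall(value)
                         if ip != active_wan_ip]
    for line in body.split("\r\n"):
        if line.startswith("c="):                 # SDP connection address (RTP target)
            findings += [("SDP c=", ip) for ip in IPV4.findall(line)
                         if ip != active_wan_ip]
    return findings


if __name__ == "__main__":
    # 198.51.100.20 stands in for the WAN2 (ISP2) public address.
    for field, ip in stale_address_fields(SAMPLE_INVITE, "198.51.100.20"):
        print(f"{field}: advertises {ip}, not the active WAN address")
```

Run against a capture taken on the firewall's outside interface during a failover test, an empty result means the signalling and media addresses already match the active link.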