Best option for SIP failover

Status
Not open for further replies.

reincubate

IS-IT--Management
Oct 8, 2009
3
GB
We've just started a migration to SIP and I'm looking for some advice on how best to ensure reliable failover or redundancy.

The PBX is an IP Office 9.1 and the SIP trunks are provided by Gamma via a reseller. We have a Palo Alto PA-220 firewall connected to two different ISPs on two WAN interfaces. Each ISP has their own IP range. The idea is that WAN1 is a leased line, and WAN2 is a backup VDSL line. The Palo routes all traffic over WAN1 by default and automatically switches to WAN2 (by adding a new static route with a lower metric) if WAN1 loses connectivity. Once WAN1 comes back the Palo automatically removes the temporary route so all traffic goes back to WAN1.

The SIP trunks are configured on the IPO with static port blocks and the relevant ports have been opened on the firewall with a bi-directional static IP mapping to a dedicated public IP provided to us by ISP1. This IP is hard-coded into the IPO config under network topology.

This works fine as long as ISP1 is up and running. However we've recently had a couple of issues with ISP1 and that has gotten us thinking about how to implement failover.

The problem as I see it is the public IP that has to be hard-coded into the SIP packets. Although traffic fails over to WAN2 with no problem, the IPO is still putting the IP address from ISP1 into the SIP packets and thus the incoming SIP data is going to the wrong IP address.

My first thought was to use STUN to get the IPO to pick up the correct IP address. However it would appear STUN only runs once each time the IPO is rebooted. That would mean that in the event of WAN1 failing someone would have to manually reboot the IP Office in order for it to trigger STUN to pick up the correct public IP. This is clearly not ideal (although could be tolerable in a worst-case scenario if nothing else works).

Currently I'm wondering about some sort of border device. This could be a full-blown SBC or it could just be some sort of SIP proxy or B2BUA. The idea would be that we could connect ISP1 and ISP2 to two WAN ports on the border device, then connect the LAN on the IP Office to the LAN on the border device. We'd then configure the IP Office to use the LAN IP of the border device as the SIP trunk endpoint and configure our Gamma SIP trunks on the border device. The border device would need to be capable of failover so in the event ISP1 fails, the border device would re-establish the connection to Gamma using ISP2 instead. The IP Office could then happily sit there never needing to know what route traffic was using to actually go in and out of the network.

Does such a device exist? I know SBCs do, but I don't know if any of them have that sort of dual WAN failover capability (or if they do, are they stupidly expensive)? Alternatively is there a better way to provide redundancy/failover (for example can the IP Office be forced to re-poll the STUN server every few minutes?)

Thanks in advance for any suggestions.

Andrew

Reincubate - Accelerating growth of start-up & entrepreneurial businesses
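
The mismatch described in the post above can be confirmed from a packet capture. This is an added example, not part of the original post and not Avaya or Palo Alto tooling: it lists the fields of an outbound SIP request that still advertise an address other than the active WAN's public IP. The sample message, the addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration.

```python
import re

# Constructed sample: an INVITE as a PBX would send it with ISP1's public
# address set under network topology. Addresses are RFC 5737 documentation
# ranges and the numbers are fictional; none of these values are from the thread.
SAMPLE_INVITE = (
    "INVITE sip:+441632960000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK74bf9\r\n"
    "From: <sip:+441632960111@198.51.100.10>;tag=9fxced76sl\r\n"
    "To: <sip:+441632960000@sip.example.net>\r\n"
    "Call-ID: 3848276298220188511@198.51.100.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:+441632960111@198.51.100.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 198.51.100.10\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.10\r\n"
    "t=0 0\r\n"
    "m=audio 49152 RTP/AVP 8\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Headers that tell the far end where to send responses and later requests.
ROUTING_HEADERS = ("via", "contact")

def advertised_addresses(message):
    """Return [(field, ip)] for addresses the far end will send traffic to."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ROUTING_HEADERS:
            found += [(name.strip(), ip) for ip in IPV4.findall(value)]
    for line in body.split("\r\n"):
        if line.startswith("c="):                # SDP connection (RTP) address
            found += [("SDP c=", ip) for ip in IPV4.findall(line)]
    return found

def stale_after_failover(message, active_wan_ip):
    """Fields still advertising an address other than the active WAN's."""
    return [(f, ip) for f, ip in advertised_addresses(message) if ip != active_wan_ip]

if __name__ == "__main__":
    # 203.0.113.20 stands in for the backup line's public IP (constructed).
    print(stale_after_failover(SAMPLE_INVITE, "203.0.113.20"))
```

An empty result while the primary line is active and a non-empty one after failover is the condition the post describes: signalling replies and RTP are being directed to the address of the link that is down.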
 
You can do this with Gamma active standby; speak to your business partner.
 
How would that work with the IP Office? I presume we could set up the standby trunk as a different SIP line but you'd still have the problem of it having the wrong IP address sent in the SIP packets as that's hard-coded on the LAN interface on the IP Office? Or am I being thick...

Reincubate - Accelerating growth of start-up & entrepreneurial businesses
 
Not sure if this helps but the docs say

When selected, the system will rerun STUN discovery whenever the system is rebooted or connection failure to the SIP server occurs.
 
Does the Palo-Alto do SIP transformations?

Whilst we usually turn it off and use network topology we have one customer with this type of setup and for them we do not use network topology but instead use SIP transformations to amend the SIP packets from the IPO to include the public IP instead of the private one, and the main benefit is the firewall adds the IP of whichever Internet connection the SIP is using at that time (be it primary or secondary connection).

But then this is using a Voiceflex SIP trunk on username/password authentication and not IP authentication. With a Gamma trunk in this scenario you would still need to update the Gamma portal with the change of public IP address.

| ACSS SME |
 
Best option for failover is an ISDN trunk.

That way you have a route that is completely independent from Internet/data network and/or Gamma failures.


Do things on the cheap & it will cost you dear
 
Thanks for the suggestions. I had turned off the ALG on the Palo Alto but it may be worth seeing if it will rewrite the packets properly (although I know most ALGs are pretty rubbish at doing that properly). The whole idea is to replace our existing ISDN30 so it wouldn't really make much sense keeping ISDN as a backup, although we are going to keep an analog line or two around in case of emergency. I'm also future-proofing as ISDN is on the way out (although I'll believe the 2025 deadline when I see it!)

I'll get our reseller to speak to Gamma to see if they have any options, even if it's as simple as registering our backup IP address against our SIP trunk or having a second trunk ready to be spun up on that IP.

If we did go the SBC or SIP proxy route can anyone recommend any decent but affordable kit? I've heard people say good things about the AudioCodes devices...

Reincubate - Accelerating growth of start-up & entrepreneurial businesses
 