Configuring SIP Trunks on LAN2 of IP Office 500v2

CTravel

IS-IT--Management
Nov 18, 2010
23
GB
Hi,

I've had no end of problems with getting my IPO500v2 working with SIP behind my NAT firewall (registration and audio), so have decided to give it a Public IP on LAN2.

I thought this would solve my problems.
However:

1) SIP registration appears to be holding up ok
2) Some calls work as expected, others there is no audio.

I have LAN2(WAN) using the Avaya Firewall Profile.
Not knowing much about how this works in relation to the Avaya internal services, I have it set as default (to allow Out).

I have also set up a custom rule which allows bothway communication between the specific IP of the SIP Server and the IPO.

Since I can't find any information on how to configure this, I believe this to be the problem.


Can anyone help? (It's not as easy as choosing UDP/TCP + specific ports - well not to me)

Thanks in advance
 
Ask your provider which port range they use for the RTP stream. NAT that range from external to the internal ip of the IPO.

So to register, port 5060 needs to be forwarded, but also a range for the RTP stream.

Some use 10000 - 15000 or 30000 - 31000.

The way you have it now (IPO public IP), no need to do NAT. Is the Firewall enabled on the LAN2? If so, turn it off. Sure there are no NAT translations anymore? Reboot the router hangs when changing NAT rules. Also check in the trace from Sysmon if you send the internal IP address; if so, then you forgot to enter the public IP on the LAN2 port.

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged
___________________________________________
 
Hello,

Thanks for coming back to me.
As I've got it on LAN2, I'll try to see this out, and if not I will have to revert to the NAT solution.

So, if I turn the firewall off on LAN2, how do I prevent access to the configuration or status information (other than password)?

Thank you


This is the page the provider gives for firewall information:
 
^ Ask your provider which port range they use for the RTP stream.

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged
___________________________________________
 
I'd say there is an issue with STUN if some calls work and others don't.

I wouldn't put your IPO on a public network.

You need to run Sys monitor on the SIP calls and see what's actually happening. We run SIP trunks happily behind NAT and only need port 5060 UDP open in NAT and / or the firewall depending on the router you use.

What router are you using?

ACSS - SME
 
Hi,

I too am not overly happy with putting it on the public network, but my main concern is to get a reliable working configuration, which I can revert to whilst trying to sort out a NAT'ed solution.

I'm using a Watchguard FB X55e on 8.63.
Custom Policy Allows:

5060 tcp
5060 udp
3478 tcp
3478 udp
5080-5084 tcp
49152-53246 udp

Some of the above were added in desperation - by looking at the Gradwell "help" pages. Staff don't know anything about IPOs.
The problem when running behind NAT was constant "trunk out of service".

Obviously this is my preferred solution, but either way I need to get the phones slightly more reliable than they are now.

Thanks
 
OK, make sure the intrusion prevention is off.

Now on the little edge boxes, there are now NAT rules as such they are considered firewall rules.

You should only need Incoming rules, and one Any/any/allow outgoing rule.

You should only need a custom UDP 5060 rule on the incoming rules.

Also try a different firmware version on the Watchguard, I've seen those x55e do some odd things on some firmware versions.

ACSS - SME
 
Ok.
Let me have a look at this later, as I've run out of time.
Thank you for your help. I'll make some changes and let you know what occurs.
 
Also, on your SIP trunk, how is your network topology set? Have you tried to disable STUN by setting it to NONE and see what happens?

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries
 
Hi Kevin,

Thank you for your input.

I've tried various options in the topology settings depending upon whether I was trying it on LAN1 via Nat or LAN2 via the public IP.

None seemed to make a reliable difference.

I've currently reverted back to the LAN1/Nat option and the SIP trunk is currently registered (and has been for some hours)
The problem I now have is zero audio on some calls. Others are perfect. I've made a number of test calls and there does not seem to be a pattern.

I can't see anything obviously being blocked, but from my understanding it is likely to be the RTP(udp) settings.
However, as far as I am aware I've opened these up quite liberally already (see a few posts above).

Going back to the STUN settings - this is one of the problems I was experiencing, in that the IPO couldn't determine its external IP and port. A reboot of the IPO generally solved the issue.

So currently I'm none the wiser as to what the actual problem is.

 
Turn off the firewall, NAT all ports from the range 10000 - 53246 udp.
If then still no audio, then your provider sends it to the internal IP instead of the external IP.

When you have audio, make a Wireshark trace on LAN2 with a HUB and see which RTP ports the provider uses.

So open it all first, then close it step by step.

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged
___________________________________________
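
Added example, not part of any post in this thread: a small check for the two failure modes raised above, run against the SDP body the IP Office sends (as seen in a Sysmon or Wireshark trace). It flags an advertised RFC 1918 address and an RTP port that falls outside the inbound UDP ranges of the custom policy listed earlier. The SDP samples are constructed, 203.0.113.10 is a documentation address standing in for the public IP, and the function names are hypothetical.

```python
import ipaddress

# Inbound UDP ranges from the WatchGuard custom policy quoted in the thread.
ALLOWED_UDP = [(5060, 5060), (3478, 3478), (49152, 53246)]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SDP bodies; addresses and ports are illustrative only.
SDP_OK = "v=0\r\nc=IN IP4 203.0.113.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 8 101\r\n"
SDP_INTERNAL = "v=0\r\nc=IN IP4 192.168.42.1\r\nt=0 0\r\nm=audio 49170 RTP/AVP 8 101\r\n"
SDP_BLOCKED = "v=0\r\nc=IN IP4 203.0.113.10\r\nt=0 0\r\nm=audio 30500 RTP/AVP 8 101\r\n"


def parse_media(sdp):
    """Return [(media, port, address)]; a media-level c= overrides the session c=."""
    session_addr, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1].split("/")[0]  # drop a multicast TTL suffix
            if streams:
                streams[-1][2] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            streams.append([kind, int(port.split("/")[0]), session_addr])
    return [tuple(s) for s in streams]


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # c= may carry a hostname instead of an address
        return False
    return any(ip in net for net in RFC1918)


def audit_sdp(sdp, allowed=ALLOWED_UDP):
    """List reasons the audio described by this SDP could be dropped."""
    findings = []
    for kind, port, addr in parse_media(sdp):
        if port == 0:  # port 0 means the stream is declined, nothing to check
            continue
        if addr and is_rfc1918(addr):
            findings.append(f"{kind}: advertises private address {addr}")
        if not any(lo <= port <= hi for lo, hi in allowed):
            findings.append(f"{kind}: RTP port {port} outside allowed UDP ranges")
    return findings
```

Running `audit_sdp` over the SDP of a silent call and of a working call shows whether the difference is the advertised address or the port.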
 
Thanks Bas1234,

I'll widen the udp ports tomorrow to see if this makes a difference. As I was writing the previous post, I was thinking I ought to try this.

Can't do anything until tomorrow now.
 
Hello HSM

I use Gradwell - so yes UK based.
Any reason ?

Thanks

Paul
 
Well, the BT IP exchange had this exact problem a little while ago where calls from the PSTN network over the IP network had speech issues.

Can you ask Gradwell to do some Wireshark traces of a call with no speech?

P.S - if you want to move off Gradwell, drop me a note here.

ACSS - SME
 
Thanks HSM,

However, from my conversations they are very limited in what they will (or are able) to do.
I have considered moving away, but I'm going through quite a few physical BT changes at the moment, so until this project has completed I need to remain where I am.

Let me know your contact details somehow, and I will consider it once things have quietened down.

As to my current problem, I've not had a problem so far today, but that's not to say I won't.

Paul
 
sean_at_vale-comms_dot_co_uk

We own 50% of a SIP provider with a direct connect into BT's 21cn network.

We have some very busy call centres on SIP on the IPO and all work exceptionally well and they will do proper traces to help diagnose issues!

ACSS - SME
 