Preferred routers/firewalls for SIP on IPO

[liquidshokk]

Hi

We are considering ditching draytek routers for Avaya IPO SIP installations, due to suspecting them to be at fault for a number of issues we face.

The question is, what do we use instead? We currently use the draytek firewall routers in house and for installs, so don't have a separate firewall, however we have been advised that Juniper firewalls work well with SIP. I don't know if these are a viable/quick solution for IPO installs though, due to the amount of configuration required on them.

What are the quickest/simplesT/most stable and reliable routers/firewalls for IPO SIP?

 

[liquidshokk]

Not very busy. Maybe 4 or 5 calls going through at max at one time.

This morning we had reports that a customer couldn't get through on an 0800 number pointing to a local DDI, but every time we test it has already resolved itself. It's happened on other numbers too.

The numbers are pointing to auto attendant, but no congestion or any reason to believe it is voicemail failing

Not sure if coincidence but seemed at one point that making an outbound call fixed the inbound issue, as if it was forcing the connection back up somehow.

5060 is pointed to IPO in open ports, along with RTP ports just in case.

Seems to be happening every couple of days at the moment...

 

[hairlessupportmonkey]

Ah - OK. I suspect your NAT rule isnt right.

If making an outbound call works and allows another call in, then that will be the NAT ports left open from the outbound connection.

is port 5060 set to TCP or UDP?

ACSS - SME
General Geek

 

[liquidshokk]

I'm thinking we may need to have a discussion around your WG offerings HSM

This is what we have configured under open ports on the draytek;

TCP/UDP 5060-5080
TCP/UDP 3478
UDP 49152-53246

All pointing to the IPO.

There is also an entry for 5060 UDP under port redirection pointing to the IPO.

Strict firewall/SIP ALG turned off.

 

[hairlessupportmonkey]

remove the port redirection entry. Thats if you want to direct one port from one number to another. i.e say port 80 on the outside to say port 8080 on the inside.

all you need is Port 5060/UDP in Open ports. remove all the other bollocks.

You can email me sean_at_vale-comms_dot_co_dot_uk

ACSS - SME
General Geek

 

[liquidshokk]

OK, so I only have 5060 in the open ports now but just had another report of customers not being able to get through, despite the lines being fine every single time I call in.

Just checked STUN server settings as its set to run on startup and its showing as "Port restricted Cone NAT". I was under the impression SIP can work perfectly fine with this firewall type?! I'm guessing there is nothing else I can do on the draytek to make it more open if this NATing is the problem?

 

[liquidshokk]

Also... Interestingly, I just made a change to the NAT settings on the draytek, called in and got dead air so I waited and tried calling out from my deskphone and as soon as that call connected my inbound call suddently connected....

?

 

[hairlessupportmonkey]

it almost seems like the SIP ALG isnt off.

ACSS - SME
General Geek

 

[liquidshokk]

Just double checked and sadly its not.

 

[hairlessupportmonkey]

Problem solved then?

My Invoice is in the post.

ACSS - SME
General Geek

 

[liquidshokk]

Are you saying it should be ON???

I thought it needed to be off because it causes problems????

 

[hairlessupportmonkey]

It needs to be OFF!

ACSS - SME
General Geek

 

[liquidshokk]

Oh I see the confusion....

No, it is off already

 

[hairlessupportmonkey]

I see.

is it on the latest firmware?

ACSS - SME
General Geek

 

[liquidshokk]

No..... But I've just noticed these "somewhat" relevant fixes in the latest release;

13. Two IP phones behind NAT are unable to call each other after a period of time
14. SIP ALG: "via" information was not being modified correctly