NAT drops SIP registration over time



  • I've got a Cisco SIP phone that sits behind a pfSense RELENG_1 box.  It connects to my Asterisk server, and works just fine.  The problem I'm seeing is that, over time, Asterisk loses connection with my SIP phone.

    When I was running Linux/iptables on the same firewall box as I have now, I never had this problem.  Is there something I have to tweak in pfSense to get it to not drop NAT mappings?



  • Try to monitor the state of the VoIP phone via the shell menu (pftop). Does the state not renew its expiration time? If not, the phone doesn't contact the Asterisk or vice versa when idle. In that case you might want to use a firewall rule with some advanced options to set a higher state timeout or set the whole firewall to conservative optimization (at System > Advanced).



  • In monitoring with pftop, I get multiple connections betwixt the phone and Asterisk…all listed in state MULTIPLE:MULTIPLE.  I don't know how to determine anything beyond that, but I have set optimization to conservative.  Reading the description for that makes it sound like it will fix the problem.

    Time will tell.



  • Wow…that didn't take long to tell if it worked or not.

    It didn't work.  ;D

    The NAT mapping was completely gone from the pftop output.  Do I need to modify the outbound NAT rules or the firewall rules (or both) to increase the state time as you suggest?



  • Only firewall rules.
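
The check suggested in the first reply (does the state renew its expiration time?) can be scripted by comparing two state-table snapshots taken a known number of seconds apart. This is an added example, not code from the thread or from pfSense; it assumes the two-line layout printed by `pfctl -ss -v`, and the sample snapshots, addresses and rule number are constructed.

```python
import re

# Constructed samples in the layout printed by `pfctl -ss -v` (documentation addresses).
SNAP_A = """\
all udp 192.0.2.10:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 00:42:10, expires in 00:00:50, 310:305 pkts, 152000:149000 bytes, rule 61
all udp 192.0.2.11:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 00:05:02, expires in 00:00:20, 40:38 pkts, 19000:18000 bytes, rule 61
all udp 192.0.2.12:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 00:09:00, expires in 00:00:25, 22:20 pkts, 9000:8800 bytes, rule 61
"""
# Taken 30 seconds later: .10 was not refreshed, .11 was, .12 has expired.
SNAP_B = """\
all udp 192.0.2.10:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 00:42:40, expires in 00:00:20, 310:305 pkts, 152000:149000 bytes, rule 61
all udp 192.0.2.11:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 00:05:32, expires in 00:00:55, 42:40 pkts, 19900:18900 bytes, rule 61
"""

# First line of a state: "<if> udp <addresses> <STATE:STATE>"; NAT entries carry extra addresses.
HEAD = re.compile(r"^\S+ udp (.+?)\s+\S+:\S+$")
EXPIRES = re.compile(r"expires in (\d+):(\d+):(\d+)")

def parse(text, port=5060):
    """Map the address part of each UDP state touching `port` to seconds until expiry."""
    states, key = {}, None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            addrs = head.group(1)
            key = addrs if re.search(r":%d\b" % port, addrs) else None
            continue
        exp = EXPIRES.search(line)
        if exp and key:
            h, m, s = map(int, exp.groups())
            states[key] = h * 3600 + m * 60 + s
            key = None
    return states

def classify(before, after, elapsed, slack=2):
    """Label each state from `before`: gone, idle (timer only counted down) or renewed."""
    old, new = parse(before), parse(after)
    result = {}
    for key, left in old.items():
        if key not in new:
            result[key] = "gone"
        else:
            result[key] = "idle" if new[key] <= left - elapsed + slack else "renewed"
    return result
```

A state that stays "idle" across several snapshots and then turns "gone" means neither side is sending traffic often enough to outlast the state timeout.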

