SIP Phones/UDP session timeout



  • Hi there

    after reading a lot of previous posts on this forum, i'm still stuck with my SIP phones and the UDP timeouts.

    my setup is quite simple:
    a dozen SIP phones, various vendors, in the LAN, SIP provider is in the Internet and public addressable.

    now, when i connect the phones, all phones work as expected, calls in and out possible, RTP no issue. i'm able to see the session in the states table, everything seems to be ok. but after around 60 seconds the sessions are gone. that means i'm still able to do calls outbound (new outgoing UDP session), but inbound calls aren't possible, the phones won't ring (because there's no UDP session anymore).

    i did try quite a few things:

    • i created an Outbound NAT rule which does StaticPort (Yes, Advanced and this rule comes before the default outgoing)
      this rule made that the udp.src.port of the phone isn't translated to the public… this works fine except i have to change the udp.port of every phone to an individual one. e.g. the Provider receives signaling on port 5066 which is my sipura box. -> works, but no solution to the timeout issue

    • i created a Firewall rule for UDP, Source mylan, destination the whole SIP provider Network. using the Advanced Button i set the timeout value to 300, and was also playing around with the State Type. without success. i also did the same rule on the Wan interface... also without success.

    • i modified /etc/pf.conf, increasing to 'set timeout { udp.first 600, udp.single 300, udp.multiple 600 }'; activated these timeouts with 'pfctl -f /etc/pf.conf': no SIP traffic at all. none of the phones were able to register anymore until a reboot of pfsense...

    unfortunately it's not possible to decrease the re-register time or use STUN on some of the phones.

    so, quick'n'dirty question: is it possible to increase the UDP Session timeout to e.g. 600 seconds? if yes, how?

    cheers & thx



  • This has been answered somewhere else already. Please search before opening new posts. Will answer nevertheless  :)
    When creating/editing rules you will see some "advanced" buttons. You'll find a statetimeout option behind one of them.



  • "- i created a Firewall rule for UDP, Source mylan, destination the whole SIP provider Network. using the Advanced Button i set the timeout value to 300, and was also playing around with the State Type. without success. i also did the same rule on the Wan interface… also without success."

    He did use the advanced button :)



  • Ok, too many missed posts and I'm obviously reading too fast through some of them  ::)



  • no worries :)
    i also made sure that these rules come before any other... common mistake :)

    it's quite interesting that the combination of /etc/pf.conf and the Firewall rule seems to work. when i do have the rule in place and set the pf.conf timeouts, the phone stays registered for >3min.

    but, a reload of the rule or some other event causes pfsense to set the timeouts back to 60/30 seconds.

    despite i'm quite familiar with unix systems i wasn't able to find a 'proper' way to increase these values forever... i guess the /etc/pf.conf file is just a deadbody from the underlying BSD and isn't used by pfsense? where does pfsense store such values?

    cheers



  • now i got a situation where the phone stays connected:

    • Firewall rule (UDP/TCP) lan -> Sipprovider, 600sec timeout, StateType NONE(!). activate this rule
    • Activating pf.conf timeouts (with pfctl -f /etc/pf.conf)

    and my sipura box stays registered... and says 'ringing' when i do a call after 150 seconds.... :)))

    what does Statetype=none mean exactly?

    i'll do some additional tests this evening with a snom and a sj-softphone ...

    cheers



  • So.. took a bit longer than expected…

    i was playing around with a Sipura SPA2000, Snom190 and the SJ softphone... and these **** Phones behave differently altogether. while the snom said it's not registered it was ringing anyway on an incoming call... and the sipura wasn't ringing despite it was registered....

    anyway. i did experience that setting the timeout in the Firewall rule didn't change anything. after 60 seconds the session was gone, no inbound calls altogether.
    setting the timeouts in pf.conf enabled the real timeout. despite some of the registrations failed, when the phones could register they stayed registered up to 10 minutes.
    the setting for the State ("keep state"/"none") didn't change anything at all.

    conclusion: SIP on UDP basis sucks :)

    now while testing i noticed that the udp timeouts from pf.conf (i guess that's the systemwide timeouts) changed all the time back to 60 seconds. when a phone registered within the 60 second timeout and i set the timeout to a higher value the registration was gone. so it was quite difficult to do some serious testing with this behavior :(

    so how can i set the system udp-timeouts at boot time so that my pfsense always uses 10 minutes for UDP? the timeout value within the firewall rule is useless for this....

    cheers



  • State timeout is for TCP only.

    You might visit system -> advanced and set the firewall optimization mode to conservative.



  • Hi There

    didn't try that one yet.

    but isn't there a config file or config option which affects the UDP timeouts itself like the /etc/pf.conf does?

    cheers



  • Yep, I just mentioned it.
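
The mismatch discussed in this thread, as an added example that is not part of any post above and not pfSense's own code: a POSIX sh check that reads `pfctl -s timeouts` output and lists the UDP state timers that expire at or before a phone's re-registration or keepalive interval. The function name is hypothetical, and the sample text is constructed from the 60/30 second values reported in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function name and sample are hypothetical.

# Constructed sample in the format printed by `pfctl -s timeouts`, using the
# 60/30 second UDP values reported in the thread.
SAMPLE_TIMEOUTS='tcp.first                   120s
tcp.established           86400s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s'

# udp_timeouts_too_short REFRESH_SECONDS
# Reads timeout text on stdin and prints "name=seconds" for every udp.* timer
# that expires at or before the SIP refresh interval. Per pf.conf(5),
# udp.multiple applies once both hosts have sent packets, so it is the timer
# that governs a phone's REGISTER flow after the provider has answered.
# Exit status: 0 = all timers outlast the interval, 1 = at least one is too
# short, 2 = bad argument or no udp.* lines found.
udp_timeouts_too_short() {
    refresh=$1
    case $refresh in
        ''|*[!0-9]*) echo "usage: udp_timeouts_too_short SECONDS" >&2; return 2 ;;
    esac
    awk -v refresh="$refresh" '
        $1 ~ /^udp\./ {
            secs = $2
            sub(/s$/, "", secs)
            seen++
            if (secs + 0 <= refresh + 0) { print $1 "=" secs; bad++ }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Demo on the constructed sample: a phone refreshing every 120 s.
printf '%s\n' "$SAMPLE_TIMEOUTS" | udp_timeouts_too_short 120 || true
```

On the firewall itself, pipe the live values in with `pfctl -s timeouts | udp_timeouts_too_short 120`, using the phones' actual refresh interval, and rerun it after a filter reload to see whether the values have reverted.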

