PF 2.0.2 + VPN + VOIP (1720) states need manual clearing



  • The setup is two pfSense boxes, one on each end of the tunnel.  I have used both OpenVPN and IPsec; both have the same issue.  The remote location has an Avaya phone connecting to the main office.  I would say after a few hours (could be as much as 8) the phones can no longer connect.  The phones do not all do it at the same time, but they will all eventually disconnect.  By a disconnect, the system shows a TCP connection to them just fine.  I think the traffic on port 1720 is hung, so the phone can't open a new session back, so it just hangs and beeps.

    To fix the issue I have to go into the states table on BOTH pfSense boxes and clear anything dealing with port 1720.  In all these tests the circuit connecting the sites is solid, with no IP changes or disconnects.  I am not using QoS (since I don't control the hops between the locations).

    I have done the following as per other articles (I have tried combinations as well). These settings are on BOTH pf boxes at the same time:
    -Disable Firewall Scrub
    -Firewall Optimization Options (tried conservative and high latency)

    It's for sure a states issue: if I physically restart the phone (and it retains the same IP) it will come up fully but with no dial tone, in a hung state.  Exactly the same as when this happens.

    I would like to do a packet capture, but I am trying to get a better time for when it happens.

    Anyone else got any suggestions?  I have read of people setting cron jobs to kill the states table, which will affect lots of other things.  All devices on the ends work 100% except for the VoIP phones.



  • Opened a commercial support ticket.  I have been trying a ton of other items.  I will post results and fixes if we can figure it out.  ;)



  • Support was able to give me a tip.  Keep alive is required internally for our Avaya phones but plays nasty with the remote phones.  It seems to keep the states open but the phones want a new state, or vice versa.  Either way, in the Avaya main system you can set IP ranges to turn off keep alive.  We did that and every Avaya phone has been online for 2 days now with no disconnect.  I did leave my pfSense boxes in "conservative" for the Firewall Optimization Options.  It may or may not be needed.  This applied to both IPsec and OpenVPN, but I have settled on OpenVPN.  It just seems to play so much nicer overall.



  • I'm having a similar problem but with my Asterisk box and VoicePulse service.
    The service works well, but after a day or two the Asterisk box loses its registration with VoicePulse.
    I can reboot the Asterisk box as many times as I want, but the registration fails.
    Then I go to my pfSense States Table and look for the state that has ipofasterisk:5060 > ipofpfsense:randomport > ipofvoicepulse:5060. Then I clear that state and the box registers immediately and creates a new state.
    Maybe it is the same thing, maybe it is another thing. I don't know if I have to open a new thread for this.
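
Added example, not part of the original thread: instead of a cron job that flushes the whole state table, this sketch picks out only the host pairs that hold a state on the stuck port (1720 in the first post, 5060 in the last) and builds one `pfctl -k src -k dst` command per pair. The `pfctl -ss` text layout, the sample addresses and the function names are assumptions made for this example.

```python
import re

# Constructed sample of `pfctl -ss` output (assumed layout, made-up addresses).
SAMPLE = """\
all tcp 10.1.0.5:1720 <- 10.2.0.31:49712       ESTABLISHED:ESTABLISHED
all tcp 10.2.0.31:49712 -> 10.1.0.5:1720       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:5060 -> 198.51.100.2:31045 -> 203.0.113.9:5060       MULTIPLE:MULTIPLE
all tcp 10.2.0.40:51000 -> 10.1.0.9:443       ESTABLISHED:ESTABLISHED
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

def parse_state(line):
    """Return (proto, [(ip, port), ...], [arrows]) for one state line, or None."""
    tok = line.split()
    if len(tok) < 5:
        return None
    proto, eps, arrows = tok[1], [], []
    for t in tok[2:]:
        m = ENDPOINT.match(t)
        if m:
            eps.append((m.group(1), int(m.group(2))))
        elif t in ("->", "<-"):
            arrows.append(t)
    return (proto, eps, arrows) if len(eps) >= 2 else None

def kill_commands(text, port):
    """One `pfctl -k src -k dst` per host pair that has a state on `port`.

    Note: this kills every state between the two hosts, not only the one
    on `port`, which is still far narrower than flushing the whole table.
    """
    pairs = set()
    for line in text.splitlines():
        st = parse_state(line)
        if not st or not any(p == port for _, p in st[1]):
            continue
        eps, arrows = st[1], st[2]
        first, last = eps[0][0], eps[-1][0]
        # "<-" marks an inbound state: the initiator is printed last.
        src, dst = (last, first) if arrows and arrows[0] == "<-" else (first, last)
        pairs.add((src, dst))
    return [f"pfctl -k {s} -k {d}" for s, d in sorted(pairs)]

if __name__ == "__main__":
    for cmd in kill_commands(SAMPLE, 1720) + kill_commands(SAMPLE, 5060):
        print(cmd)  # review the list before running anything on the firewall
```

On a tunnel between two pfSense boxes the generated commands would be run on both ends, matching the manual clearing described in the first post.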

