Netgate Discussion Forum

    PF 2.0.2 + VPN + VOIP (1720) states need manual clearing

    Firewalling
    • D
      deresistance last edited by

      The setup is two pfSense boxes, one on each end of the tunnel.  I have used both OpenVPN and IPsec; both have the same issue.  The remote location has an Avaya phone connecting to the main office.  I would say after a few hours (could be as much as 8) the phones can no longer connect.  The phones do not all do it at the same time but they will all eventually disconnect.  By a disconnect the system shows a TCP connection to them just fine.  I think the traffic on port 1720 is hung so the phone can't open a new session back so it just hangs and beeps.

      To fix the issue I have to go into the states table on BOTH pfSense boxes and clear anything dealing with port 1720.  On all these tests the circuit connecting the sites is solid, no IP changes or disconnects.  I am not using QoS (since I don't control the hops between the locations).

      I have done the following as per other articles  (I have tried combinations as well) (These settings are on BOTH pf boxes at the same time)
      -Disable Firewall Scrub
      -Firewall Optimization Options (tried conservative and high latency)

      It's for sure a states issue: if I physically restart the phone (and it retains the same IP) it will come up fully but with no dial tone, in a hung state.  Exactly the same as when this happens.

      I would like to do a packet capture but trying to get a better time for when it happens.

      Anyone else got any suggestions?  I have read of people setting cron jobs to kill the states table, which will affect lots of other things.  All devices on the ends work 100% except for the VoIP phones.

      • D
        deresistance last edited by

        Opened a commercial support ticket.  I have been trying a ton of other items.  I will post results and fixes if we can figure it out  ;)

        • D
          deresistance last edited by

          Support was able to give me a tip.  Keep alive is required internally for our Avaya phones but plays nasty with the remote phones.  It seems to keep the states open but the phones want a new state, or vice versa.  Either way, in the Avaya main system you can set IP ranges to turn off keep alive.  We did that and every Avaya phone has been online for 2 days now with no disconnect.  I did leave my pfSense boxes in "conservative" for the Firewall Optimization Options.  It may or may not be needed.  This applied to both IPsec and OpenVPN but I have settled on OpenVPN.  Just seems to play so much nicer overall.

          • G
            gabrielpc1190 last edited by

            I'm having a similar problem but with my Asterisk box and VoicePulse service.
            The service works well but after a day or two, the Asterisk box loses its registration with VoicePulse.
            I can reboot the Asterisk box as many times as I want but the registration fails.
            Then I go to my pfSense States Table and look for the state that has ipofasterisk:5060 > ipofpfsense:randomport > ipofvoicepulse:5060. Then I clear that state and the box registers immediately and creates a new state.
            Maybe it is the same thing, maybe it is another thing. I don't know if I have to open a new thread for this.
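
Added example, not from any poster in this thread: both posts clear states for one port by hand, and the first notes that a cron job flushing the whole state table affects everything else. This sketch reads `pfctl -vv -ss` output and lists only the states on a given port that are older than a chosen age, with their state ids. The function names and the sample lines are constructed for illustration, and IPv6 entries (printed as `addr[port]`) are not handled.

```shell
#!/bin/sh
# stale_states PORT MIN_AGE_SECONDS
# Reads `pfctl -vv -ss` output on stdin and prints "<id> <age_seconds> <state>"
# for every state with an endpoint on PORT that is at least MIN_AGE_SECONDS old.
stale_states() {
    awk -v port="$1" -v min="$2" '
        # A state entry starts in column 0; its detail lines are indented.
        /^[^ \t]/ {
            line = $0; hit = 0; age = -1
            # Look for :PORT at the end of any address token, including a
            # parenthesised pre-NAT address.
            for (i = 1; i <= NF; i++) {
                tok = $i; gsub(/[()]/, "", tok)
                n = split(tok, p, ":")
                if (n >= 2 && p[n] == port) hit = 1
            }
            next
        }
        # Detail line: "age HH:MM:SS, expires in ..."
        hit && $1 == "age" {
            t = $2; sub(/,$/, "", t)
            split(t, h, ":")
            age = h[1] * 3600 + h[2] * 60 + h[3]
            next
        }
        # Detail line: "id: <hex> creatorid: <hex>" closes the entry.
        hit && $1 == "id:" {
            if (age >= min) print $2, age, line
            hit = 0
        }
    '
}

# Constructed sample in the layout of `pfctl -vv -ss` (not real capture data).
sample_states() {
    cat <<'EOF'
all tcp 10.20.0.15:49210 -> 10.10.0.5:1720       ESTABLISHED:ESTABLISHED
   [1203344 + 65535] wscale 2  [889213 + 65535] wscale 2
   age 09:12:40, expires in 23:58:11, 4120:4098 pkts, 301222:298771 bytes, rule 61
   id: 00000000a1b2c301 creatorid: 5f3e9a10
all tcp 10.20.0.16:50112 -> 10.10.0.5:1720       ESTABLISHED:ESTABLISHED
   age 00:03:05, expires in 23:59:40, 52:49 pkts, 4100:3990 bytes, rule 61
   id: 00000000a1b2c302 creatorid: 5f3e9a10
all udp 10.20.0.30:5060 -> 203.0.113.9:31044 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 30:00:00, expires in 00:00:58, 9000:8990 pkts, 510000:505000 bytes, rule 70
   id: 00000000a1b2c303 creatorid: 5f3e9a10
EOF
}

# On the firewall: pfctl -vv -ss | stale_states 1720 14400
# Each id can then be removed alone with `pfctl -k id -k <id>`, assuming the
# installed pfctl supports killing by state id.
sample_states | stale_states 1720 3600
```

Running it periodically and logging the output also gives the timestamps needed to schedule a packet capture around the moment a state goes stale.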
