Voip.ms and cisco ata failing to register through pfsense firewall

  • I have an occasional problem where my cisco spa 2102 fails to register through the pfsense firewall.

    I have a NAT rule configured for static port for all udp traffic destined for ports 5060 and 10000:20000.

    I have a port forward rule to forward 16384:16482 (this is the RTP port range) from the firewall WAN to the cisco ata.

    The cisco ata is configured for nat mapping and nat keepalive.

    And still every once in a while (most often after rebooting pfsense) the cisco ata fails to register.

    TCP packet capture shows the outbound registration packet, but not the inbound response. I assume the tcp packet capture is after the firewall rules are applied? The firewall logging doesn't log anything being blocked but I'm not sure a blocked udp packet would show.

    I would have expected the SPI to allow the response in.

    I have figured out how to "fix" it though.  I have to go in and find all the current states applied against the ata host and kill them.  Once I do that, things work again.

    But what I don't understand is, if it's a static port map, and the outbound and inbound ports are always the same (outbound to 5060 on the voip.ms side and source port of 5060 and 5061 - I have two ports active on my ata - on the cisco ata side) why would I need to kill the state to allow this to work?
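An added example, not from the original post: a small POSIX shell helper that lists the pf states involving the ATA's LAN address (the check the poster does before killing them) and prints the pfctl commands that would drop them. The ATA address 192.168.1.50, the WAN and voip.ms addresses, and the `pfctl -ss` sample lines are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output: two SIP states (ports 5060/5061
# static-mapped behind the WAN address) plus one unrelated TCP state.
SAMPLE_STATES='all udp 203.0.113.7:5060 (192.168.1.50:5060) -> 198.51.100.10:5060       MULTIPLE:MULTIPLE
all udp 203.0.113.7:5061 (192.168.1.50:5061) -> 198.51.100.10:5060       MULTIPLE:MULTIPLE
all tcp 192.168.1.20:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED'

# ata_states DUMP IP -> prints only the state lines where IP is an endpoint.
# Each "host:port" token (including the NAT'd one in parentheses) is split on
# ":" and the host part compared exactly, so 192.168.1.5 never matches .50.
ata_states() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        {
            for (i = 1; i <= NF; i++) {
                t = $i
                gsub(/[()]/, "", t)
                n = split(t, a, ":")
                if (n == 2 && a[1] == ip) { print; next }
            }
        }'
}

# count_ata_states DUMP IP -> number of states touching IP (what the poster
# inspects before deciding to kill them).
count_ata_states() {
    ata_states "$1" "$2" | wc -l | tr -d ' '
}

# kill_cmds IP -> the pfctl invocations that drop every state to or from IP:
# the first kills states originating from IP, the second kills states
# whose destination is IP (pf's documented "0.0.0.0/0 -k host" form).
kill_cmds() {
    printf 'pfctl -k %s\npfctl -k 0.0.0.0/0 -k %s\n' "$1" "$1"
}

if [ "${1:-}" = "run" ]; then
    # Live mode on the pfSense box: read the real table instead of the sample.
    ATA_IP="${ATA_IP:-192.168.1.50}"
    DUMP=$(pfctl -ss)
    ata_states "$DUMP" "$ATA_IP"
    echo "Commands that would clear them:"
    kill_cmds "$ATA_IP"
fi
```

Run it with `run` on the firewall to see the live states; without arguments it only defines the functions, so the printed commands are never executed by the script itself.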
