Remote phones cutting off at 20secs

Discussion in 'General' started by reynolwi, Jun 1, 2009.

  1. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    I am running elastix 1.5.2-2.2 and have phones where the elastix pbx is and at a remote site. The phones at the remote site are connected on a separate subnet from the LAN subnet and connect to the central site, where elastix is, over an IPSec tunnel.

    That site has two subnets - 10.25.19.0 (LAN) and 10.25.22.0 (Phones) and the gateway is a pfsense firewall box. The elastix box is on the 10.25.18.0 subnet and is also behind a pfsense firewall box. The phone traffic is actually coming thru the IPSec tunnel and the phones connect to 10.25.18.250 and register and work great, but I've noticed that the call drops sometimes at 20secs.

    From a remote phone I can dial the call park extension and put that phone into call park. The system announces what call park I am on and that call park extension lights up on all the phones' BLF. The music on hold starts playing and then right at 20secs the call park extension goes dead and the BLF light turns off, but the phone and elastix still show the call taking place until I hang the phone up, but you cannot hear anything.

    What could be causing this? This is the layout from 10.25.18.0
    Only the central site has an IPSec tunnel to the phone subnet 10.25.22.0 no other site has access. I have not seen any errors on any log so it makes me wonder what is going on. Can I not run the phone traffic thru an IPSec Tunnel?

    I attached the site layout. Only the central site has a connection to the second subnet on site 2 which is the phone subnet as shown in the layout.

     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
  3. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    The IPsec tunnels are set to allow any traffic between the connected boxes no matter what TCP/UDP port it is, so the firewall is not blocking ports on the IPsec rules.
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    No, but the connections might be getting "stale" with no rtp traffic either in asterisk or the tunnel.
    Ensure MOH is working on the parking lot and just sing along on the far end phone and see if the problem remains.
    Check the advanced options on the firewall rules for the timeout value.
     
  5. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    The remote phones have also developed static sometimes and voice delays on both ends. I guess the voip traffic does not like going thru an IPSec tunnel. MOH works because when you call in and get the ivr or place a call on hold you hear the music and it doesn't cut out. There is nothing blocking rtp traffic thru the tunnel. The tunnel is wide open for any kind of traffic.

    I would try and get the phones to connect going externally outside of the ipsec tunnel, but with this newer version of elastix I have to figure out where to put this information...

    nat=yes
    externip=pbx.domain.com
    localhost=voip.domain.net
    localnet=10.25.18.0/255.255.255.0

    I have it in sip_general_custom.conf but it doesn't seem to help because the phones are not connecting.
     
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    either
    externip=<public ip xxx.xxx.xxx.xxx>
    or
    externhost=<externally resolvable dns name>
    not both. pbx.domain.com is not an ip address, and localhost is reserved for the loopback network adapter 127.0.0.1. These settings are fully covered in my previous voip-info reference (apart from the spurious localhost=); I seriously recommend you read it in its entirety. Best current practice would have these in sip_nat.conf. In /etc/asterisk/sip.conf and its temporal inclusions any later declaration overrides a previous declaration; you should check that.

    Although there may be no block to rtp traffic, each connection must be maintained in a state-table in the network devices to continue to pass traffic. I believe there is some discussion in the pfsense forum about stale/un-renewed connections, packet loss and latency problems over connected tunnel devices.
    Lots of variables; it's just a matter of finding which one needs adjusting. FWIW I have many sip devices behind simple pfsense nat boxes that have worked flawlessly for years; it just works in my experience. There is even a siproxd module for newer pfsense's if your network gets too convoluted. So keep plugging on, and good luck.
     
  7. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    I'm seriously lost here and about to have a breakdown. This was working fine and now it's not. I got one phone to successfully connect externally using pbx.domain.com and it works great but none of the other phones will connect like that.

    The last time I had these phones all working I was using a netgear vpn router and hooked the phones up to a dlink router behind the netgear and on the netgear set the dlink router ip as the dmz and they all connected externally to pbx.domain.com. The problem was, though, that doing it like that meant I had to actually be at the phone to manage it because I could not access the webgui with the way they were connected.

    I tried to get the siproxd working on the pfsense box where all the phones having problems are but there is no audio when making a call. Maybe I didn't have it set up right or something, but the phone connected going externally with the proxy as 10.25.22.254 which is the phone subnet interface on the pfsense box.

    How do you have your phones set that connect thru a pfsense box to a remote pbx? I removed almost all the netgear boxes and replaced them with pfsense boxes all running v1.2.3RC1. At the site where the phones I am having problems with are, the pfsense box has 3 interfaces. One is the LAN (10.25.19.0), one is the Phone Subnet (10.25.22.0), and the last is the WAN interface. There are 4 grandstream phones on the 10.25.22.0 subnet and there will be 5 here shortly hopefully. Two phones are Grandstream GXP-2000, one is a Grandstream GXP-2020, and the last is a Grandstream BT-200.
     
  8. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    You have my commiserations:

    I'm sorry, but I can't troubleshoot your network for you; I have neither the access nor, to be perfectly honest, the available time, and you built quite a complex one! But please let it suffice to say that if all the devices can see each other (they all have routes to get to each other), all ports are open and natted correctly, the asterisk nat settings are correct and reflect both its WAN location (the internet) and that it is binding to all the LANs to which it expects to reply, then it should be able to rewrite the SIP/via's correctly and everything should work.
    When you say pbx.domain.com then it should be possible to open a sip connection to it from anywhere using DNS to pbx.domain.com. If pbx.domain.com is not registered in the internet "DNS System" then you will need to rely on another name resolution protocol that works on all your LANs. The remote device should be set up to register to pbx.domain.com on udp/5060. They will send a sip/register request to that device and the via's will be rewritten as per the natting; eventually each peer-phone in its local network will be offered a SIP/invite and register on a random and unique port, and remain registered indefinitely (while the connection remains available anyway).

    The various nat/firewall devices will be responsible for redirecting and maintaining the negotiated sip connection, complete with any redirection and state maintenance necessary, and any resultant rtp connections in a bi-directional fashion.

    You can troubleshoot all the above by using the sip debug and sip and rtp debug commands qualified with ip or peer to be more specific and watch the conversations on the asterisk CLI, and tcpdump on the remote LAN segments if necessary.

    If it helps, use ip address for LAN and WAN connections whenever possible (you need a static public ip for your WAN/voip provider connections,) but inside the LAN you should use IP's.

    If you are not fully comfortable with what I am saying then I suggest you regress to the "last known good" state hardware and configuration. And then try again when less stressed step by step and cautiously.
     
  9. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    Then I do not understand why only one phone is able to make a connection from that site using pbx.domain.com and not any of the other phones. I am new to pfsense and I will get this mastered but it takes time and asking questions from people who have experience. I can not go back because I was using an older version of elastix and upgraded the box to get new features.

    I moved the information from sip_general_custom.conf to sip_nat.conf and set the options...

    nat=yes
    externhost=pbx.domain.com
    localhost=voip.domain.net
    localnet=10.25.18.0/255.255.255.0

    Yes, pbx.domain.com is a registered dns name. But the question is: can phone traffic go thru an IPSec tunnel or is it better to connect outside the tunnel? If it's better going outside the tunnel then I am going to have to figure out why only one device on that network is allowed to connect.
     
  10. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Then at least two things are mis-configured

    again

    localhost=voip.domain.net

    is nonsense, what is your reason for having it there, you obviously like it so there must be a reason for not following the voip-info doc.?

    As a quick fix, set each phone to register on a defined and unique port, both on the phone and in FreePBX, for example 5060 for phone 1, 5061 for phone 2, 5061 for phone three, etc. This should excuse your nat devices from having to be provisioned correctly; just expand the firewall rules to encompass all the ports.

    Yes, VOIP works over networks, and IPSEC tunnels networks, so VOIP works over IPSEC, but if anything is misconfigured you will have troubles with or without a VPN. As to what is better, I cannot answer that; each instance is unique. Given processing power and bandwidth, VPNs are an excellent and secure choice. Your problem is, I believe, the networking/NAT/asterisk setup, which I'm sure you will eventually sort out.
     
  11. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    I did look at the voip-info doc. The only problem is my sip.conf doesn't have any of those commands, and I'm guessing it's because I have the newer version of asterisk. This is what my sip.conf file looks like...

    ;--------------------------------------------------------------------------------;
    ; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
    ; this file must be done via the web gui. There are alternative files to make ;
    ; custom modifications, details at: http://freepbx.org/configuration_files ;
    ;--------------------------------------------------------------------------------;
    ;

    [general]

    ; These files will all be included in the [general] context
    ;
    #include sip_general_additional.conf

    ;sip_general_custom.conf is the proper file location for placing any sip general
    ;options that you might need set. For example: enable and force the sip jitterbuffer.
    ;If these settings are desired they should be set the sip_general_custom.conf file.
    ;
    ; jbenable=yes
    ; jbforce=yes
    ;
    ;It is also the proper place to add the lines needed for sip nat'ing when going
    ;through a firewall. For nat'ing you'd need to add the following lines:
    ; nat=yes , externip= , localhost= , and optionally fromdomain= .
    ;
    #include sip_general_custom.conf

    ;sip_nat.conf is here for legacy support reasons and for those that upgrade
    ;from previous versions. If you have this file with lines in it please make
    ;sure they are not duplicated in sip_general_custom.conf, if so remove them
    ;from sip_nat.conf as sip_general_custom.conf will have precedence.
    #include sip_nat.conf

    ;sip_registrations_custom.conf is for any customizations you might need to do to
    ;the automatically generated registrations that FreePBX makes.
    ;
    #include sip_registrations_custom.conf
    #include sip_registrations.conf

    ; These files should all be expected to come after the [general] context
    ;
    #include sip_custom.conf
    #include sip_additional.conf

    ;sip_custom_post.conf If you have extra parameters that are needed for a
    ;extension to work to for example, those go here. So you have extension
    ;1000 defined in your system you start by creating a line [1000](+) in this
    ;file. Then on the next line add the extra parameter that is needed.
    ;When the sip.conf is loaded it will append your additions to the end of
    ;that extension.
    ;
    #include sip_custom_post.conf



    I will remove the localhost line, but I only had it in there because once again my sip.conf file said it was needed for nat.

    I want to try and send the phone traffic thru the ipsec tunnel, so that means I need to look at why the phones cut off at 20secs exactly. Is it something on the pfsense boxes I need to look at or on the phones? Point me in the right direction. I double checked the firewall settings on both boxes and neither are blocking sip or rtp traffic, and tcp/udp ports 5060 and 10000-20000 are redirected to 10.25.18.250 on the 10.25.18.0 subnet pfsense box.
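
Added example, not part of the original thread and not FreePBX or Asterisk code: a small linter that walks the [general] `#include` chain from the sip.conf posted above in read order and reports the NAT mistakes the replies call out (a repeated setting, `externip` together with `externhost`, a hostname in `externip`, and a key such as `localhost` that is not a NAT option). The file contents are a constructed sample, the second `localnet` line is an assumed value, and "the later line wins" is the rule as stated in the thread.

```python
import difflib
import ipaddress
import re

# Constructed sample: the [general] includes from the posted sip.conf, holding
# the NAT lines tried in the thread plus one localnet line per subnet.
FILES = {
    "sip.conf": "[general]\n#include sip_general_additional.conf\n"
                "#include sip_general_custom.conf\n#include sip_nat.conf\n",
    "sip_general_additional.conf": "bindport=5060\n",
    "sip_general_custom.conf": "nat=yes\nexternip=pbx.domain.com\n"
                               "localhost=voip.domain.net\n",
    "sip_nat.conf": "nat=yes\nexternhost=pbx.domain.com\n"
                    "localnet=10.25.18.0/255.255.255.0\n"
                    "localnet=10.25.22.0/255.255.255.0\n",
}
NAT_KEYS = {"nat", "externip", "externhost", "localnet"}  # options named in the thread
MULTI = {"localnet"}  # listed once per subnet, so repeats are expected


def flatten(name, files, stack=()):
    """Yield (file, line_no, key, value) in the order the files are read."""
    if name in stack:
        raise ValueError(f"include loop at {name}")
    for no, raw in enumerate(files.get(name, "").splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        inc = re.match(r"#include\s+(\S+)", line)
        if inc:
            yield from flatten(inc.group(1), files, stack + (name,))
        elif "=" in line and not line.startswith("["):
            key, value = (part.strip() for part in line.split("=", 1))
            yield name, no, key.lower(), value


def audit(root, files):
    """Return (effective NAT settings, findings) for the include chain."""
    seen, findings = {}, []
    for fname, no, key, value in flatten(root, files):
        where = f"{fname}:{no}"
        if key not in NAT_KEYS:
            # Unknown key that closely resembles a NAT option: probably a typo.
            near = difflib.get_close_matches(key, NAT_KEYS, n=1)
            if near:
                findings.append(f"{where}: '{key}' is not a NAT option; "
                                f"did you mean '{near[0]}'?")
            continue
        if key in seen and key not in MULTI:
            findings.append(f"{where}: {key} repeats {seen[key][-1][1]}; "
                            "the later line wins")
        seen.setdefault(key, []).append((value, where))
    if "externip" in seen and "externhost" in seen:
        findings.append("externip and externhost are both set; use one, not both")
    for value, where in seen.get("externip", []):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{where}: externip '{value}' is not an IP address; "
                            "use externhost for a DNS name")
    effective = {k: [v for v, _ in vals] if k in MULTI else vals[-1][0]
                 for k, vals in seen.items()}
    return effective, findings


if __name__ == "__main__":
    settings, problems = audit("sip.conf", FILES)
    print(settings, *problems, sep="\n")
```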
     
  12. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    ok looking into the .conf files on freepbx this is what i found...

    sip_general_custom.conf
     
  13. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    Asterisk gets crazy when it has more than one interface to route sip and rtp traffic.
    And many times tries to send traffic using the wrong interface.
    Enable rtp debug in logger.conf and you will see what is going on with the voice traffic.
     
  14. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I'm guessing that they are not there because you did not add them there, and thanks for the sip.conf file; it looks much like mine, which I've already read a few times :)
    ----------------------
    I tried, albeit unsuccessfully; remember the keep-alive thingy?
    Maybe reading "Elastix without Tears" and the other posts on these fora concerning NAT and name/ip resolution problems, further exploring the voip-info site, and debugging the sip/rtp streams as has been suggested a couple of times will help in finding your direction.
     
  15. Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    reynolwi,

    Having read all of the posts so far, and coming in from the outside, I believe that you are going to give yourself a nice headache with the NAT setup.

    Your best bet is a well set up routed network, which includes IPSEC tunnels (VPNs). Correctly set up, there is nothing more sturdy and confidence building (e.g. as you change and expand your network).

    NAT, while very useful, is not for complex solutions, and not really for multi-port services. NAT is implemented differently on each device, but the issue comes from how applications handle NATing, and whether or not it is double-NATed.

    My clear recommendation is to go back to your IPSEC tunnels, and if you are having problems with breakup, static etc, then resolve the issue piece by piece.

    We set many of our systems up over routed networks, in most cases using IPSEC tunnels. If you had an issue with IPSEC VPN's then it might be an issue with Bandwidth control, QOS, and you are going to come across a similar issue with the NATed connections.

    Regards

    Bob
     
  16. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    Asterisk does not have multiple interfaces. There are multiple subnets across the network that asterisk will be communicating with. I found that info on the freepbx site and listed all the localnet= lines like I showed, with the subnets asterisk will be talking with.

    After the addition of all the localnet= lines and rebooting, the phones are not disconnecting after 20secs, which sounds like I fixed my nat problem perhaps. Instead I now have static and garbled audio at times, which may perhaps point to a codec problem?
     
  17. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    OK, further update. The phones on the 10.25.22.0 subnet are staying up longer than 20secs on a call but there is garbled audio when they make an outside call only. Calls between extensions sound ok; there's some audio distortion but not as bad as if you make an outside call from that subnet. The phone traffic is still going thru the IPSec VPN Tunnel, so the additions to the .conf file when I added the extra localnet= lines must have fixed the nat problem.

    I have an audio problem now and like I said I guess it's pointing me towards audio codecs... Right?
     
  18. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    Re:Remote phones problem

    Ok, I did a sip show peer and this is what shows up. Under the NAT column on every peer it shows N, which I am guessing is NO NAT. Is this correct?


    voip*CLI> sip show peers
    Name/username          Host          Dyn  Nat  ACL  Port  Status
    VP-SIPJFKB/gcq62ycF52  67.108.9.165       N         5060  OK (70 ms)
    VP-SIPJFKA/gcq62ycF52  64.61.93.190       N         5060  OK (68 ms)
    5010/5010              10.25.18.132  D    N    A    5060  OK (12 ms)
    3013/3013              10.25.22.207  D    N    A    5060  OK (170 ms)
    3012/3012              10.25.22.208  D    N    A    5060  OK (128 ms)
    3011/3011              10.25.22.210  D    N    A    5061  OK (265 ms)
    3010/3010              10.25.22.209  D    N    A    5062  OK (167 ms)
    2015/2015              10.25.18.120  D    N    A    5064  OK (23 ms)
    2012/2012              10.25.18.133  D    N    A    5060  OK (25 ms)
    2011/2011              10.25.18.136  D    N    A    5060  OK (26 ms)
    2010/2010              10.25.18.120  D    N    A    5060  OK (23 ms)
    11 sip peers [Monitored: 11 online, 0 offline Unmonitored: 0 online, 0 offline]
     
  19. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Re:Remote phones problem

    No, N means they are NATTED; nothing in that column means they are not.
    Your 10.25.22.0 network has way too much latency to be acceptable.
     
  20. reynolwi

    Joined:
    May 5, 2008
    Messages:
    100
    Likes Received:
    0
    Re:Remote phones problem

    And the high latency probably explains my problems with outbound external calls being garbled, right?
     
