Netgate SG-1000 microFirewall

Author Topic: NAT drops SIP registration over time  (Read 2161 times)

0 Members and 1 Guest are viewing this topic.

Offline mastermindpro

  • Full Member
  • ***
  • Posts: 133
  • Karma: +0/-0
    • View Profile
NAT drops SIP registration over time
« on: July 24, 2006, 02:24:04 pm »
I've got a Cisco SIP phone that sits behind a pfSense RELENG_1 box.  It connects to my Asterisk server, and works just fine.  The problem I'm seeing is that, over time, Asterisk loses connection with my SIP phone.

When I was running Linux/iptables on the same firewall box as I have now, I never had this problem.  Is there something I have to tweak in pfSense to get it to not drop NAT mappings?

Offline hoba

  • Hero Member
  • *****
  • Posts: 5837
  • Karma: +8/-0
  • What was the problem to this solution again?
    • View Profile
    • pfSense
Re: NAT drops SIP registration over time
« Reply #1 on: July 24, 2006, 02:47:49 pm »
Try to monitor the state of the voipphone via the shell menu (pftop). Does the state not renew it's expiration time? If not the phone doesn't contact the asterisk or viceversa when idle. In that case you might want to use a firewallrule with some advanced options to set a higher statetimeout or set the whole firewall to conservative optimization (at system>advanced).

Offline mastermindpro

  • Full Member
  • ***
  • Posts: 133
  • Karma: +0/-0
    • View Profile
Re: NAT drops SIP registration over time
« Reply #2 on: July 24, 2006, 03:04:28 pm »
In monitoring with pftop, I get multiple connections betwixt the phone and Asterisk...all listed in state MULTIPLE:MULTIPLE.  I don't know how to determine anything beyond that, but I have set optimization to conservative.  Reading the description for that makes it sound like it will fix the problem.

Time will tell.

Offline mastermindpro

  • Full Member
  • ***
  • Posts: 133
  • Karma: +0/-0
    • View Profile
Re: NAT drops SIP registration over time
« Reply #3 on: July 24, 2006, 03:28:19 pm »
Wow...that didn't take long to tell if it worked or not.

It didn't work.  ;D

The NAT mapping was completely gone from the pftop output.  Do I need to modify the outbound NAT rules or the firewall rules (or both) to increase the state time as you suggest?


Offline hoba

  • Hero Member
  • *****
  • Posts: 5837
  • Karma: +8/-0
  • What was the problem to this solution again?
    • View Profile
    • pfSense
Re: NAT drops SIP registration over time
« Reply #4 on: July 24, 2006, 03:52:17 pm »
Only firewallrules.