Joined: Jun 2006
Posts: 3,004 Likes: 4
Moderator-Samsung
What lines do you have? Are the handsets on the system DGP or IP?
Joined: Jan 2010
Posts: 184
Member
OP
White list seems fine. Also using mainly DGP, one or two onsite IP phones that work fine, and they are using an ISDN line, but the problem happens with internal calls and to VM as well, not just external calls. Firewall guys are doing a trace for me early next week.
Joined: Jan 2010
Posts: 184
Member
OP
Hey, this is still going on. The firewall people can see the problem, just can't seem to fix it. Anyone had a problem like this before or know a fix? Below is their response; I have also put their NAT settings at the end.
In short the firewall is seeing duplicate flows and dropping them due to the way we have NATted the traffic. Attached is how we have configured the firewall for the NATs; this is so calls can be made both outbound from the school and also inbound, so you can take a phone anywhere and still get calls.
Is the NAT configuration how you would expect it to be configured? Is there any other way we can design the VoIP system to avoid duplicate flows?
I reviewed the data you uploaded and I found that the problem is related to the NAT design. Flow basic logs show that sessions on port 6000 and also on other ports (e.g. 30018) failed to be installed because duplicate flows were detected.
== 2016-11-14 13:44:18.346 +0000 ==
Packet received at slowpath stage
Packet info: len 60 port 16 interface 16 vsys 2
  wqe index 161389 packet 0x0x80000004146e88e6
Packet decoded dump:
L2:  00:1e:49:f4:5c:1a->00:1b:17:00:01:10, type 0x0800
IP:  92.234.10.74->195.246.109.113, protocol 17
     version 4, ihl 5, tos 0x00, len 42,
     id 395, frag_off 0x4000, ttl 50, checksum 44700
UDP: sport 6000, dport 6000, len 22, checksum 26650
Session setup: vsys 2
Allocated new session 89604.
destination translation 195.246.109.113/6000 => 10.16.149.3/6000
DP0 is selected to process this session.
Created session, enqueue to install
Duplicate flows detected while inserting 179209, flow 2471112 with the same key<<<<<<<<<
A session is a combination of two flows, client to server (c2s) and server to client (s2c). As per the above packet, two flows need to be installed:
c2s: 92.234.10.74/6000->195.246.109.113/6000
s2c: 10.16.149.3/6000->92.234.10.74/6000
As per the log, the firewall detected that the flow with id 179209 matches an existing flow. The flow with id 179209 is the s2c flow (session*2+1). So basically there is another session with c2s as 10.16.149.3/6000->92.234.10.74/6000 and a different s2c. My understanding of the traffic flow is that packets from 10.16.149.3/600 to 92.234.10.74/600 are expected because VoIP calls can be triggered from outside to inside and the other way around.
Traffic from 10.16.149.3/600 to 92.234.10.74/600 is also NATed as per rule Cathedral School Voice Outbound. Hence when the traffic is initiated from 10.16.149.3 the following two flows are created:
c2s: 10.16.149.3/6000->92.234.10.74/6000
s2c: 92.234.10.74/6000->195.246.109.113/X
I reviewed the flow basic logs and the same thing is happening on port 30018.
To make it work you need to change your NAT design so that the flows of sessions initiated from outside do not match any flow of a session initiated from inside.
NAT #1
  Source: Internet (Any Address)
  Destination: 195.246.109.113
  NAT Address: 10.16.149.3
  Ports: UDP 5090, TCP 5180, UDP 6000, UDP 9000-9001
NAT #2
  Source: Internet (Any Address)
  Destination: XXX.XXX.XXX.XXX
  NAT Address: 10.16.149.4
  Ports: UDP 30000-30032, UDP 40000-40128
NAT #3
  Source: Internet (Any Address)
  Destination: XX.XXX.XXX.XXX
  NAT Address: 10.16.149.5
  Ports: TCP 6000-6002, UDP 30033-30035
NAT #4
  Source: 10.16.149.3, 10.16.149.4, 10.16.149.5
  Destination: Internet (Any Address)
  NAT Address: XXX.XXX.XXX.XXX
  Ports: Any Port
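The duplicate-flow collision the firewall team describes above, worked through in a small flow-table model. This is an added example, not code from the thread or from the firewall team; the addresses and port 6000 are taken from the post, and the port-preserving case (simulate(6000), a static source NAT that keeps the PBX's source port on the public IP) is an assumption used only to illustrate what a NAT design that avoids the collision looks like, not the fix the thread settled on.

```python
# Added example (not from the thread or the firewall vendor): a toy flow table
# keyed like a stateful firewall's, showing why the post's NAT design collides.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One direction of a UDP session, as the packet arrives at the firewall."""
    src: str
    sport: int
    dst: str
    dport: int

class DuplicateFlow(Exception):
    """A new session's flow key is already owned by another session."""

class FlowTable:
    def __init__(self):
        self.flows = {}  # Flow -> session id
        self.next_id = 1

    def lookup(self, flow):
        return self.flows.get(flow)

    def install(self, c2s, s2c):
        """Install both flows of a session; a duplicate key fails the whole install."""
        for f in (c2s, s2c):
            if f in self.flows:
                raise DuplicateFlow(f"{f} already belongs to session {self.flows[f]}")
        sid, self.next_id = self.next_id, self.next_id + 1
        self.flows[c2s] = self.flows[s2c] = sid
        return sid

# Addresses and port taken from the post.
PUBLIC, PBX, PHONE, PORT = "195.246.109.113", "10.16.149.3", "92.234.10.74", 6000

def simulate(outbound_snat_port):
    """PBX sends first (outbound, source-NATed to PUBLIC:outbound_snat_port), then
    the remote phone sends to PUBLIC:6000. Returns how that inbound packet fares."""
    table = FlowTable()
    # Outbound session (rule NAT #4): c2s is the pre-NAT packet, s2c the expected reply.
    table.install(Flow(PBX, PORT, PHONE, PORT), Flow(PHONE, PORT, PUBLIC, outbound_snat_port))
    inbound = Flow(PHONE, PORT, PUBLIC, PORT)
    if table.lookup(inbound) is not None:
        return "matched"  # reply to the existing session, no new session needed
    # No match, so the firewall builds a new inbound session (rule NAT #1, DNAT to the PBX)
    try:
        table.install(inbound, Flow(PBX, PORT, PHONE, PORT))
        return "installed"
    except DuplicateFlow:
        return "duplicate"  # new session's s2c == existing session's c2s, as in the log
```

With the post's any-port source NAT (NAT #4) the phone's packet to 6000 never matches the outbound session's s2c flow, so the firewall builds a second session whose s2c key equals the first session's c2s key, which is the "Duplicate flows detected" line in the log.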
Joined: Jun 2006
Posts: 3,004 Likes: 4
Moderator-Samsung
You say
"Attached is how we have configured the firewall for the NATs, this is so calls can be made both outbound from the school and also inbound so you can take a phone anywhere and still get calls"
What do you mean by take a phone anywhere and still get calls?
Are the local ip phones configured with the public ip address of the system?
If so then you have what's called hairpinning (or loopback). Some firewalls don't like that/can't handle it. This looks to be your issue from what the firewall guys are saying.
Why do the phones need to be setup like this? Do they take the phones offsite and then bring them back again?
Joined: Jan 2010
Posts: 184
Member
OP
Hi
The phones are configured with the public IP and only used remotely.
I know what you mean about trying to use a phone with a public IP on your local LAN; I have had that before when customers have brought their phones back into the office.
But these are just set up like you would expect a remote phone to be.
Joined: Jun 2006
Posts: 3,004 Likes: 4
Moderator-Samsung
It almost sounds like the remote site uses the main site for its internet connection. Is there a VPN or something between the sites?
Joined: Jan 2010
Posts: 184
Member
OP
No, I have tried it on a few sites, even taken it home, and it's the same there also.
Joined: Dec 2010
Posts: 681
Member
Here is a silly question. Do you have the public IP set up in both cards and have it all set to pri w/ public? Just covering all the bases here.
Joined: Jan 2010
Posts: 184
Member
OP
Hi
Yes, that's all correct. I have sent my DB to Samsung and they have checked it over and it all looks good. I am doing some Wireshark traces tomorrow to send to them.
Joined: Jan 2005
Posts: 340
Member
I have run into this issue before. Phone works at my office just fine, but when it got to the customer's there was no audio. I know this sounds weird, but I had to open ports on the remote side of the customer's router. I would assign a static internal IP address on the phone and then have to open ports on the remote router to that IP address. Try walking a user through that in another state. For what it's worth, my problem was with Comcast at the remote end.