
Business Phone Systems

Joined: Jun 2006
Posts: 3,004
Likes: 4
Moderator-Samsung
What lines do you have?
Are the handsets on the system DGP or IP?


Joined: Jan 2010
Posts: 184
Lacota Offline OP
Member
White list seems fine. Also using mainly DGP, one or two onsite IP phones that work fine, and they are using an ISDN line, but the problem happens with internal calls and to VM as well, not just external calls. Firewall guys are doing a trace for me early next week.

Joined: Jan 2010
Posts: 184
Lacota Offline OP
Member
Hey

This is still going on. The firewall people can see the problem but just can't seem to fix it. Has anyone had a problem like this before or know a fix? Below is their response; I also put their NAT settings at the end.

In short the firewall is seeing duplicate flows and dropping them due to the way we have NATted the traffic. Attached is how we have configured the firewall for the NATs, this is so calls can be made both outbound from the school and also inbound so you can take a phone anywhere and still get calls

Is the NAT configuration how you would expect it to be configured? Is there any other way we can design the VOIP system to avoid duplicate flows?



I reviewed the data you uploaded and I found that the problem is related to the NAT design. Flow basic logs show that sessions on port 6000 and also on other ports (e.g. 30018) failed to be installed because of duplicate flows being detected.

== 2016-11-14 13:44:18.346 +0000 ==
Packet received at slowpath stage
Packet info: len 60 port 16 interface 16 vsys 2
wqe index 161389 packet 0x0x80000004146e88e6
Packet decoded dump:
L2: 00:1e:49:f4:5c:1a->00:1b:17:00:01:10, type 0x0800
IP: 92.234.10.74->195.246.109.113, protocol 17
version 4, ihl 5, tos 0x00, len 42,
id 395, frag_off 0x4000, ttl 50, checksum 44700
UDP: sport 6000, dport 6000, len 22, checksum 26650
Session setup: vsys 2
Allocated new session 89604.
destination translation 195.246.109.113/6000 => 10.16.149.3/6000
DP0 is selected to process this session.
Created session, enqueue to install
Duplicate flows detected while inserting 179209, flow 2471112 with the same key<<<<<<<<<

A session is a combination of two flows, client to server (c2s) and server to client (s2c). As per the above packet, two flows need to be installed.
c2s: 92.234.10.74/6000->195.246.109.113/6000
s2c: 10.16.149.3/6000->92.234.10.74/6000

As per the log, the firewall detected that the flow with id 179209 matches an existing flow. The flow with id 179209 is the s2c flow (session*2+1). So basically there is another session with c2s as 10.16.149.3/6000->92.234.10.74/6000 and a different s2c.
My understanding of the traffic flow is that packets from 10.16.149.3/600 to 92.234.10.74/600 are expected because VoIP calls can be triggered from outside to inside and the other way around.

Traffic from 10.16.149.3/600 to 92.234.10.74/600 is also NATed as per rule Cathedral School Voice Outbound. Hence when the traffic is initiated from 10.16.149.3 the following two flows are created.

c2s 10.16.149.3/6000->92.234.10.74/6000
s2c 92.234.10.74/6000->195.246.109.113/X

I reviewed the flow basic logs and the same thing is happening on port 30018.

To make it work you need to change your NAT design in order to avoid the flow of sessions initiated from outside matching one of the flows of sessions that are initiated from inside.

NAT #1
Source: Internet (Any Address)
Destination: 195.246.109.113
NAT Address: 10.16.149.3
Port:
UDP – 5090
TCP – 5180
UDP – 6000
UDP – 9000 – 9001

NAT #2
Source: Internet (Any Address)
Destination: XXX.XXX.XXX.XXX
NAT Address: 10.16.149.4
Port:
UDP – 30000 – 30032
UDP – 40000 - 40128

NAT #3
Source: Internet (Any Address)
Destination: XX.XXX.XXX.XXX
NAT Address: 10.16.149.5
Port:
TCP – 6000 - 6002
UDP – 30033 - 30035


NAT #4
Source: 10.16.149.3, 10.16.149.4, 10.16.149.5
Destination: Internet (Any Address)
NAT Address: XXX.XXX.XXX.XXX
Port: Any Port
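
The duplicate-flow condition described in the firewall engineer's reply above, as an added example that is not part of the original post or any vendor code: a simplified flow table keyed on protocol and address/port pairs, using the quoted session*2 / session*2+1 flow numbering. Session id 1235556 is inferred from flow id 2471112 in the log under that numbering, and source-NAT port 41022 is a constructed stand-in for the "X" in the reply.

```python
from typing import NamedTuple

class Key(NamedTuple):          # simplified flow key (real firewalls also key on zone)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class DuplicateFlow(Exception):
    def __init__(self, new_id, existing_id):
        super().__init__(f"Duplicate flows detected while inserting {new_id}, "
                         f"flow {existing_id} with the same key")
        self.new_id, self.existing_id = new_id, existing_id

class FlowTable:
    def __init__(self):
        self.flows = {}         # Key -> flow id

    def install(self, session_id, c2s, s2c):
        """Install both flows of a session, or neither if either key exists."""
        pairs = ((session_id * 2, c2s), (session_id * 2 + 1, s2c))
        for flow_id, key in pairs:
            if key in self.flows:
                raise DuplicateFlow(flow_id, self.flows[key])
        for flow_id, key in pairs:
            self.flows[key] = flow_id

PBX, PUBLIC, PHONE = "10.16.149.3", "195.246.109.113", "92.234.10.74"
SNAT_PORT = 41022               # constructed value for the "X" port

def outbound(table, session_id):
    # PBX initiates; the outbound rule source-NATs it to the public address.
    table.install(session_id,
                  Key("udp", PBX, 6000, PHONE, 6000),
                  Key("udp", PHONE, 6000, PUBLIC, SNAT_PORT))

def inbound(table, session_id):
    # Remote phone initiates; NAT #1 translates PUBLIC:6000 to PBX:6000,
    # so the reply-direction key is PBX:6000 -> PHONE:6000.
    table.install(session_id,
                  Key("udp", PHONE, 6000, PUBLIC, 6000),
                  Key("udp", PBX, 6000, PHONE, 6000))

def reproduce():
    table = FlowTable()
    outbound(table, 1235556)    # existing session started from inside
    try:
        inbound(table, 89604)   # session id from the log above
    except DuplicateFlow as e:
        return e.new_id, e.existing_id
    return None
```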

Joined: Jun 2006
Posts: 3,004
Likes: 4
Moderator-Samsung
You say

"Attached is how we have configured the firewall for the NATs, this is so calls can be made both outbound from the school and also inbound so you can take a phone anywhere and still get calls"

What do you mean by take a phone anywhere and still get calls?

Are the local ip phones configured with the public ip address of the system?

If so then you have what's called hairpinning (or loopback). Some firewalls don't like that/can't handle it. This looks to be your issue from what the firewall guys are saying.

Why do the phones need to be set up like this? Do they take the phones offsite and then bring them back again?

Joined: Jan 2010
Posts: 184
Lacota Offline OP
Member
Hi

The phones are configured with the public IP and only used remotely.

I know what you mean when you try to use a phone with a public IP on your local LAN. I have had that before when customers have brought their phones back in to the office.

But these are just set up like you would expect a remote phone to be.

Joined: Jun 2006
Posts: 3,004
Likes: 4
Moderator-Samsung
It almost sounds like the remote site uses the main site for its internet connection. Is there a VPN or something between the sites?

Joined: Jan 2010
Posts: 184
Lacota Offline OP
Member
No, I have tried it on a few sites, even taken it home, and it's the same there also.

Joined: Dec 2010
Posts: 681
Member
Here is a silly question. Do you have the public IP setup in both cards and have it all set to pri w/ public? Just covering all the bases here.

Joined: Jan 2010
Posts: 184
Lacota Offline OP
Member
Hi

Yes, that's all correct. I have sent my DB to Samsung and they have checked it over and it all looks good. I am doing some Wireshark traces tomorrow to send to them.

Joined: Jan 2005
Posts: 340
Member
I have run into this issue before. Phone works at my office just fine, but when it got to the customer's there was no audio. I know this sounds weird but I had to open ports on the remote side of the customer's router. I would assign a static internal IP address on the phone and then have to open ports on the remote router to that IP address. Try walking a user through that in another state. For what it's worth my problem was with Comcast at the remote end.


Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024