Troubleshooting: Issues with an Asterisk Installation with SIP Trunk behind a Sonicwall TZ100 Router.


The usual problem is one-way communication through the router on one trunk, or a related issue. To solve it, follow these general rules:

1. Set the UDP timeout to 90 sec or more.

2. Do not use SIP transformations (VoIP section), and modify the NAT behaviour.

3. Forward all the necessary ports to the PBX in the LAN.


How to Configure the Sonicwall TZ100.

1. Click on Firewall Settings

2. Click on Advanced

3. Modify the field “Default UDP Connections Timeout (seconds)”.



All the UDP connections related to new rules added to Sonicwall will have this value.

4. Click on Firewall

5. Click on “Access Rules”, then LAN>WAN, then Edit.

6. Modify the field “Default UDP Connections Timeout (seconds)” in the rule LAN->WAN.


 


Note: All the UDP connections related to outbound traffic will be treated by the Sonicwall with this value.

7. Click on VoIP, then Settings.

8. Check the flag “Enable Consistent NAT” and uncheck the flag “Enable SIP Transformations”.



Address translation (NAT) involves rewriting the source port before sending the packet to the WAN, so that the NAT device can keep track of connections; for reliable two-way communication, the same rewriting must always be used. For example, say your internal Asterisk server sends a registration message using source and destination ports of 5060/UDP to your SIP trunk provider’s server on the other side of the NAT device: the NAT software inside the Sonicwall will rewrite the source port to some random unused port number, like 14001/UDP. The provider’s server will note your source port so that it can contact your server when a call comes in (receiving a call). If you want to receive calls from the provider, you must ensure that port 14001 stays associated with port 5060/UDP on your internal Asterisk server. To get this behaviour on the Sonicwall, set the flag “Enable Consistent NAT”.

Asterisk uses UDP for SIP, which is connectionless, so the association between the two ports (5060-14001) is kept only for a certain time, because there is no way to know whether the connection has terminated. The association is therefore maintained until a timeout: the default in Sonicwall is 30s, less than the Asterisk default SIP registration refresh period of 60 seconds! We have increased this value to more than the registration refresh period (90s).

Note: It is possible to change the Asterisk registration refresh period too, but I prefer this solution (change the configuration of Sonicwall).
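The interaction between the UDP timeout, the registration refresh period and Consistent NAT can be checked with a small model. This is an added example, not code from the original article or from SonicOS: the UdpNat class, its sequential port allocation starting at 14001 and the two helper functions are assumptions made for illustration.

```python
class UdpNat:
    """Toy model of a NAT device's UDP binding table (not SonicOS code)."""

    def __init__(self, idle_timeout, consistent):
        self.idle_timeout = idle_timeout
        self.consistent = consistent
        self.bindings = {}      # (lan_ip, lan_port) -> [wan_port, last_seen]
        self.remembered = {}    # consistent NAT: endpoint -> WAN port it had before
        self.next_port = 14001  # sequential stand-in for "some unused port"

    def _expire(self, now):
        for lan, (_, seen) in list(self.bindings.items()):
            if now - seen > self.idle_timeout:
                del self.bindings[lan]

    def outbound(self, lan, now):
        """PBX sends a packet (e.g. REGISTER); returns the WAN source port used."""
        self._expire(now)
        if lan not in self.bindings:
            if self.consistent and lan in self.remembered:
                port = self.remembered[lan]
            else:
                port, self.next_port = self.next_port, self.next_port + 1
            self.remembered[lan] = port
            self.bindings[lan] = [port, now]
        self.bindings[lan][1] = now
        return self.bindings[lan][0]

    def inbound(self, wan_port, now):
        """Provider sends to wan_port; returns the LAN endpoint, or None if dropped."""
        self._expire(now)
        for lan, (port, _) in self.bindings.items():
            if port == wan_port:
                return lan
        return None


PBX = ("172.18.49.200", 5060)  # LAN address of the PBX used on this page


def inbound_call_delivered(idle_timeout, refresh, call_at, consistent=True):
    """Register at t=0 and every `refresh` s; the provider calls back at `call_at`."""
    nat, learned, t = UdpNat(idle_timeout, consistent), None, 0
    while t <= call_at:
        learned = nat.outbound(PBX, t)  # provider learns this source port
        t += refresh
    return nat.inbound(learned, call_at) == PBX


def ports_seen_by_provider(idle_timeout, refresh, count, consistent):
    """WAN source port of each of `count` successive registrations."""
    nat = UdpNat(idle_timeout, consistent)
    return [nat.outbound(PBX, i * refresh) for i in range(count)]
```

With a 30s timeout and a 60s refresh, a call arriving 45 seconds after a registration finds no binding and is dropped; with 90s the binding is still there. Without Consistent NAT, each registration after an expiry leaves the firewall from a different port.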

These changes are sufficient more often than not. For the unfortunate cases where they are not, you need to forward all the ports used by the SIP flow directly from the WAN to the PBX.

Next, we will redirect all the necessary ports to the PBX (5060/UDP and the range from 10000/UDP to 20000/UDP).

Firewall -> Service Objects

Create two new Custom Service Objects: PbxSipSegn & PbxSipStreamVoce.



Create one new Custom Service Group, and link the 2 Service Objects created before.


Firewall -> Address Objects.

Create one new Custom Address Object using the LAN IP of the PBX (in my case 172.18.49.200).



Firewall -> Access Rules

After creating the necessary objects, change the firewall rules: add a new WAN->LAN rule.



Network -> NAT Policies

The last step is to create the NAT policy.



Change the parameters in Asterisk: you must edit the sip_nat.conf file.

externip = <External ip address>

localnet = <Network address of the LAN network/Subnet Mask>

In the trunk configuration, you must add the following parameter:

nat = yes


