SonicWall - VoIP.ms Wiki

SonicWall

From VoIP.ms Wiki

Jump to: navigation, search

Author: James A. Russo jr@halo3.net / Halo3 Consulting, LLC

Synopsis:

When using a SonicWALL and a PBX behind that SonicWALL, some of the inbound SIP connections may get refused because the SonicWALL is quick to timeout the UDP sessions on the firewall. This will result in being unable to register through it or a situation where some incoming calls connect just fine, but then others just a minute or so later would timeout and never connect.

In our configuration we are using a TZ-210 running SonicOS Enhanced 5.8.1.13-1o. However, the same configuration can likely be done on various SonicWALL devices.

We were able to determine what was happening by watching the logs on the Sonicwall where would find dropped UDP packets originating from the VOIP.MS server on port 5060 to our WAN ip address on some various UDP port .

Solution:

The solution will be to add a firewall rule from LAN->WAN which will apply to the Internal LAN PBX IP to the Address group of the VOIP.MS servers. This will be an Allow Firewall rule, but more importantly will define the UDP session timeout to be 500 seconds (vs the normal 30 seconds).

Step 1: Creating the Address Objects

Create the address object for all the various VOIP.MS servers you may connect to. You should list your primary servers and any secondary servers you may connect to. You don’t want to fail over to a secondary server and then have to remember to modify your firewall rules.

These will be on the WAN zone, and should be FQDN objects. We do this so that if the IP address of the voip.ms server should ever change, the rule will still work.

Repeat this for any other VOIP.MS servers you may connect to.


SonicWall.png

















Step 2: Create the Address Group Objects

Create an Address Group Object that will contain all of the addresses you defined in Step 1. This will be the actual object we will use in the firewall rule.

SonicWall2.png


















Step 3: Create Address Object for the PBX which is behind the SonicWALL.

This step is technically optional, as in the firewall rule you could always just apply this firewall rule from ANY host in the network to the VOIP.MS servers. By including this rule, the UDP timeout will only be extended for sessions created from the PBX to the VOIP.MS servers. I am not convinced that this is really necessary or enhances security that much. In our configuration we have one PBX internally behind the SonicWALL. If you have many phones behind the SonicWALL, you may want to just skip this step and specify ANY as the source address in Step 4 below.

SonicWall3.png















Step 4: Create the Firewall Rule

In this step you will create the firewall rule that will allow access from LAN -> WAN and also adjust the specific UDP timeout. This is a redundant rule as there is already a firewall rule that permits LAN -> WAN. However, that rule will include the 30-second UDP timeout that is the actual cause of the problem.

SonicWall4.png





















Once you have setup the rule, click on the Advanced tab and adjust the UDP timeout value to something like 300 seconds ( 5 minutes). This should prevent the SonicWALL from dropping the INVITE sip packets which arrive more than 30 seconds since the last outgoing SIP packet to the VOIP.MS server.

SonicWall5.png
Personal tools
Namespaces
Variants
Actions
VoIP.ms Wiki
Configuration
Guides (English)
Guides (Français)
Guías (Español)
Toolbox