asterisk users - Oct 2008 - Sonicwall potentially causing long ping times to SIP phones

Hi,
I'm having an issue where some phones behind a sonicwall are
auto-congesting.
The status on "sip show peer" shows ping times anywhere from 80ms all
the way up to 1100ms.
PCs behind the same firewall have a ping time of about 30ms to the PBX itself.

Does anyone know if the sonicwall is inserting delay into the SIP
signaling path and lagging the OPTIONS messages for qualify?

Thanks.

-- James

Sonicwalls from the TZ line and before line do seem to have a number of
issues with VoIP.  

Jeff Johnson
Director of Operations
NeturallySpeaking, LLC
sip://jjohnson at neturallyspeaking.com
http://www.neturallyspeaking.com


-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of James
Lamanna
Sent: Wednesday, October 22, 2008 2:35 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] Sonicwall potentially causing long ping times
toSIP phones

Hi,
I'm having an issue where some phones behind a sonicwall are
auto-congesting.
The status on "sip show peer" shows ping times anywhere from 80ms all
the way up to 1100ms.
PCs behind the same firewall have a ping time of about 30ms to the PBX
itself.

Does anyone know if the sonicwall is inserting delay into the SIP
signaling path and lagging the OPTIONS messages for qualify?

Thanks.

-- James

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

No virus found in this incoming message.
Checked by AVG - http://www.avg.com 
Version: 8.0.173 / Virus Database: 270.8.2/1737 - Release Date:
10/21/2008 9:10 AM


This email and any attached files are confidential and intended solely for the
intended recipient(s). If you are not the named recipient you should not read,
distribute, copy or alter this email. Any views or opinions expressed in this
email are those of the author and do not represent those of the  company.
Warning: Although precautions have been taken to make sure no viruses are
present in this email, the company cannot accept responsibility for any loss or
damage that arise from the use of this email or attachments.

I had weird issues when using a Sonicwall, gave up. Stuck in linksys running
dd-wrt firmware running on a separate VLAN... no issues since

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of James Lamanna
Sent: Wednesday, October 22, 2008 12:35 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] Sonicwall potentially causing long ping times
toSIP phones

Hi,
I'm having an issue where some phones behind a sonicwall are
auto-congesting.
The status on "sip show peer" shows ping times anywhere from 80ms all
the way up to 1100ms.
PCs behind the same firewall have a ping time of about 30ms to the PBX
itself.

Does anyone know if the sonicwall is inserting delay into the SIP
signaling path and lagging the OPTIONS messages for qualify?

Thanks.

-- James

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Craig Van Ham wrote:
> I had weird issues when using a Sonicwall, gave up.
Same here, avoid them! I use the SnapGear SG560 now.

- Mike

Sorry for asking the obvious question, but are there other elements of 
the slow path besides the Sonicwall? I mean, what is "in front" of the
Sonicwall? Also, might the Sonicwall be positioned as some kind of choke 
point in the topology, thus leading to genuine sporadic congestion?

James Lamanna wrote:
> Date: Wed, 22 Oct 2008 11:35:12 -0700
> From: "James Lamanna" <jlamanna at gmail.com>
> Subject: [asterisk-users] Sonicwall potentially causing long ping
> 	times to	SIP phones
> Hi,
> I'm having an issue where some phones behind a sonicwall are
auto-congesting.
> The status on "sip show peer" shows ping times anywhere from 80ms
all
> the way up to 1100ms.
> PCs behind the same firewall have a ping time of about 30ms to the PBX
itself.
>
> Does anyone know if the sonicwall is inserting delay into the SIP
> signaling path and lagging the OPTIONS messages for qualify?
>
> Thanks.
>
> -- James
>
>
>   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3234 bytes
Desc: S/MIME Cryptographic Signature
Url :
http://lists.digium.com/pipermail/asterisk-users/attachments/20081023/22d58cc3/attachment.bin

Bill Michaelson wrote:
> Sorry for asking the obvious question, but are there other elements of
> the slow path besides the Sonicwall? I mean, what is "in front"
of the
> Sonicwall? Also, might the Sonicwall be positioned as some kind of choke
> point in the topology, thus leading to genuine sporadic congestion?
>
The device in front of the SonicWall is a Cisco Router.
Ping times to the ethernet interface of the router are good (~10ms).
Also, having a user behind the SonicWall ping the PBX results in an
average 20-30ms ping time.
So it seems as though the lag is specific to SIP signaling
(specifically the OPTIONS requests that asterisk qualify sends out).

Unfortunately I can't really ask the client to dump their SonicWall
(which we do not manage).
On the SonicWall, I know it is configured for "Consistent NAT" and
"SIP Transformations" are disabled.

-- James
>On Wed, Oct 22, 2008 at 11:35 AM, James Lamanna <jlamanna at
gmail.com> wrote:
>> Hi,
>> I'm having an issue where some phones behind a sonicwall are
auto-congesting.
>> The status on "sip show peer" shows ping times anywhere from
80ms all
>> the way up to 1100ms.
>> PCs behind the same firewall have a ping time of about 30ms to the PBX
itself.
>>
>> Does anyone know if the sonicwall is inserting delay into the SIP
>> signaling path and lagging the OPTIONS messages for qualify?
>>
>> Thanks.
>>
>> -- James
>>

Kristian Kielhofner wrote:
> On 10/23/08, Bruce Komito <brucek at bagel.com> wrote:
>   
>> > We've had LOTS of problems with Sonicwalls doing bad things to
SIP and RTP
>> >  connections.  I've seen the delay thing, as well as the
Sonicwall throwing
>> >  away entries from the ARP table because of inactivity.  I've
also seen
>> >  sporadic, intermittent problems with transfer from one phone to
another.
>> >  I have no doubt that a new, properly configured Sonicwall can be
made to
>> >  function properly in a VoIP environment, but we are not Sonicwall
experts,
>> >  nor are many of the purported experts.  In every case where
we've had
>> >  problems with VoIP behind a Sonicwall, the problems ALL disappear
when we
>> >  put the phones on a LAN segment that does not pass through the
Sonicwall.
>> >  So, now that's our going in position.  If it works, great,
but if it
>> >  doesn't, our solution is to take the Sonicwall out of the
picture.
>> >
>> >  My $.02 .
>> >
>> >  Bruce Komito
>> >  WPTI Telecom
>> >  (775) 236-5815
>> >
>>     
> I wouldn't single out SonicWalls when it comes to breaking SIP 
> traffic. Most of the "anything but simple PAT" devices I've
seen that
> implement any SIP specific fixups usually end up breaking something 
> along the line. Unless the product is from a company where SIP is 
> their core competency (like Ingate, or /maybe/ Cisco) it's best to 
> stay away and/or disable the SIP specific fixups wherever possible. 
> I'm looking forward to the day when SIP-TLS is the norm and these 
> devices have no idea what kind of traffic is flowing through them!
> -
I sympathize, especially since a client of mine is facing the same 
situation. A potential update to their configuration involves exactly 
what you (Kristian) suggest: layering TLS in-between. I've run SIP/RTP 
and IAX over openVPN without issue routinely. What worries me is that 
the problem is not related to SIP awareness, and that some erratic 
performance by the Sonicwall that is benign in most circumstances 
manifests as a quality issue when carrying media streams. Seems 
unlikely, but does anybody have any clarity on this?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20081024/7aba25a4/attachment.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3234 bytes
Desc: S/MIME Cryptographic Signature
Url :
http://lists.digium.com/pipermail/asterisk-users/attachments/20081024/7aba25a4/attachment.bin

[This email is either empty or too large to be displayed at this time]