James Lamanna
2010-Mar-27 15:17 UTC
[asterisk-users] Cisco 7960 become UNREACHABLE behind pix firewall
Hi,

I have about 10 Cisco 7960s behind a PIX 506E (IOS v6.3) firewall. After some period of time, asterisk says that some of them are unreachable, and the phones lose their registration. The only way to make the phones recover is to clear the NAT translation tables for the phones on the PIX (clear xlate...)

Does anyone know how to fix this? As you can imagine, it is quite annoying. And it does not happen to all the phones either.

sip fixup is enabled on the PIX

phone config parts:

nat_enable : 1
nat_received_processing : 0
nat_address: [public ip of PIX]

Thank you.

-- James
(Please CC me on all replies)
Alyed
2010-Mar-28 00:28 UTC
[asterisk-users] Cisco 7960 become UNREACHABLE behind pix firewall
From: http://www.voip-info.org/wiki/view/Asterisk+sip+qualify

"If you turn on *qualify* in the configuration of a SIP device in sip.conf <http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf>, Asterisk will send a SIP OPTIONS <http://www.voip-info.org/wiki/view/SIP+method+options> command regularly to check that the device is still online. If the device does not answer within the configured (or default) period (in ms) Asterisk considers the device off-line for future calls. This status can be checked by the SIPPEER function <http://www.voip-info.org/wiki/view/Asterisk+func+sippeer>, and inversely this function will only provide status information for peers which have *qualify=yes*."

My guess is that your Nat/firewall is closing the connection after some time the phone is idle, so this way Asterisk will make sure to always have communication going through that connection so your NAT/firewall won't just close it.

Try playing with qualifyfreq as well.

Let us know if it helped.

Alyed

2010/3/27 James Lamanna <jlamanna at gmail.com>

> Hi,
> I have about 10 Cisco 7960s behind a PIX 506E (IOS v6.3) firewall.
> After some period of time, asterisk says that some of them are
> unreachable, and the phones lose their registration.
> The only way to make the phones recover is to clear the NAT
> translation tables for the phones on the PIX (clear xlate...)
> Does anyone know how to fix this? As you can imagine, it is quite
> annoying. And it does not happen to all the phones either.
>
> sip fixup is enabled on the PIX
>
> phone config parts:
>
> nat_enable : 1
> nat_received_processing : 0
> nat_address: [public ip of PIX]
>
> Thank you.
>
> -- James
> (Please CC me on all replies)
James Lamanna
2010-Mar-29 02:09 UTC
[asterisk-users] Cisco 7960 become UNREACHABLE behind pix firewall
Alyed wrote:

> From: http://www.voip-info.org/wiki/view/Asterisk+sip+qualify
> "If you turn on *qualify* in the configuration of a SIP device in
> sip.conf <http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf>,
> asterisk will send a SIP
> OPTIONS <http://www.voip-info.org/wiki/view/SIP+method+options> command
> regularly to check that the device is still online. If the device
> does not answer within the configured (or default) period (in ms) Asterisk
> considers the device off-line for future calls. This status can be checked
> by the SIPPEER function <http://www.voip-info.org/wiki/view/Asterisk+func+sippeer>,
> and inversely this function will only provide status information for peers
> which have *qualify=yes*."
> My guess is that your Nat/firewall is closing the connection after some time
> the phone is idle, so this way Asterisk will make sure to always have
> communication going through that connection so your NAT/firewall won't just
> close it.

Sorry, should have mentioned that all these phones have qualify=yes and nat=yes in sip.conf.

Thanks.

-- James

> On Sat, Mar 27, 2010 at 8:17 AM, James Lamanna <jlamanna at gmail.com> wrote:
>> Hi,
>> I have about 10 Cisco 7960s behind a PIX 506E (IOS v6.3) firewall.
>> After some period of time, asterisk says that some of them are
>> unreachable, and the phones lose their registration.
>> The only way to make the phones recover is to clear the NAT
>> translation tables for the phones on the PIX (clear xlate...)
>> Does anyone know how to fix this? As you can imagine, it is quite
>> annoying. And it does not happen to all the phones either.
>>
>> sip fixup is enabled on the PIX
>>
>> phone config parts:
>>
>> nat_enable : 1
>> nat_received_processing : 0
>> nat_address: [public ip of PIX]
Troy Davis
2010-Mar-29 05:25 UTC
[asterisk-users] Cisco 7960 become UNREACHABLE behind pix firewall
> I have about 10 Cisco 7960s behind a PIX 506E (IOS v6.3) firewall.
> After some period of time, asterisk says that some of them are
> unreachable, and the phones lose their registration.
> The only way to make the phones recover is to clear the NAT
> translation tables for the phones on the PIX (clear xlate...)
> Does anyone know how to fix this? As you can imagine, it is quite
> annoying. And it does not happen to all the phones either.
>
> sip fixup is enabled on the PIX

Are you able to TFTP new phone configs? Assuming so, and it's for only 10 phones, try decreasing the registration time. I've got a 7960 on my desk and documented it with a TFTP-ready config:

http://help.cloudvox.com/faqs/sip-phones/cisco-7900-ip-phone

It's at the end, commented out. I don't think that config's been used much - most Cloudvox folks are just using SIP to test their AGI apps, not as primary phones.

If you want another data point that still crosses your NAT boundary, feel free to sign up for and register with Cloudvox and see whether your registration lasts, using that same config. We switched to pay-as-you-go pricing, so even the free accounts include SIP. If your registrations to Cloudvox also time out, it's probably the PIX.

Troy

--
Cloudvox -- http://cloudvox.com/
"Asterisk in the cloud" -- AGI, HTTP/JSON, SIP, REST, live in minutes
Warren Selby
2010-Mar-29 05:55 UTC
[asterisk-users] Cisco 7960 become UNREACHABLE behind pix firewall
On Mon, Mar 29, 2010 at 12:25 AM, Troy Davis <troy at yort.com> wrote:

>> sip fixup is enabled on the PIX

Try disabling the sip fixup on the PIX and see if that helps. You may have to adjust the configs on the phones themselves when you do this.

--
Thanks,
--Warren Selby
http://www.selbytech.com