USG with site to site VPN drop calls after 30 seconds

timeshifter

Losing calls right around 30 seconds every time.

Two sites. Both with UniFi Security Gateways. Primary, original building, has a Ring-u hub which is a repackaged Asterisk system I believe. Phones are Grandstream. Everything in the primary building works fine with that system.

New building is connected via a Site to Site VPN that I set up using the UniFi interface with VPN Type AutoIPsec VTI. Currently have one phone at the new building. It works fine except that calls always drop around the 30 second mark. They can be intercom calls to the primary building or calls to outside numbers.

The phone is a Grandstream GXP1630. We’ve tried using TCP for SIP Transport. Also tried TLS/TCP. Default was UDP. Ring-u suggested to try TCP first as they thought UDP was timing out in the firewall.

On the USG firewall settings, under Settings - Routing & Firewall - Firewall - Settings under CONNTRACK MODULES I have SIP off and H.323 on. This is how it was set, have not changed anything there.

I tried setting STATE TIMEOUTS, UDP Other from 30 seconds to 28,800 but that didn’t seem to matter.

The Ring-u folks have been helpful, but I’d like to see if anyone here has any insights before I go back to them.

Thanks in advance!
 
Is everything being routed from the remote site or is it split dns?
Have you run a continuous ping in both directions?
I've never used Unifi for site to site with VoIP. The one time I had site to site with voip was a huge mess. Started with Fortigate but could not keep a reliable connection. After discussion with the VoIP vendor, switched to Cisco/Linksys which worked out just fine.
I'd check with Unifi to see if you have everything turned off that should be. Every time I've run into SIP "helpers" there's nothing but problems. Is the uplink at each site good enough, as in at least 15mb+
If the site isn't that complicated I'd try whipping up a couple of Untangle boxes using a couple of old pc's
 
I have run continuous pings when building and testing the connection, but not as a test of their own. But I'm pretty sure it's stable in that way. They also use the VPN connection for file shares.
Every time I've run into SIP "helpers" there's nothing but problems.
Where would these helpers reside? In the phone? In the USG?

I believe the connections at both locations, which are within a mile or so of each other, have 200/10 Internet from the same cable provider. There's presently only one phone at the second / new location.
 
Those "helpers" are rules/apps on routers.

Forgot to ask earlier, I'm guessing you can access the VoIP server from the remote location and everything else works fine like file sharing? I'd start by setting up the firewall allowing all ports through, disable anything else you did related to VoIP. In other words just a stock USG. I've never used the AutoIPSEC, just manual. Maybe give that a try. Another thought. Do you have the PBX configured to allow remote subnet?
 
The helpers are usually called "SIP/ALG Helper" on most firewalls, you stated they're already off (under the conntrack section). If on, they usually do more damage than good. But worth a quick test in this case.

How large a network on each end?
VoIP in a separate VLAN?

As much as I love Unifi hardware, I only use their gateways for the most basic of setups.....and if client needs a VPN of any sort...Unifi is out of the game, Untangle is in the game. Not fond of Unifi's VPN...be it remote/road warrior, or site to site.
 
can access the VoIP server from the remote location and everything else works fine like file sharing?
Yes
I'd start by setting up the firewall allowing all ports through
I had considered that, but I'm wary I might be opening up everything on the WAN side of things. I presume the firewall rules will be just for the VPN interface. I'll give that another look.
disable anything else you did related to VoIP. In other words just a stock USG.
Pretty much what I've got. Only changed a timeout I think then changed it back. Then I tried setting the sites up using OpenVPN but that didn't work, pretty sure I did it wrong - both sides can't be OpenVPN servers / clients at the same time. In fact, the USGs got stuck at Provisioning when I did that configuration. So I'm back to where I started.

As I mentioned, SIP is turned off under CONNTRACK but H.323 is on. Lots of recommendations to turn off H.323 out there, haven't tried that yet.
Do you have the PBX configured to allow remote subnet?
Don't know, but I'll look into that. Guess I was counting on the guys at Ring-u to have thought about that. Been working with them quite a bit on this issue.
How large a network on each end?
VoIP in a separate VLAN?
About 50 total devices on primary network where the PBX lives. Maybe 10 total devices at the new location. No VLAN.
 
I wonder if VLAN'ing the VoIP system may be worth a shot....cut down on chatter/broadcasts/traffic clogging up things for the VoIP.
Every client we have, we configured VoIP VLAN (#2) on the switches. No matter how small, it's just our standard practice. Enable LLDP-MED, and we create a VLAN for the VoIP. And in Unifi, I create switch port profiles for:
*Converged Data and Voice...this has POE on, to uplink to the phones which often also pass through to the PC
*Facing EdgeWater/PBX...no POE, usually untagging VLAN2 but depending on provider sometimes I'll have it converged with VLAN2 tagged.
*Sometimes an untagged vlan port with no POE for facing oddball devices like ATAs.
 
I turned off H.323 for both sites and waited about 40 minutes before testing a call. Nope.
 
Original location is 192.168.111.0. New location is 192.168.112.0. Thinking about testing this…

Turn off VPN.
Create new subnet or expand its scope so that 192.168.111.0 and 192.168.112.0 are local to the original location
Drive the phone over to the original location and plug it in and test.
 
Original location is 192.168.111.0. New location is 192.168.112.0. Thinking about testing this…

Turn off VPN.
Create new subnet or expand its scope so that 192.168.111.0 and 192.168.112.0 are local to the original location
Drive the phone over to the original location and plug it in and test.
The problem you are experiencing makes me think that it's related to the tunnel and settings. Doing the VPN tunnel automagically takes care of the traffic between two subnets. In theory what you're talking about would be a test, but it would still be valid. One thing I'd try is make the remote something totally different. Like try 172.16.10.x. And make sure the remote subnet is allowed on the PBX firewall.
 
Might need to start doing some packet captures on both sides to see what exactly is happening.
 
I've got those two phones arriving at my house tomorrow. I'm going to experiment a bit. I installed FreePBX but it looks a little more daunting than I imagined.
 
Grandstream phones have a PCAP function built in. You should be able to grab the admin credentials of the phone at the remote location from the PBX unless they leave it default admin/admin. Start the pcap on the phone then make a test call. Once the test call is completed, download the PCAP and open it with wireshark.

Under the telephony menu it will automatically build the voip streams and you should be able to see the request to end the connection.

Also when the calls drop is it a call being terminated or just audio going away but the call seems to stay connected?

I can do a test with my phone and post screenshots if you want. I’m posting from my cell phone now not near my stuff.
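The post above suggests capturing on the Grandstream and looking in Wireshark for "the request to end the connection". As an added example that is not from the thread or from any of its participants, the script below reconstructs one SIP call from a phone-side capture and reports which side sent the BYE and how long after the answer it arrived. The trace it parses is constructed (the addresses 192.168.112.20 for the remote phone and 192.168.111.10 for the PBX are assumed from the subnets named in the thread, not real hosts), and the line format is a simplified export of the SIP first line plus the CSeq header, not Wireshark's own output. It also goes one step beyond the thread: a far end that keeps retransmitting the 200 OK and then hangs up roughly 32 seconds after answering is the standard SIP sign that its ACK never arrived (RFC 3261 Timer H is 64*T1 = 32 s), which is the kind of pattern to look for when calls die at a fixed interval over a tunnel.

```python
"""Reconstruct a SIP call from a phone-side capture and report who ended it and when.

Added example, not from the forum thread. The trace below is CONSTRUCTED to
resemble a call from the remote-site phone to the PBX; the addresses are
assumed from the thread's subnets, not real hosts.
"""
import re
from dataclasses import dataclass

PHONE = "192.168.112.20"   # remote site phone (assumed address)
PBX = "192.168.111.10"     # primary site PBX (assumed address)

# Constructed sample: "<seconds> <src> <dst> <SIP first line> | CSeq: <n> <method>"
# The PBX answers at 2.5 s, keeps retransmitting 200 OK (it never saw the ACK),
# then sends BYE about 32 s later. Later retransmits are omitted for brevity.
SAMPLE_TRACE = """\
0.000 192.168.112.20 192.168.111.10 INVITE sip:201@192.168.111.10 SIP/2.0 | CSeq: 1 INVITE
0.015 192.168.111.10 192.168.112.20 SIP/2.0 100 Trying | CSeq: 1 INVITE
0.420 192.168.111.10 192.168.112.20 SIP/2.0 180 Ringing | CSeq: 1 INVITE
2.500 192.168.111.10 192.168.112.20 SIP/2.0 200 OK | CSeq: 1 INVITE
2.510 192.168.112.20 192.168.111.10 ACK sip:201@192.168.111.10 SIP/2.0 | CSeq: 1 ACK
3.000 192.168.111.10 192.168.112.20 SIP/2.0 200 OK | CSeq: 1 INVITE
3.010 192.168.112.20 192.168.111.10 ACK sip:201@192.168.111.10 SIP/2.0 | CSeq: 1 ACK
4.000 192.168.111.10 192.168.112.20 SIP/2.0 200 OK | CSeq: 1 INVITE
6.000 192.168.111.10 192.168.112.20 SIP/2.0 200 OK | CSeq: 1 INVITE
10.000 192.168.111.10 192.168.112.20 SIP/2.0 200 OK | CSeq: 1 INVITE
34.520 192.168.111.10 192.168.112.20 BYE sip:100@192.168.112.20 SIP/2.0 | CSeq: 2 BYE
34.530 192.168.112.20 192.168.111.10 SIP/2.0 200 OK | CSeq: 2 BYE
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) \| CSeq: \d+ (\S+)$")


@dataclass
class SipMsg:
    t: float            # seconds since capture start
    src: str
    dst: str
    first_line: str     # request line or status line
    cseq_method: str    # method named in the CSeq header

    @property
    def is_request(self):
        return not self.first_line.startswith("SIP/2.0")

    @property
    def method(self):
        return self.first_line.split()[0] if self.is_request else None

    @property
    def status(self):
        return int(self.first_line.split()[1]) if not self.is_request else None


def parse_trace(text):
    """Parse the simplified trace format into SipMsg objects, skipping bad lines."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, first, cseq_method = m.groups()
            msgs.append(SipMsg(float(t), src, dst, first, cseq_method))
    return msgs


def analyse_call(msgs, local_ip):
    """Summarise one call: who hung up, talk time, and whether the 200 OK was retransmitted."""
    invite = next((m for m in msgs if m.method == "INVITE"), None)
    oks = [m for m in msgs if m.status == 200 and m.cseq_method == "INVITE"]
    acks = [m for m in msgs if m.method == "ACK"]
    bye = next((m for m in msgs if m.method == "BYE"), None)
    result = {
        "answered": bool(oks),
        "ok_retransmits": max(len(oks) - 1, 0),   # extra 200 OKs mean the ACK was not received
        "ack_seen": bool(acks),                   # did this phone actually send an ACK?
        "bye_from": None,
        "talk_seconds": None,
        "verdict": "",
    }
    if invite is None:
        result["verdict"] = "no INVITE in capture"
        return result
    if bye is None:
        result["verdict"] = "no BYE seen: call still up or capture ended early"
        return result
    result["bye_from"] = "local phone" if bye.src == local_ip else "far end"
    start = oks[0].t if oks else invite.t
    result["talk_seconds"] = round(bye.t - start, 2)
    near_32 = 28.0 <= result["talk_seconds"] <= 36.0
    if result["bye_from"] == "far end" and result["ok_retransmits"] and near_32:
        result["verdict"] = ("far end retransmitted 200 OK and sent BYE about 32 s after answer: "
                             "it never received the ACK (RFC 3261 Timer H = 64*T1 = 32 s); "
                             "suspect the ACK is dropped on the path between the sites")
    elif near_32:
        result["verdict"] = "call torn down near 30 s: check firewall/NAT state timeouts on the tunnel path"
    else:
        result["verdict"] = f"normal hangup by {result['bye_from']}"
    return result


if __name__ == "__main__":
    for key, value in analyse_call(parse_trace(SAMPLE_TRACE), PHONE).items():
        print(f"{key}: {value}")
```

Run it on the phone's capture by exporting each SIP message's time, addresses, first line and CSeq into the same one-line format (Wireshark's "Telephony > VoIP Calls > Flow Sequence" shows the same fields). A BYE from the phone itself with no retransmissions points at the handset or its registration; a far-end BYE at ~32 s with retransmitted 200 OKs points at signalling being dropped in one direction, which is what a SIP helper, a NAT rewrite or a short UDP state timeout on the tunnel path would produce.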
 
Grandstream phones have a PCAP function built in.
As I mentioned I bought a couple of GXP1630 phones to test. I've got them set up on my LAN at home with a 3CX PBX (FreePBX turned out to be way too complicated, never got the phones setup on it). Anyway, I was able to make an extension to extension call and capture it using PCAP and opened the results in Wireshark.

The raw capture was about 1930 packets. I clicked Telephony from the Wireshark menu and chose VoIP Call. It gave me a one line summary of the call and the STATE column said completed. Is that where I'll find the info we're looking for on the customer's system?
 
As I mentioned I bought a couple of GXP1630 phones to test. I've got them set up on my LAN at home with a 3CX PBX (FreePBX turned out to be way too complicated, never got the phones setup on it). Anyway, I was able to make an extension to extension call and capture it using PCAP and opened the results in Wireshark.

The raw capture was about 1930 packets. I clicked Telephony from the Wireshark menu and chose VoIP Call. It gave me a one line summary of the call and the STATE column said completed. Is that where I'll find the info we're looking for on the customer's system?
I think his point was to do this on a phone at the remote location to see what information could be gleaned from the logs.
 
I get that I need to do it on the customer system. I was just trying it at home to get familiar with the process before testing it on their system. Also wanted to know what a good call looks like.
 
I get that I need to do it on the customer system. I was just trying it at home to get familiar with the process before testing it on their system. Also wanted to know what a good call looks like.
Is your 3CX a fully functional system? I’ll grab a screenshot of a good call tomorrow for you.

It should be several lines deep probably 7-10 and it’ll show you each stage of the call.
 