SUGGESTIONS Juniper SRX setup for remote PiaF

Robert-BCC

Topology: 20+ Grandstream 21XX Phones -> Cisco PoE switch -> SRX 100 -> Comcast Business Modem (with static IPs) -> Internet -> Vitelity Hosted PiaF (1 GB RAM)

Problem:
Everything's fine without the Juniper SRX100. With the SRX100 in place, inbound calls fail intermittently with busy signal. Outbound calls work consistently.

Setup:
Comcast modem is configured in “pass-through” mode with NAT disabled.
Juniper SRX has the following security policies enabled:
- outbound policy for all traffic permit source address=any, destination address=any, application=any.
- Inbound policy permits traffic from source=PBX ip address, application=any to destination address=any

Problem Manifestation:
Phone shows that it is registered with the PBX and has an IP address. Outbound calls work. *Usually* inbound calls work after a reboot of the phone, but sometimes several reboots are required before an incoming call is successful. In the Asterisk log the extension seems to arbitrarily go off line. I've seen it happen several times within 60 seconds of a successful call. Vitelity reports: "We received 'CONGESTION' when attempting to route the call to your server or device."

More Info:
Have turned on/off the SIP ALG, still no joy. I have an annotated log file that I can post, but posting logs is discouraged.

Status
BTW, I tried to post the entire (edited) status-output.txt, but "The submitted message is too long to be processed. Please shorten it."


│ Asterisk = ONLINE | Dahdi = N/A * | MySQL = ONLINE │
│ SSH = ONLINE | Apache = ONLINE | Iptables = ONLINE │
│ Fail2ban = ONLINE | Internet = ONLINE | Ip6Tables = ONLINE │
│ Disk Free = ADEQUATE| Mem Free = CHECK | NTPD = N/A * │
│ SendMail = ONLINE | Samba = OFFLINE | Webmin = ONLINE │
│ Ethernet0 = N/A | Ethernet1 = ONLINE | Wlan0 = N/A │
│ │
│ PIAF Installed Version = 2.0.6.5 under *PROXMOX* │
│ FreePBX Version = 2.11.0.38 │
│ 2.11 │
│ Running Asterisk Version = 11.6.0 │
│ Asterisk Source Version = UNKNOWN │
│ Dahdi Source Version = N/A * │
│ Libpri Source Version = UNKNOWN │
│ IP Address = on eth1 │
│ Operating System = CentOS release 6.5 (Final) │
│ Kernel Version = 2.6.32-042stab072.10 - 32 Bit │
└─────────────────────────────────────────────────────────────────────┘
 

MacNix

Dunno if it helps, but I had a similar situation with GXP21xx the other day - a remote location setup running off a RentPBX cloud Piaf box...

I run Untangle firewall/routers, and found the issue (for me) was that the phone wasn't getting/giving a valid WAN IP out... It was relying on proper NAT from the router/firewall, which wasn't happening. I fixed that in the Untangle box, and things got a lot happier....

Those GXPs have a switch setting for using STUN - you **might** try it.. I've had mixed results.

I even put rules in passing info destined for the specific phone IPs (I assigned statics to those phones which were giving trouble, so I could target them specifically)...

Additionally, I found the GXPs ALWAYS had to have a hard cycle - - if you do web-GUI updates, then click Update, then "reboot", they'll never get IP properly and never fully connect.. Hands-on, unplug and replug seems to have helped..

hope this helps you
 

atsak

Because the SRX is a strict policy enforcing firewall, you can't really run multiple phones behind a single IP in my experience. It's unable to open the pinholes for RTP with any consistency; though the ALG is supposed to do that, I never got it to work.

There are two or three things you can do to try and work with it.

If you have a JTAC contract on the SRX, open a case and see if they can guide you through getting the SIP ALG to work properly. I hate SIP ALGs, but maybe they can get the magic formula for you. If you do that, please post it here.

You could try doing a multiport VIP (that's an SSG term; I forget what it's called in SRX world) so you configure each phone to use a different SIP signalling port and a different set of 8 RTP ports (for 4 calls), and then port forward with a policy to permit only traffic from Vitelity to each phone, and configure FreePBX and Asterisk to listen on the expanded SIP signalling port range (because you will need 20 ports) along with the RTP range.

Alternatively you can see if you can set up an IPSEC VPN on the PBX (more memory likely needed). There is something called openswan I think that does this but there might be a native option that has a way to accommodate this. I believe the SRX can also do L2TP tunnels which should work as well.
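The per-phone port plan described in the post above, worked through as an added example that is not part of the original post or any poster's configuration. The PBX address, LAN addresses, base ports and the use of UDP are constructed assumptions; the script only builds the plan, checks it for collisions, and lists the inbound forwards, each restricted to the PBX as source.

```python
from ipaddress import ip_address

# Constructed placeholder values (assumptions, not from the thread).
PBX_IP = "203.0.113.10"       # hosted PBX, documentation address range
LAN_BASE = "192.168.10.101"   # static LAN address of the first phone
SIP_BASE = 5061               # first per-phone SIP signalling port
RTP_BASE = 10000              # first RTP port
RTP_PER_PHONE = 8             # 8 RTP ports per phone, for 4 calls


def validate(plan):
    """Reject a plan where a forwarded port is out of range or claimed twice."""
    seen = {}
    for e in plan:
        lo, hi = e["rtp_ports"]
        for port in [e["sip_port"], *range(lo, hi + 1)]:
            if not 1024 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
            if port in seen:
                raise ValueError(
                    f"port {port} used by phones {seen[port]} and {e['phone']}")
            seen[port] = e["phone"]


def build_plan(phones, sip_base=SIP_BASE, rtp_base=RTP_BASE,
               rtp_per_phone=RTP_PER_PHONE):
    """Give each phone one SIP port and one contiguous block of RTP ports."""
    if rtp_base % 2 or rtp_per_phone % 2:
        raise ValueError("RTP blocks must start even and have even size")
    first_ip = ip_address(LAN_BASE)
    plan = []
    for i in range(phones):
        lo = rtp_base + i * rtp_per_phone
        plan.append({"phone": i + 1, "lan_ip": str(first_ip + i),
                     "sip_port": sip_base + i,
                     "rtp_ports": (lo, lo + rtp_per_phone - 1)})
    validate(plan)
    return plan


def inbound_rules(plan, pbx_ip=PBX_IP):
    """(source, proto, wan_port_range, lan_ip) per forward; source is PBX only."""
    rules = []
    for e in plan:
        rules.append((pbx_ip, "udp", (e["sip_port"],) * 2, e["lan_ip"]))
        rules.append((pbx_ip, "udp", e["rtp_ports"], e["lan_ip"]))
    return rules


def pbx_ranges(plan):
    """Overall SIP and RTP ranges the PBX side has to cover."""
    return ((plan[0]["sip_port"], plan[-1]["sip_port"]),
            (plan[0]["rtp_ports"][0], plan[-1]["rtp_ports"][1]))
```
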
 
