Dual WAN for client site

Hi there,

I was wondering if there was anyone who can help me figure this problem out.

On the client side I have a mikrotik CC1009, with SIP ALG turned off. Extensions are configured to use NAT on the freePBX side and the NAT mode is set to (yes, force_rport, comedia) for all extensions. The freePBX server has only one Public IP assigned to it, and I am happy with that setup.

On the client side, we have two ISP’s, both with static public IP’s. I have configured the fail-over redundancy on the mikrotik and everything works perfectly; when the primary ISP goes down the secondary ISP picks up within seconds.

However, when the primary ISP goes down, phones won’t register using the secondary ISP. I’ve seen the sip debug logs on asterisk and the server keeps sending NAT requests to the primary ISP, and doesn’t switch over to the secondary ISP. Here is the example of what I am talking about:

[2019-10-04 11:06:47] VERBOSE[2578] chan_sip.c: Retransmitting #1 (NAT) to xx.xx.xxx.xxx:1250:
OPTIONS sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP xxx.xxx.xx.xxx:5060;branch=z9hG4bK03f04c57;rport
Max-Forwards: 70
From: “Unknown” sip:[email protected];tag=as5078d144
To: sip:[email protected]:5060
Contact: sip:[email protected]:5060
Call-ID: [email protected]:5060
CSeq: 102 OPTIONS
User-Agent: FPBX-13.0.195.22(11.25.3)
Date: Fri, 04 Oct 2019 16:06:46 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

What I’ve tried so far and no luck:
Used SIP ALG and disabled NAT mode on the extension.
Used TCP/TLS for SIP as opposed to UDP.
Turned on keep alive on the phone side.

I am out of ideas, any help would be much appreciated!

I assume that the FreePBX system is in the cloud or at a location different from the failing clients, and on a static public IP address. If not, please explain.

That OPTIONS request doesn’t tell us anything – if the new registration isn’t working (for any reason), Asterisk will continue to send OPTIONS to the old address, until the old registration expires.

Confirm that when things are working normally (no outage), the phone is sending REGISTER requests with a short expiry, e.g. every 120 seconds.

Then, when you fail over, does the Asterisk SIP debug log show REGISTER requests coming in from the new address? If so, what response, if any, is given?

If Asterisk doesn’t see the new REGISTERs, can you see them with tcpdump? If so, the FreePBX firewall is blocking them – confirm that both addresses are properly whitelisted.

If they don’t show in tcpdump, try capturing traffic on the Mikrotik’s secondary WAN interface to confirm that they are being properly set out.

Yes, freepbx is hosted on the cloud and different location from clients, and yes the server has a public IP directly assigned to it.

Yes, just for testing I adjusted one phone’s registration time to every 10 sec.

I don’t see any REGISTER request from the second ISP, they’re all showing from the first ISP, still.
I can confirm that the secondary ISP is whitelisted. And yes, I can confirm that SIP requests are being send out by phones to the server, I did a packet capture with wireshark with a compuer on the same network as phones.

This sounds like a Mikrotik configuration issue or possibly a bug. You can use TZSP to capture traffic on its WAN interfaces and stream directly to Wireshark.
https://wiki.mikrotik.com/wiki/Ethereal/Wireshark

Mikrotik’s SIP “Service Port” is not quite like most "Sip Helpers ( that just don’t work and screw up Asterisk ) " you might want to enable it and see . . .

yes, i did try enabling sip service port and it didn’t help.

cool, i will try to capture the traffic through mikrotik. I tried doing that through winbox tool but I don’t see any saved files on files section. I will try command instead. Thanks for your help!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.