Phones over IPSec Tunnel

Hey all - We are testing FreePBX and have some phones on a remote site from our PBX. Remote site is connected via IPSec tunnel. The tunnel runs through Azure, with UniFi UDMP’s at each site and RRAS boxes behind them.

The tunnel connection is SOLID and has been for years.

However, when testing FreePBX, we have noticed that over time, some of these phones on the remote site will become unregistered. Sometimes rebooting them brings them back online, sometimes it requires factory reset of the phones.

What could the factory reset of the device do that the reboot could not? Neither the templates on EPM, nor the IPs of anything are changing. I find it baffling.

Also, any thoughts on how to keep the extensions registered longer?

Is this where SIP Keep Alive comes in?

Edited to add - The phones are both Digit D65s and Polycom VVX601s.

Two common situations:

The device source port changed (caused by NAT or the device itself) and pjsip rejected what it thought was a different device. See

If you see such errors in the Asterisk log, try setting Max Contacts for the extension to e.g. 4.

A ‘poisoned’ NAT association is kept alive by aggressive retries. If you suspect this (the registration requests no longer arrive at the PBX), try unplugging an affected device for 10 minutes, then reconnecting it. Setting a long registration retry time in the device will usually allow it to recover automatically.

If neither of the above applies, see what is logged by Asterisk when the phone attempts to register. If nothing, see what appears in sngrep. If also nothing, capture traffic from the remote device to see whether its REGISTER requests are being sent properly. You may find How do I do a Remote Packet Capture for Polycom VVX Phones? useful.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.