Problems with HA Module, NAT and UDP

I’m having a problem where external users (Zoiper and Yealink phones) cannot register to an HA setup of FreePBX 13 (Distro 10.13.66-10) with all the latest modules and Asterisk 11.

The PBX is sitting in an internal network and all the proper ports (TCP & UDP 5060 + UDP 10000-20000) are forwarded to the floating IP.

This setup is replacing a previous single FreePBX with Asterisk 1.8 which is still alive. If I change the port forwardings to point to the old FreePBX’s IP, then external clients can register to it and calls work fine with audio both ways, so it does not seem to be a firewall problem.

I enabled TCP transport in the SIP Configuration and registration starts working, but then the call has one-way audio only (outgoing). This leads me to believe the problem is with UDP only. Looking at the firewall logs I can see the connections (TCP & UDP) coming to the public IP and being forwarded to the HA floating IP, but then I notice that the UDP connection from the server to the client is not originated from the floating IP but from the IP of the active node. It is allowed and passes through, but I think this is what is causing the problem. Maybe the client is rejecting it for that reason?

To test this, I changed the port forwardings to point to the IP of the active node instead, and then everything starts working fine: clients can register with both TCP and UDP transport, and calls get audio both ways. This workaround is of course not ideal, as it defeats the purpose of having an HA setup; a manual firewall rule change would be necessary when a failover happens…

Do you guys have any idea how this can be fixed? Is it normal that the active node sends connections using its real IP instead of the floating IP?

Did you follow the HA wiki where it states to go into SIP Settings module and set your floating IP to the bind address?

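The symptom in the first post (TCP registration works, UDP replies leave from the node's own address) follows from how the sockets are bound: a TCP reply is sent from the local address the connection was accepted on, which is the floating IP the client targeted, while a UDP socket bound to all addresses picks its source address by routing, which on the active node is its primary address, not the secondary floating IP. The client (or its NAT) then sees a SIP reply or RTP stream from an address it never sent to and drops it. Binding chan_sip to the floating IP (the SIP Settings "Bind Address", i.e. the `bindaddr` general option in chan_sip) makes both UDP signalling and the RTP sockets originate from that address. The check below is an added example, not code from the thread or from FreePBX: it automates the comparison the original poster did by eye on the firewall logs, flagging replies to flows opened against the floating IP that come from a different source. The log format, the addresses (floating IP 192.168.1.50, active node 192.168.1.51, client 203.0.113.10) and the sample lines are all constructed for the example.

```python
import re

# Assumed HA addressing (constructed for this example, not from the thread).
FLOATING_IP = "192.168.1.50"    # address the firewall forwards 5060 and 10000-20000 to
ACTIVE_NODE_IP = "192.168.1.51"  # real address of the node currently holding the service

# Constructed firewall log excerpt in an illustrative "action proto src dst" format.
# Line pairs: SIP/UDP request+reply, SIP/TCP request+reply, RTP inbound+outbound.
SAMPLE_LOG = """\
ACCEPT proto=UDP src=203.0.113.10:5060 dst=192.168.1.50:5060
ACCEPT proto=UDP src=192.168.1.51:5060 dst=203.0.113.10:5060
ACCEPT proto=TCP src=203.0.113.10:41000 dst=192.168.1.50:5060
ACCEPT proto=TCP src=192.168.1.50:5060 dst=203.0.113.10:41000
ACCEPT proto=UDP src=203.0.113.10:8000 dst=192.168.1.50:10002
ACCEPT proto=UDP src=192.168.1.51:10002 dst=203.0.113.10:8000
"""

LINE_RE = re.compile(
    r"(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse(lines):
    """Yield (proto, src_ip, src_port, dst_ip, dst_port) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield d["proto"], d["sip"], int(d["sport"]), d["dip"], int(d["dport"])


def find_asymmetric_replies(lines, floating_ip):
    """Return (proto, client, reply_source) for every packet that answers a flow
    the client opened towards floating_ip but leaves from a different address.

    A client (and a stateful NAT in front of it) expects the reply's source to
    match the destination it sent to; anything else is a stranger's packet.
    """
    inbound = set()  # (proto, client_ip, client_port, pbx_port) seen going to the floating IP
    mismatches = []
    for proto, sip, sport, dip, dport in parse(lines):
        if dip == floating_ip:
            inbound.add((proto, sip, sport, dport))
        elif (proto, dip, dport, sport) in inbound and sip != floating_ip:
            mismatches.append((proto, f"{dip}:{dport}", f"{sip}:{sport}"))
    return mismatches


if __name__ == "__main__":
    bad = find_asymmetric_replies(SAMPLE_LOG.splitlines(), FLOATING_IP)
    if not bad:
        print(f"all replies originate from {FLOATING_IP}")
    for proto, client, source in bad:
        # Expect the UDP SIP reply and the RTP stream here; the TCP reply passes.
        print(f"{proto} reply to {client} came from {source}, not {FLOATING_IP}: "
              f"check the chan_sip bind address")
```

Run it against a real log after failover as well as before: once the bind address is the floating IP, the list should stay empty no matter which node is active, which is the property the manual rule change in the first post could not give.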

Thanks so much Tony, that fixed the problem!!!

The HA setup page was the only one in the Wiki I did not read in detail, as this is a FreePBX HA SMB appliance and HA came pre-configured with the IP addressing I provided. I guess whoever set it up missed that little step…

All good now. Thanks!