Solved

Juniper SSG20 Not Routing SIP Traffic To Failover Interface

Posted on 2014-09-10
3
456 Views
Last Modified: 2014-11-10
We have an SSG20 with 2 ADSL connections on separate interfaces in the untrusted zone on physical ports 0/0 and 0/1. We have set up interface failover using the track ip monitor on the primary interface so that if the primary line / interface goes down it switches to backup. We have a default route setup for each WAN connection, the primary has a lower preference value so that when it is active all the traffic is routed via this interface.

The failover works perfectly for web traffic and our VPNs but does not switch the SIP traffic and subsequently the VOIP phones go offline. The only way we can get the phones up and running on the backup connection is to reboot the SSG.

We have disabled SIP ALG on the Juniper and have 2 outbound policies to allow SIP (ports 5060 - 5069) and RTP (ports 10000 - 20000)

Any ideas on how to get the VOIP phones to successfully failover to the backup line without having to reboot the Juniper?

Thanks in advance
0
Comment
Question by:H_C_S
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40314715
I have this same problem. What is happening is the VOIP phones are registered to an external provider over one public IP. When that interface goes down I have to power cycle the phone so it can reregister with the SIP provider using the new public IP.

I also have source based NAT enabled on the outbound policy for my VOIP phones in addition to allowing the specific ports
0
 

Author Comment

by:H_C_S
ID: 40315137
Power cycling the phone doesn't make any difference with our setup, we have to power cycle the Juniper to get the phones to automatically re-register whether they are on the primary or failover interface. We have no such problem with the other traffic, http, ftp etc
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40315206
Seems as if the SIP sessions are not timed out / invalidated, which is strange if the interface goes down.
In CLI you can try if   clear session dst-ip ...   (or whatever identifies the sessions) helps after failover. You should also check the physical and logical up status with   get interface eth0/0   (etc.).
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Help enabling http access for Cisco ASA - (ET) 20 82
ipsec tunnel comme not up 10 126
Cisco ASA 5505's for VPN study 15 63
Draytek (Site to Site VPN using IPSec) 6 69
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question