Juniper SSG20 Not Routing SIP Traffic To Failover Interface

We have an SSG20 with 2 ADSL connections on separate interfaces in the untrusted zone on physical ports 0/0 and 0/1. We have set up interface failover using the track ip monitor on the primary interface so that if the primary line / interface goes down it switches to backup. We have a default route setup for each WAN connection, the primary has a lower preference value so that when it is active all the traffic is routed via this interface.

The failover works perfectly for web traffic and our VPNs but does not switch the SIP traffic and subsequently the VOIP phones go offline. The only way we can get the phones up and running on the backup connection is to reboot the SSG.

We have disabled SIP ALG on the Juniper and have 2 outbound policies to allow SIP (ports 5060 - 5069) and RTP (ports 10000 - 20000)

Any ideas on how to get the VOIP phones to successfully failover to the backup line without having to reboot the Juniper?

Thanks in advance
H_C_SAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sanga CollinsSystems AdminCommented:
I have this same problem. What is happening is the VOIP phones are registered to an external provider over one public IP. When that interface goes down I have to power cycle the phone so it can reregister with the SIP provider using the new public IP.

I also have source based NAT enabled on the outbound policy for my VOIP phones in addition to allowing the specific ports
0
H_C_SAuthor Commented:
Power cycling the phone doesn't make any difference with our setup, we have to power cycle the Juniper to get the phones to automatically re-register whether they are on the primary or failover interface. We have no such problem with the other traffic, http, ftp etc
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Seems as if the SIP sessions are not timed out / invalidated, which is strange if the interface goes down.
In CLI you can try if   clear session dst-ip ...   (or whatever identifies the sessions) helps after failover. You should also check the physical and logical up status with   get interface eth0/0   (etc.).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.