VoIP phones and a recommendation to enable Consistent NAT

Hello!

A client's new VoIP phone provider has made some recommendations to ensure good performance, including to enable Consistent NAT. I know that SonicWALL firewalls have that setting, but is there an equivalent for WatchGuard? The client has a T35 running 12.5.7 U3 Fireware.

They also recommended increasing UDP timeout to a minimum of 300 seconds. It was at the default of 30 seconds, so I used the CLI to bump the global UDP timeout to 360 seconds. I did it globally because I do not know how to apply it to a particular policy. If I understand correctly, the "Specify custom idle timeout" setting on a particular policy's Properties tab is only for the TCP timeout, correct?

Gregg Hill

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi Greg,

    UDP timeout is a global setting; 300 seconds (5 minutes) is fine. As a network admin, I'd ask the VoIP provider why my phone needs to reply to a UDP stream that's older than 30 seconds, but they likely won't have an answer for you other than that's their "optimized config".

    The firewall won't allow you to increase the setting beyond 10 minutes total, so I'd suggest leaving it where you set it now and see if that causes any issues. Chances are unless you're running a huge network that could potentially overflow the connection tables that nothing will happen.

    -James Carson
    WatchGuard Customer Support

  • Thank you James!

    Gregg Hill

  • @james.carson said:
    Hi Greg,

    UDP timeout is a global setting; 300 seconds (5 minutes) is fine. As a network admin, I'd ask the VoIP provider why my phone needs to reply to a UDP stream that's older than 30 seconds, but they likely won't have an answer for you other than that's their "optimized config".

    The firewall won't allow you to increase the setting beyond 10 minutes total, so I'd suggest leaving it where you set it now and see if that causes any issues. Chances are unless you're running a huge network that could potentially overflow the connection tables that nothing will happen.

    Sorry to necro a really old thread, but there is a really simple answer to this.
    A SIP phone using UDP registers with the PBX by sending a SIP REGISTER. If this succeeds, the phone then sits still, waiting for one of two things:
    1. the user picks up the handset and starts dialing
    2. the PBX sends a SIP INVITE to signal there is an incoming call

    SIP registrations in the past could easily be 3600 seconds. That means the phone sends the SIP REGISTER and then there is not a single outgoing packet of traffic for 3600 seconds until it refreshes the registration.

    As soon as the UDP timeout of the firewall expires, incoming calls become impossible as the phone is no longer reachable from the PBX. To keep incoming calls working, the UDP timeout has to be higher than the register expiration.
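    As an added illustration of the mechanism described above (this is example code written for this thread, not code from the thread, from WatchGuard or from any VoIP vendor), the following Python model tracks a firewall's UDP connection table with one global idle timeout, a phone that re-sends SIP REGISTER at its registration expiry interval and optionally sends a keepalive on the same socket, and asks whether a SIP INVITE from the PBX still reaches the phone. The inside address, the timing values and the keepalive interval are all constructed assumptions.

```python
"""Model of how a firewall's global UDP idle timeout interacts with SIP
registration refresh. Added example for this thread; not code from the
thread, from WatchGuard or from any VoIP vendor. All names, addresses and
timing values are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class NatTable:
    """Firewall UDP connection table with one global idle timeout (seconds).

    Bindings are keyed by the phone's inside (address, port) and record the
    last time the phone sent a packet through the firewall.
    """
    udp_timeout: int
    bindings: dict = field(default_factory=dict)

    def outbound(self, key, now):
        """Outbound packet (SIP REGISTER or keepalive): create/refresh the binding."""
        self.bindings[key] = now

    def inbound_allowed(self, key, now):
        """Inbound packet from the PBX (SIP INVITE): deliverable only while the
        binding is within its idle timeout; an expired entry is removed."""
        last = self.bindings.get(key)
        if last is None:
            return False
        if now - last > self.udp_timeout:
            del self.bindings[key]  # what a real firewall does on expiry
            return False
        return True


def outbound_times(interval, until):
    """Times (0, interval, 2*interval, ...) at which a periodic packet is sent,
    up to and including `until`. None or 0 means the packet is never sent."""
    if not interval:
        return []
    return list(range(0, until + 1, interval))


def invite_reaches_phone(udp_timeout, register_expires, keepalive_interval, call_time):
    """Return True if a SIP INVITE from the PBX at `call_time` seconds after
    the first REGISTER still reaches the phone behind the firewall.

    The phone re-REGISTERs every `register_expires` seconds and optionally
    sends a small keepalive on the same socket every `keepalive_interval`
    seconds (the keepalive interval is an assumption, not a vendor default).
    """
    nat = NatTable(udp_timeout=udp_timeout)
    phone = ("192.168.1.50", 5060)  # constructed inside address of the phone
    sent = set(outbound_times(register_expires, call_time))
    sent.update(outbound_times(keepalive_interval, call_time))
    for when in sorted(sent):
        nat.outbound(phone, when)
    return nat.inbound_allowed(phone, call_time)


def max_silent_gap(register_expires, keepalive_interval):
    """Upper bound on the longest stretch with no outbound packet (the shortest
    refresh interval). Incoming calls survive only if this does not exceed the
    firewall's UDP timeout."""
    return min(i for i in (register_expires, keepalive_interval) if i)


if __name__ == "__main__":
    scenarios = [
        # (UDP timeout, REGISTER expires, keepalive, INVITE arrives at t=)
        (30, 3600, None, 120),    # default 30 s timeout: call dropped
        (300, 3600, None, 120),   # timeout raised to 300 s: this call gets through...
        (300, 3600, None, 1000),  # ...but not one arriving after 300 s of silence
        (300, 3600, 25, 1000),    # keepalive every 25 s: binding never idles out
        (30, 25, None, 1000),     # or re-REGISTER faster than the default timeout
    ]
    for udp_timeout, expires, keepalive, t in scenarios:
        ok = invite_reaches_phone(udp_timeout, expires, keepalive, t)
        print(f"timeout={udp_timeout:>4}s expires={expires:>5}s keepalive={str(keepalive):>4} "
              f"INVITE at t={t:>4}s -> {'delivered' if ok else 'DROPPED'}")
```

    The model makes the trade-off concrete: raising the global UDP timeout only buys time up to the firewall's cap, so the durable fix is on the phone side (a registration expiry or keepalive interval shorter than the firewall's UDP timeout), which is also what James's reply above points to when it says the binding ends if no traffic is sent.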

  • james.carson Moderator, WatchGuard Representative

    Hi @MatVlaar,
    In the case of the Firebox, the highest Fireware will allow UDP timeout to be is 300 seconds (5 minutes). If the phone and/or SIP provider is expecting an hour (or the connection to be held open indefinitely), the connection will end if no traffic is sent to keep the connection alive.

    -James Carson
    WatchGuard Customer Support
