[VoiceOps] Perimeta SBC & TCP
David Sarvai
dsarvai at dscicorp.com
Thu Dec 17 14:43:57 EST 2015
Group:
I am trying to complete a conversion from Acme Packet/Oracle SBC to Metaswitch Perimeta SBC. We found late during the cutover process that Polycom/Metaswitch hasn’t implemented a common TCP strategy to keep firewall TCP sessions/connections alive. Has anyone in the group successfully implemented a TCP strategy and if so, am I missing anything?
With the ACME topology, all phones do the following regardless of protocol to maintain pinholes through firewalls:
1 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
1 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
60 SEC Phone -> Register -> Firewall -> SBC
60 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC
Polycom: Requires use of frequent SIP registration (maintained by Perimeta) to keep SIP pinholes through firewalls alive.
Metaswitch: Requires TCP clients (Polycom) to maintain pinholes using native TCP keepalive syn/ack messages.
Polycom’s implementation of “TCP keepalives” is only applicable if the phone is using TLS. There is no such setting for non-TLS TCP based traffic. So the phone will establish a TCP connection to the SBC, and then sit dormant if no registration/call/subscription messages traverse. The firewall will close its ports, and the phone will lose connectivity.
Metaswitch has a fast-nat feature, which is used to shield switches from UDP based registrations. When enabled, fast-nat modifies the endpoint expire timer to allow the endpoint to re-register (keeping the firewall session alive). For UDP, this works correctly, and the SBC responds to the endpoint with a 200 OK. But for TCP, the SBC passes the re-registration attempt back to the switch.
TCP Metaswitch Example with fast-nat:
1 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
1 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
60 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
60 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
My question to the group is: has anyone implemented TCP based registration using Perimeta and Broadsoft?
Dave
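
A toy model of the two registration flows described in this post, added here as an example; it is not part of the original message and is not Acme Packet, Metaswitch or Broadsoft code. The class, the `shield_tcp` switch, the 120-second refresh margin and the address of record are assumptions made for illustration; the 60-second and 1-hour expiries are the ones quoted above.

```python
from dataclasses import dataclass, field

ENDPOINT_EXPIRES = 60     # short expiry handed to the phone (from the post)
UPSTREAM_EXPIRES = 3600   # expiry granted by the registrar (from the post)


@dataclass
class ShieldingSbc:
    """Hypothetical SBC that may answer REGISTER refreshes locally."""
    shield_tcp: bool = True     # assumed switch: also shield TCP endpoints
    refresh_margin: int = 120   # assumed: refresh upstream this early
    upstream_expiry: dict = field(default_factory=dict)  # AoR -> lapse time
    forwarded: int = 0          # REGISTERs that reached the registrar

    def register(self, aor: str, transport: str, now: int):
        """Return (who answered, expiry given to the phone)."""
        lapse = self.upstream_expiry.get(aor)
        shielded = transport == "udp" or self.shield_tcp
        if lapse is not None and shielded and now < lapse - self.refresh_margin:
            # Upstream binding is still fresh: 200 OK comes from the SBC,
            # and the phone's refresh still keeps the firewall pinhole open.
            return "sbc", ENDPOINT_EXPIRES
        # First registration, upstream binding near expiry, or unshielded
        # transport: the REGISTER is passed through to the registrar.
        self.forwarded += 1
        self.upstream_expiry[aor] = now + UPSTREAM_EXPIRES
        return "registrar", ENDPOINT_EXPIRES


def registrar_load(sbc: ShieldingSbc, transport: str, duration: int = 3600) -> int:
    """Count REGISTERs reaching the registrar for one phone over `duration` s."""
    aor = "sip:1001@example.test"  # constructed address of record
    for now in range(0, duration, ENDPOINT_EXPIRES):
        sbc.register(aor, transport, now)
    return sbc.forwarded


if __name__ == "__main__":
    print("TCP, shielded:  ", registrar_load(ShieldingSbc(shield_tcp=True), "tcp"))
    print("TCP, unshielded:", registrar_load(ShieldingSbc(shield_tcp=False), "tcp"))
    print("UDP, shielded:  ", registrar_load(ShieldingSbc(shield_tcp=False), "udp"))
```

In both cases the phone refreshes every 60 seconds, so the firewall session stays alive; what changes is how many of those refreshes land on the registrar.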