<div dir="ltr">Speaking in general terms not specific Perimeta and Broadsoft, to this can be addressed at the TCP, TLS, and SIP levels with various methods of keep-alive traffic.<div><br></div><div>TCP keep-alive is an optional feature which only needs to be supported by one peer; the other peer simply ACKs the packet like any other. Check if you can enable this on the server side instead of relying on the endpoint.</div><div><br></div><div>If TLS is an option, that has it's own heartbeat separate from TCP keep-alive.</div><div><br></div><div>At the SIP level, in our experience OPTIONS polling from the server is sufficient to keep a NAT pinhole open over UDP, and should work similarly for TCP. When enough OPTIONS polls time out, we tear down the registration. This isn't foolproof, as calling to the endpoint will be down until it's next successful registration, but has less overhead than constantly processing registrations.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">Regards,<div><br></div><div><p style="font-family:helvetica,arial,sans-serif;font-size:12px;margin:0px;padding:0px 0px 20px;color:rgb(0,0,0)"><strong>Calvin Ellison</strong><br>Voice Services Engineer<br><a href="mailto:calvin.ellison@voxox.com" style="text-decoration:none;color:rgb(14,123,174)" target="_blank">calvin.ellison@voxox.com</a><br>+1 (213) 285-0555<br><br>-----------------------------------------------<br><strong><a href="http://www.voxox.com/" style="text-decoration:none;color:rgb(14,123,174)" target="_blank">voxox.com</a> </strong><br>9276 Scranton Rd, Suite 200<br>San Diego, CA 92121<br></p><img src="http://cdn.voxox.com/img/voxox-logo.png" alt="Voxox" style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium"><br></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Dec 17, 2015 at 11:43 AM, David Sarvai <span dir="ltr"><<a href="mailto:dsarvai@dscicorp.com" target="_blank">dsarvai@dscicorp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Group:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I am trying to complete a conversion from Acme Packet/Oracle SBC to Metaswitch Perimeta SBC. We found late during the cutover process that Polycom/Metaswitch
hasn’t implemented a common TCP strategy to keep firewall TCP sessions/connections alive. Has anyone in the group successfully implemented a TCP strategy and if so, am I missing anything?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">With the ACME topology, all phones do the following regardless of protocol to maintain pinholes through firewalls:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">1 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">1 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">60 SEC Phone -> Register -> Firewall -> SBC<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">60 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Polycom: Requires use to frequent SIP registration (maintained by Perimeta) to keep SIP pinholes through firewalls alive.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Metaswtich: Requires TCP clients (Polycom) to maintain pinholes using native TCP keepalive syn/ack messages.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Polycom’s implementation of “TCP keepalives” is only applicable if the phone is using TLS. There is no such setting for non-tls TCP based traffic. So the phone
will establish a TCP connection to the SBC, and then site dormant if no registration/call/subscription messages traverse. The firewall will close its ports, and the phone will lose connectivity.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Metaswitch has a fast-nat feature, which is used to shield switches from UDP based registrations. When enabled, fast-nat modifies the endpoint expire timer to
allow the endpoint to re-register (keeping the firewall session alive). For UDP, this works correctly, and the SBC responds to the endpoint with a 200OK. But for TCP, the SBC passes the re-registration attempt back to the switch.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">TCP Metaswitch Example with fast-nat:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">1 SEC Phone -> Register-> Firewall -> SBC -> Register -> Broadsoft
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">1 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">60 SEC Phone -> Register-> Firewall -> SBC -> Register -> Broadsoft
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">60 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">My question to the group, is has anyone implemented TCP based registration using Perimeta and Broadsoft?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Dave<u></u><u></u></span></p>
</div>
</div>
<br>_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
<br></blockquote></div><br></div>