Phone to server through double NAT not working

This has been bothering me for at least a week so I hope there is someone out there that can help.

Here is my setup in order (the IPs have been changed for security reasons):

Asterisk server (most current release) with private IP 10.10.3.3
SonicWALL NSA4500 with public IP 79.86.32.5/24
{Internet}
SonicWALL NSA240 with public IP 79.86.54.7/24
VOIP Phone (Grandstream GXP2000) with private IP 10.10.1.98

Here is the problem–when I first boot the phone everything works fine. I can make calls and receive calls both internally or externally with no problem. Then after about a minute I lose the ability to receive calls. I can still make calls to internal or external phones [from this extension] but all incoming calls to this extension receive the message, “The person at extension 299 is unavailable…”

If I run a “SIP SHOW PEERS” the entry for the phone reads:

Name/username: 299/299
Host: 79.86.54.7
Dyn: D
Nat: N
ACL: A
Port: 8476
Status: UNREACHABLE

I also see something strange in the NSA4500 logs:

Time: 11/12/2010 14:48:12.192
Priority: Notice
Category: Network Access
Message: ICMP packet dropped due to policy
Source: 79.86.54.7,8476,X1
Destination: 10.10.3.3,5060,X3
Notes: ICMP Destination Unreachable, Code: 3

This is the packet detail for the dropped packet:

Ethernet Header
Ether Type: IP(0x800), Src=[00:90:1a:42:e3:4d], Dst=[00:17:c5:19:e6:ed]
IP Packet Header
IP Type: ICMP(0x1), Src=[79.86.54.7], Dst=[79.86.32.5]
ICMP Packet Header
ICMP Type = 3(DESTINATION_UNREACHABLE), ICMP Code = 3(PORT_UNREACHABLE), ICMP Checksum = 4881
Inner IP Packet Decode:
IP Packet Header
IP Type: UDP(0x11), Src=[79.86.32.5], Dst=[10.10.1.98]
UDP Packet Header
Src=[5060], Dst=[8476], Checksum=0x0, Message Length=514 bytes
Application Header
Not Known:

On the NSA240 I have the following:
A firewall rule to allow all inbound traffic from 79.86.32.5 to go to 10.10.1.98.
A firewall rule to allow all outbound traffic from 10.10.1.98.
A NAT rule to translate all inbound traffic from 79.86.32.5 to 10.10.1.98.

On the NSA4500 I have the following:
A firewall rule to allow inbound traffic from 79.86.54.7 on ports 2727, 4569, 5036, 5060 and 1000-2000 to go to 10.10.3.3.
A firewall rule to allow all outbound traffic from 10.10.3.3.
A NAT rule to translate all outbound traffic from 10.10.3.3 to 79.86.32.5.
A NAT rule to translate all inbound traffic from 79.86.32.5 to 10.10.3.3.

The configuration in sip_additional.conf for this extension has the following settings:

[299]
deny=0.0.0.0/0.0.0.0
secret=xxxxxxxxxxxx
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=yes
callgroup=
pickupgroup=
dial=SIP/299
mailbox=299@default
permit=0.0.0.0/0.0.0.0
callerid=device <299>
callcounter=yes
faxdetect=no

Thanks in advance,
Greg

hi greg,

looks like the udp session is disconnected and therefore you can receive call.

you can try adjusting the timeout check by qualify=3000. it is possible that your sonicwall disconnects the session too early. see if there is a parameter like ‘session timeout’, etc.

regards,
derek
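
The timing issue raised in the reply above, as an added example that is not part of the original thread: a constructed model of a NAT UDP mapping with an idle timeout, showing when an inbound packet from the server still finds the mapping. The 30-second timeout and the 60- and 20-second intervals are assumed values, not settings taken from the posts.

```python
"""Constructed model of one NAT UDP mapping with an idle timeout.

All timings are assumptions for illustration; check the real UDP timeout
on the firewall and the real keep-alive/qualify interval in use.
"""


def simulate(nat_idle_timeout, outbound_times, inbound_times):
    """Return {time: delivered} for each inbound packet.

    outbound_times -- seconds at which the phone sends a packet (REGISTER,
                      keep-alive); each one creates or refreshes the mapping
    inbound_times  -- seconds at which the server sends a packet to the
                      phone's mapped public port (qualify probe, INVITE)
    """
    events = sorted([(t, "out") for t in outbound_times] +
                    [(t, "in") for t in inbound_times])
    expires = None          # time at which the mapping is torn down
    delivered = {}
    for t, direction in events:
        alive = expires is not None and t < expires
        if direction == "out":
            expires = t + nat_idle_timeout
        else:
            delivered[t] = alive
            if alive:
                # traffic on a live mapping resets its idle timer
                expires = t + nat_idle_timeout
            # otherwise the NAT has no mapping for that port and the
            # packet is rejected (seen as ICMP port unreachable)
    return delivered


if __name__ == "__main__":
    NAT_TIMEOUT = 30  # assumed firewall UDP idle timeout, seconds

    # Phone registers once at t=0, server probes every 60 s
    print("probe every 60 s:", simulate(NAT_TIMEOUT, [0], [60, 120]))

    # Same registration, server probes every 20 s (shorter than the timeout)
    print("probe every 20 s:", simulate(NAT_TIMEOUT, [0], range(20, 121, 20)))

    # Phone sends its own keep-alive every 20 s, server probes every 60 s
    print("phone keep-alive:", simulate(NAT_TIMEOUT, range(0, 121, 20), [60, 120]))
```
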