PPPoE connection restores but SIP gets lost

Hi All,

We have two VyOS routers running VyOS 1.4.0-rc3, one connected to a VDSL bridged modem and one connected to a 4G router. When the PPPoE connection gets lost, it fails over to the other router without any interruptions. When the PPPoE line restores, it fails back, only the SIP phones are not able to register to the hosted provider. When I do reset conntrack it instantly restores all phones.

I have no fancy conntrack settings; it is all default.

How do I make sure my phones are able to register after failover? Can I force something like a connection flush when PPPoE is back up, or what's the best approach here?

Thanks!

Do you use conntrack sync?

Hi Roedie,

Yeah, I've seen some documentation about it, but it would be nice to have an example of a basic config for this feature. I currently have no conntrack configured.

Cheers!

There is some basic config at the end here. It should be enough to get everyone going.

https://docs.vyos.io/en/latest/configuration/service/conntrack-sync.html

Applied the given config but it made it even worse. Now not only SIP is affected but also ping.

Applied config on both routers:

set service conntrack-sync accept-protocol 'tcp'
set service conntrack-sync accept-protocol 'udp'
set service conntrack-sync accept-protocol 'icmp'
set service conntrack-sync failover-mechanism vrrp sync-group 'CONNTRACK-SYNCGROUP'
set service conntrack-sync interface eth0.50
set service conntrack-sync mcast-group '225.0.0.50'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'DATA-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'DMZ-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'GUEST-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'IOT-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'MNG-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'SERVER-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'VOICE-VRRP'
set high-availability vrrp sync-group CONNTRACK-SYNCGROUP member 'VPN-VRRP'

It should be quite straightforward. Can you provide a drawing with some info like IPs? Post some relevant firewall rules if being used. Is there any other infra involved which might do firewalling?

On a side note, I always used SIP without the helper since the helper always gave me headaches.


As long as the phone keeps sending UDP 5060 packets, the conntrack entry will live on forever.
On fail-over/failback, flush the table:
set load-balancing wan flush-connections

I am not using the WAN load-balancing feature. I use kernel route failover on the PPPoE router/firewall and a DHCP default gateway on the 4G firewall/router. Routes are then shared between the firewalls using OSPF. All the SVIs are on the firewalls, thus no SVIs are configured on the switches.

Firewall 1
kneqt@CE01:~$ show ip route 8.8.8.8
Routing entry for 0.0.0.0/0
Known via "kernel", distance 0, metric 1, best
Last update 1d20h47m ago
185.102.44.0, via pppoe0

Routing entry for 0.0.0.0/0
Known via "static", distance 90, metric 0, tag 210
Last update 5d01h42m ago
directly connected, pppoe0, weight 1

Firewall 2
kneqt@CE02:~$ show ip route 8.8.8.8
Routing entry for 0.0.0.0/0
Known via "ospf", distance 110, metric 1, best
Last update 1d20h47m ago
10.1.10.2, via eth0.50, weight 1

Routing entry for 0.0.0.0/0
Known via "static", distance 210, metric 0, tag 210
Last update 01w3d22h ago
192.168.1.1, via eth0.10, weight 1

Hope this helps :)

Am I right firewall 1 does the NAT but firewall 2 is behind another NATing device?

Yes sir, that is correct. Unfortunately I am not able to put the SIM in the VyOS firewall. I use an external 4G router. This router is only used when the primary link fails. When it fails, it uses 4G without any interruptions. When failing back to primary, we need to re-register the SIP phones, by rebooting them for instance. To solve this we can also reset conntrack on Firewall 1.
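
A narrower alternative to resetting the whole conntrack table after failback, as an added example that is not part of the original thread: the function below reads `conntrack -L -p udp` output and prints one `conntrack -D` command for each SIP flow whose reply tuple is not addressed to the current WAN IP. It assumes that stale flows are the ones created while traffic left via the 4G path and were therefore never NATed to the pppoe0 address; the function name, addresses and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run only: it prints delete commands,
# it does not change the conntrack table.
# On the router (assumption: pppoe0 is the NAT interface), feed it live data:
#   conntrack -L -p udp | stale_sip_flows "$(ip -4 -o addr show dev pppoe0 | awk '{print $4}')"

# stale_sip_flows WAN_IP [SIP_PORT]
# stdin : lines in `conntrack -L` format
# stdout: one `conntrack -D ...` command per SIP flow not NATed to WAN_IP
stale_sip_flows() {
    awk -v wan="$1" -v port="${2:-5060}" '
        $1 == "udp" {
            osrc = odst = odport = rdst = ""
            for (i = 4; i <= NF; i++) {
                split($i, kv, "=")
                # First src/dst/dport belong to the original tuple,
                # the second dst belongs to the reply tuple.
                if (kv[1] == "src" && osrc == "") osrc = kv[2]
                else if (kv[1] == "dst") {
                    if (odst == "") odst = kv[2]; else rdst = kv[2]
                }
                else if (kv[1] == "dport" && odport == "") odport = kv[2]
            }
            # A healthy flow expects replies on the WAN address. Anything else
            # was set up on another path and keeps being refreshed by the phone.
            if (odport == port && rdst != "" && rdst != wan)
                printf "conntrack -D -p udp --orig-src %s --orig-dst %s --orig-port-dst %s\n", osrc, odst, odport
        }'
}

# Constructed sample: phones in 10.1.30.0/24, SIP provider 203.0.113.10,
# current pppoe0 address 198.51.100.7.
SAMPLE='udp      17 175 src=10.1.30.21 dst=203.0.113.10 sport=5060 dport=5060 src=203.0.113.10 dst=10.1.30.21 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 178 src=10.1.30.22 dst=203.0.113.10 sport=5060 dport=5060 src=203.0.113.10 dst=198.51.100.7 sport=5060 dport=1024 [ASSURED] mark=0 use=1
udp      17 25 src=10.1.30.21 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.1.30.21 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.30.5 dst=203.0.113.10 sport=51000 dport=5060 src=203.0.113.10 dst=10.1.30.5 sport=5060 dport=51000 [ASSURED] mark=0 use=1'

# Only the first sample line is reported: SIP over UDP, reply not addressed to the WAN IP.
printf '%s\n' "$SAMPLE" | stale_sip_flows 198.51.100.7
```

Review the printed commands before piping them to `sh`; deleting only these entries leaves established TCP sessions and correctly NATed flows untouched.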
