This discussion has been locked.

Avaya IP Office 500

I'm having some problems getting an Avaya IP Office 500 phone system to work properly over SIP when behind a Sophos UTM. I am currently working with an IT partner to implement a SG125 running version 9.3. Our telco is Gamma.

We currently use a Draytek 2860. Currently ports 5060-5061 and then the SIP port range is forwarded to the IP Office Switch static IP. We have found that enabling STUN causes a situation where the phone rings, the user picks the phone up but there is a severe delay of up to 1 minute before the call connects and speech can be heard. We have disabled Draytek's SIP ALG.

Our NAT rules look like the following screenshot. I first enabled 16-20 which was a total failure. I couldn't even get a line out.

We then tried creating a new broader rule (number 15) and found that we were getting a situation similar to the Draytek described above. In addition, on my test calls, I wasn't able to hear speech from the other end.

The only thing I have not tried is the SIP helper on the UTM.

Can anybody with experience with using a Sophos UTM and Avaya IP Office suggest where the rules aren't configured right?



  • I haven't done this, but I do have an observation...

    It appears that 15 & 16 should have "Internet IPv4" as the source rather than "Any." Using "Any" can cause routing problems if the FQDN resolves in your LAN to "WAN12 [WAN - Phone system] (Address)" instead of to "IP Office Switch."

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for your input Bob. We are preparing to do a test this time with the following settings:

    Where "Gamma" refers to their IP range on 88.215.63.0/24.

  • Did you get this working with the IP Office, and if so what were the settings on the SNAT / DNAT that worked? Am facing the same problem with BTNET. Everything appears to be working, but we are losing voice in one direction during the call.

  • We did indeed. See the image I posted. The port definitions are built in other than the STUN/T ports.

    Your incoming voice drop issue could also be caused by IPS flood prevention so make sure you also create a rule to except the SIP traffic if you have IPS configured.

  • Hi,

    I had missed the IPS rules, so think that is where the problem might have been. Have put them in so will see if that sorts it.

    I was working with just firewall rule 1, but have now included 2,3,4

    We are using BT for the SIP, so it is a single registration between the IP Office and the BT SIP Gateway, and for the most part was working fine. The fact that not all calls lost one way voice was the strange bit. Having seen your configuration has made it a bit clearer (or at least given me somewhere to start from), so thanks for posting.

  • We had the same issue and it was IPS. The noisier the audio the higher the probability it would drop out one way. I noted flood protection was triggered between the PBX and SIP gateway in the log.
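
Why RTP between a PBX and a single SIP gateway can trip a UDP flood limit, as an added example (not from the thread or from Sophos): it computes the peak packets per second for each source/destination pair over constructed packet timestamps. The 200 pps limit, per-pair counting, the 20 ms packet interval and the 192.0.2.10 / 198.51.100.20 addresses are assumptions.

```python
from collections import defaultdict, deque

# Assumed UDP limit in packets per second per source/destination pair
# (hypothetical value; read the real one from your IPS flood settings).
UDP_PPS_LIMIT = 200

PBX = "192.0.2.10"      # constructed address standing in for the IP Office
GW = "198.51.100.20"    # constructed address standing in for the SIP gateway

def peak_pps(packets, window_ms=1000):
    """Return {(src, dst): most packets seen in any window_ms span}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, dst in sorted(packets):
        q = recent[(src, dst)]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - q[0] >= window_ms:
            q.popleft()
        peak[(src, dst)] = max(peak[(src, dst)], len(q))
    return dict(peak)

def flows_over_limit(packets, limit=UDP_PPS_LIMIT):
    """Address pairs whose peak rate would exceed the flood limit."""
    return sorted(p for p, pps in peak_pps(packets).items() if pps > limit)

def rtp_stream(src, dst, start_ms, seconds, ptime_ms=20):
    """Constructed RTP-like timestamps: one packet every ptime_ms."""
    count = seconds * 1000 // ptime_ms
    return [(start_ms + i * ptime_ms, src, dst) for i in range(count)]

def concurrent_calls(n, seconds=3):
    """n calls over one trunk: every stream shares the same address pair."""
    return [p for i in range(n) for p in rtp_stream(PBX, GW, i * 7, seconds)]

if __name__ == "__main__":
    for n in (3, 5):
        pkts = concurrent_calls(n)
        print(n, "calls:", peak_pps(pkts), "over limit:", flows_over_limit(pkts))
```

Because a single SIP trunk puts every call's media on the same address pair, the rate the flood check sees grows with the number of concurrent calls, which is why an IPS exception scoped to the PBX and the provider's addresses is the fix the thread arrives at.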

  • I'm looking for help with our new IP Office system but need to take a step back from NAT/port forwarding etc. Does anyone have information on how they got the IPO set up with Sophos UTM in the first place? We were to have BT come in to install a line but they've let us down at the last minute and so now at the last minute we need to route SIP over our existing leased line, via our UTM. I'm not sure how to go about connecting the IPO to our network and route SIP through the UTM.

     

    Any help gratefully received.

    Thanks,

     

    Michael

  • You simply have to tell the IPO how to route traffic, so in our case we have SIP going out of LAN2, with the route to our SIP provider

    So our phones are connected to the 172.19.20.0/24 network, and the UTM has an interface with address 172.19.20.254

    Once it can route out, then the rest is about configuring the UTM, all covered previously in the thread.

    You don't have to have 2 LANS on the IPO, I just do to keep management and voice separated, but either way you have to add the route to the correct LAN you are using.

    If that is all you need and you already have SIP registration configured, it should be fine.

    We use BT for SIP and get there via BTNET.

    If you need more specific information from our IPO then happy to share. There are only a few must do's if using BT.

    Nick

     

     

  • Hi Nick,

    Thanks for your reply. We've set up our phones to be on VLAN 120 and they correctly get an IP from our DHCP server (192.168.120.0/25). The IPO has LAN connected on the same VLAN with an IP of 192.168.120.2. This connects to our UTM via the normal LAN. My plan was then to configure eth2 on our UTM and connect this to the LAN2 port on the IPO. Our SIP is coming from Gamma. Would this be the correct approach?

     

    Thanks,

    Michael

  • Hi,

    If you already have the phones setup on a separate VLAN (which you appear to have), and you can already see the UTM from the IPO, then it is just a question of adding a route on the IPO to tell it how to get to the Gamma SIP registration server. For that the WAN port is recommended.

    So adding a second VLAN using LAN2 on the IPO, and connecting to the UTM as its gateway should be the way to go. Be sure to add QOS and intrusion exception rules to this network.

    As you will end up with SIP traffic going over the UTM to both VLAN 120 and your new LAN2 VLAN, correct rules must be in place to allow.

    I can't qualify it as "the correct approach", but it has worked for me.

    Nick