We have actively been configuring SDWan on our firewalls and it works great for general web surfing. The issue we are running into is with our phones connecting to our cloud phone provider.
Initially, SDWan was configured for all traffic to use the link with the best quality. Overall, this worked well, but we'd frequently get tickets indicating the phones would ring, but have no audio. I'd log in, check which interface was marked as the preferred Interface in SDWan, then check the active sessions from our voice VLAN and find the sessions established on the least preferred interface.
My guess is, the control session remains connected over the least preferred interface, but new RTP sessions are egressing the preferred interface and not setting up with our provider. I added an SDWan rule specifically for voice traffic using the primary interface only, and this greatly reduced the issue.
Today, our primary circuit dropped at a site and a lower SDWan rule allowed the control session to be re-established over the backup circuit, but when the primary circuit came back online, the audio issue started again.
Is there a way I can configure my voice SDWan rule so that once a session from a phone IP is established on a given egress interface, all subsequent connections also use that interface?
Denny
You probably want to set "set snat-route-change enable". This will cause sessions that are Source NATted to be cleared and re-established when a routing change occurs. In your case this means the SIP control session will get cleared when the preferred SD-WAN member becomes available and will be re-established on that link.
By default sessions that use SNAT will not get cleared when a routing change occurs...
Hi Graham,
Thank you for the response. Does this work with SDWan, where routing decisions are based on "best quality" and not necessarily an outage?
Yes it will. A policy route change (what SD-WAN uses) is still a routing change.
Hi Graham,
Your suggestion worked great for the voice traffic issue, but it wreaked havoc with other applications. Our locations connect to hosted RDGateway applications and each time SDWan made a routing change with this setting enabled, our users would get disconnected from the sessions. This would happen multiple times a day.
What I need is for something like an RTP session helper that will keep RTP traffic on the same interface as the control channel or if snat-route-change enable could be applied to my VOICE VLAN interface instead of globally. I would much prefer the first option so we can configure SDWan to use both circuits simultaneously, rather than primary/backup, like we're having to do now.
Denny