Converting 6x to ITSP - need NAT Keep-Alive

Posted: Thu Jun 09, 2022 3:13 pm
by mcbsys
Hi,

I've inherited an Allworx 6x (software 7.4.19.2) with three analog lines. Works fine with their on-premises 9212L handsets. I'm fairly familiar with VoIP (mostly 3CX these days) but not so much with Allworx.

I've connected the Allworx WAN to the LAN side of their ZyXel router/firewall. I set up a SIP Proxy with SIP Registration. If I click "Register Now" and dial in from outside right away, I reach the Allworx auto-attendant. But after a couple minutes--once the NAT session is dropped by the ZyXel--dialing in no longer works ("unavailable").

In the Allworx, I see NAT keep-alive options for handsets and port expanders. Is there also a way to tell it to send keep-alive packets to the SIP Proxy? Or do I have to give up on SIP registration and do it all IP-based, forwarding 5060 and the RTP ports in the router?

Thanks for any tips.

Mark Berry

Re: Converting 6x to ITSP - need NAT Keep-Alive

Posted: Thu Jun 09, 2022 4:33 pm
by wshrader
First, you've got to be kidding by leaving the Allworx on such an old version. Update that to v8.5 (if you have a license which you probably don't) or v8.4 (for free only with access to the Allworx partner portal).

Supporting this without it being on at least v8.0 is pointless.

However, I have noticed that the x-series seems to have the WAN and LAN ports hard-coded such that having a non-routable public IP address on the WAN port can cause problems. In newer versions there are 3 network modes. LAN Host (what I would suggest you use in this case), NAT/Firewall (if a public IP address will be assigned directly to the WAN interface), and NAT/Firewall with stealth (same as previous except PING is blocked).

Further, if the Zyxel is provided by the ISP, try disabling SIP ALG on the Zyxel or, depending on the model, adjusting the firewall settings. I would also suggest using a "next generation" firewall as your edge device instead of any ISP-provided router.

SIP ALG is probably the most likely cause since using SIP Registration usually mitigates problems caused by NAT.

Re: Converting 6x to ITSP - need NAT Keep-Alive

Posted: Thu Jun 09, 2022 4:48 pm
by mcbsys
Thanks for the quick reply. Not a partner so I'm making do with an old version. Forgot to mention I had disabled SIP ALG in the ZyXel, which is customer-owned. The Allworx is set up as NAT/Firewall with a non-routable IP on the WAN. It works fine as is for a couple minutes after the SIP registration.

BTW "LAN Host" is available in 7.4, but it says, "Another device on the Allworx LAN is the primary router to the Internet." This is not the case--the router is on the WAN side, not the LAN. The LAN is a completely separate IP range (and separate switch) used only for the phones.

Is there a way to get the Allworx to send a NOTIFY or other keep-alive to the SIP Proxy every 20-30 seconds? Pretty sure that's all I need. I don't even see a way to adjust registration frequency.

Re: Converting 6x to ITSP - need NAT Keep-Alive

Posted: Fri Jun 10, 2022 7:04 pm
by wshrader
Even in the current firmware it is not possible to adjust granular SIP settings. I can only speak from my experience with much more recent Allworx firmware. The registration timer is controlled by the SIP registrar itself. For example, typically, if everything is configured optimally, the SIP Proxy expires/renews registration every 60 minutes. If NAT is not configured correctly you might see this expiration at every 5 minutes, or 3 minutes or even every minute depending upon the SIP Proxy itself (SIP vendor's settings). I must reiterate the importance of updating the firmware on that 6x but if that is absolutely impossible, try using the Allworx either in LAN Host mode or (and this might suck for you) reconfiguring the network so that the LAN interface has access to the Internet so that you are not using the WAN port with a private IP address.

I work for an Allworx partner so I could, professionally, assist you with this. You also have the option of contacting Allworx to be directed to an Allworx partner located geographically close to you or at least determine the partner which probably sold/installed the server originally.

Re: Converting 6x to ITSP - need NAT Keep-Alive

Posted: Sat Jun 11, 2022 5:37 pm
by mcbsys
It took some doing but I think I got this working on 7.4 with NAT/Firewall mode and the Allworx WAN connected to the LAN side of the ZyXel. I'll know for sure when people are in the office Monday to test outbound and confirm two-way audio. The basic idea is to use IP-based rather than registration-based SIP traffic. Steps:

1. At the ITSP (Telnyx), configure the SIP connection to accept calls from the public IP of the customer network, without registration.

2. In the ZyXel, configure port forwarding for UDP 5060 (SIP) and 16384-32768 (RTP), accepting traffic only from the corresponding Telnyx IPs (https://sip.telnyx.com/). Destination is the LAN IP of the Allworx. This means inbound SIP traffic always goes to the Allworx, even without an outbound registration.

3. In Allworx:

a. Outside Lines > Direct Inward Dial Blocks/Routing Plans: set up the voice DID to route to the auto-attendant and the fax DID to route to the analog fax extension.

b. Outside Lines > Sip Proxies: uncheck SIP Registration required. At the bottom, under Call Route, choose Routed using DID Block(s) and check the two DIDs created above. This allows the single SIP connection to handle both numbers and route them accordingly.

If this is in fact working, and with the web UI not exposed to the public Internet, what would be the advantage of upgrading to 8.4? I can't find any release notes that describe that version.
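
As an added example (not part of the original post, and not Telnyx or ZyXel tooling): step 2 relies on the forwards for UDP 5060 and 16384-32768 accepting traffic only from the ITSP's addresses, and this Python check flags any forward in those ranges that is open more widely. The rule fields and the allowlist ranges (RFC 5737 documentation networks) are constructed placeholders.

```python
"""Audit port-forward rules for SIP/RTP exposure (added example, constructed data)."""
from ipaddress import ip_network

# Placeholder ITSP signaling/media ranges (RFC 5737 documentation nets),
# NOT real Telnyx addresses; take the real list from the provider.
ITSP_ALLOWLIST = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Ports the thread forwards to the PBX: UDP 5060 (SIP), UDP 16384-32768 (RTP).
VOIP_RANGES = [("udp", 5060, 5060), ("udp", 16384, 32768)]


def overlaps_voip(rule):
    """True if the rule forwards any port in the SIP/RTP ranges."""
    return any(
        rule["proto"] == proto and rule["port_lo"] <= hi and rule["port_hi"] >= lo
        for proto, lo, hi in VOIP_RANGES
    )


def audit(rules, allowlist=ITSP_ALLOWLIST):
    """Return (rule name, problem) for VoIP forwards open beyond the allowlist."""
    findings = []
    for rule in rules:
        if not overlaps_voip(rule):
            continue
        if not rule["sources"]:
            findings.append((rule["name"], "no source restriction"))
            continue
        for src in rule["sources"]:
            net = ip_network(src, strict=False)
            if not any(net.subnet_of(allowed) for allowed in allowlist):
                findings.append((rule["name"], f"source {src} outside ITSP allowlist"))
    return findings


# Constructed rule export; the field names are hypothetical, not a ZyXel format.
SAMPLE_RULES = [
    {"name": "sip-itsp", "proto": "udp", "port_lo": 5060, "port_hi": 5060,
     "sources": ["192.0.2.10/32"]},
    {"name": "rtp-itsp", "proto": "udp", "port_lo": 16384, "port_hi": 32768,
     "sources": ["198.51.100.0/25", "0.0.0.0/0"]},
    {"name": "sip-legacy", "proto": "udp", "port_lo": 5000, "port_hi": 5100,
     "sources": []},
    {"name": "non-voip", "proto": "tcp", "port_lo": 8443, "port_hi": 8443,
     "sources": []},
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```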

Re: Converting 6x to ITSP - need NAT Keep-Alive

Posted: Mon Jun 13, 2022 5:43 pm
by wshrader
If this allworx for you :lol:, congratulations!

As for the release notes, those are available by logging into the Allworx partner portal. They are also available under the Maintenance section for updating in newer versions. I cannot easily provide all the release notes (I wish I could attach files in this forum but I cannot) for v7.5, v7.6, v7.7, v8.0 (major re-design), v8.1, v8.2, v8.3 and v8.4. I think it suffices to say the benefit is not only stability and security improvements but functional improvements that probably would have made this entire thread unnecessary. v7.4.19.2 was released in 2014. v8.4.17.1 was released August 2020. 6 years of development. Is that not compelling?

Re: Converting 6x to ITSP - need NAT Keep-Alive

Posted: Mon Jun 13, 2022 6:02 pm
by mcbsys
Thanks again. This does seem to be working okay.

I usually am the one pushing to upgrade to a stable recent version and if they were to want to stay with this device long-term, I'd agree it needs updating. I do have reservations about companies that lock their systems to authorized vendors, though I realize there are arguments in favor of that as well. For now, if this is working and not a security risk, I can turn my attention to upgrading other software and hardware that is equally old and a greater risk for compromise and failure.

I appreciate your willingness to engage on all this!