VOIP not working over site to site vpn
sohand
Newbie ✭
Hey there
Changed public IP address on a TZ400 (sub office) and a TZ600 (Main Office)
Main office phones are working but since the change, sub office can hear the phone ringing but can't answer the call. They also can't make internal or external calls from the sub office. Wouldn't be too handy at the packet capture end of things
What do I need to check?
Category: Mid Range Firewalls
Answers
It is not a good idea to send VOIP traffic over a VPN. You haven't given us much info to work with. Is the PBX in house at the Main Office?
Sorry folks, just copped I never replied to this.
Turned out there was a second Broadband connection in the main office just for phones that I never copped.
Sub office had 2 VPNs set up, one for main network and 2nd for VOIP.
Can you tell me why you wouldn't use VOIP over VPN though? Not phone guys ourselves, someone else put the system in before we took over.
Separate company looks after phone system
The short version:
VoIP is sensitive to loss, bandwidth, packet fragmentation, and packet re-ordering since it is based around UDP. UDP just sends packets without handshake or confirmation. The biggest culprits of packet manipulation are VPN tunnels. VPN tunnels are great for connection-based protocols (TCP) as they are programmed to work out fragmentation / order before processing the data in the packet. Connection-less protocols are not good with manipulation (as mentioned above).
In layman's terms, you are more likely to run into garbled, jumbled, incoherent audio when running VoIP alongside other protocols over a VPN.
If you have a dedicated connection and VPN for VoIP you are less likely to run into issues, but they may still occasionally occur and there is essentially nothing you can do about it.
I run a distributed call center across many VPN tunnels with nearly zero issues.
@A_Elliott as so often in life, there is no definitive answer. I'm running plenty of VOIPs via VPN as well, because not struggling with NAT etc. is a big benefit of this. Whenever possible this is my first approach. It probably depends on multiple factors like available bandwidth, latency etc.
If anyone encounters the potential issues Tim@TKWITS described in detail, then it's probably time to have a dedicated link for VoIP only.
--Michael@BWC
I will also point out that DSCP tagging gets lost when encapsulated by a VPN tunnel until it is de-encapsulated on the other side. The VPN traffic traverses the internet with no prioritization over other protocols. Now whether or not your ISP adheres to customer DSCP tagging is another thing.
Like @BWC said, there is no definitive answer. If you have multiple protocols (applications) alongside VoIP over your VPN tunnels, but overall bandwidth usage and latency are negligible, then you won't likely have issues. If you have bandwidth intensive protocols (applications) crossing a VPN tunnel (thus increasing latency) with VoIP, then you'll probably run into issues.
Dear SOHAND,
Please inspect and unblock app controls, such as VPN, multimedia, or might you block so many apps that will affect VOIP?
Go to: Policy > Security Services > App Control > Signatures
Locate and unblock VPN and multimedia.