
Author Topic: IPSec Tunnels, MTU and DF Bits with Avaya IP Phones  (Read 4742 times)

Offline seabro

IPSec Tunnels, MTU and DF Bits with Avaya IP Phones
« on: March 20, 2014, 07:29:11 AM »
Hi all,

We are struggling with a problem that maybe someone here has experience of?

We have a central Avaya PBX with handsets sitting at a remote branch across an IPSEC tunnel.

Whenever the phone handsets lose connectivity (a WAN issue, for example), they can take hours to re-register.

Looking at a packet capture, I could see the larger packets were too big to traverse our IPSEC WAN without fragmentation, but coming out of the phone handset they have DF bit set.  I am guessing that the situation causes the registration packets to be dropped resulting in the failed registration.  Somehow, they register over the next few hours - I am not sure how.  This only affects random / varying handsets.

I have been unable to reduce the MTU using two 'techniques'.  Firstly I tried DHCP Option 26 and the other was to specify the reduced MTU (1376) in the config file that the telephones download on boot-up.

So in summary, we have important registration packets being discarded because their size is too big and their DF bit is set and we are struggling to fix it!

Voice comms are never a problem as the RTP packets are nice and small.

One way we did manage to get it to work, though it wasn't an ideal solution, was to have the firewall strip out the DF bit as the traffic traversed it en route to the IPSEC router. This worked but wasn't as good as having the phones send out smaller packets so fragmentation is not required.

I am guessing others using remote Avaya handsets across an IPSEC tunnel must have been here before us? Can anyone make any suggestions?

Thanks for any helpful opinions you can offer.

seabro
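Added example (not part of the original post): a small Python check that reads the IPv4 total length and DF bit from packet headers and reports whether each packet would be forwarded, fragmented, or dropped at a link with a given MTU. It assumes the tunnel MTU equals the 1376 figure quoted in the post; the sample headers, addresses, protocol numbers and the 200-byte RTP size are constructed for illustration.

```python
import math
import socket
import struct

TUNNEL_MTU = 1376  # assumption: figure from the post; use your tunnel's measured path MTU
DF_FLAG = 0x4000   # "don't fragment" bit in the IPv4 flags/fragment-offset field

def build_ipv4_header(total_len, df, proto=6, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed 20-byte IPv4 header for the demo (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       DF_FLAG if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def classify(header, mtu=TUNNEL_MTU):
    """Return (verdict, fragment_count) for a packet meeting a link of size mtu."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    if total_len <= mtu:
        return ("forwarded", 1)
    if flags_frag & DF_FLAG:
        # The router must drop the packet and answer with ICMP type 3 code 4
        # (RFC 1191). If that ICMP is filtered, the sender never learns the MTU.
        return ("dropped", 0)
    per_fragment = (mtu - ihl) // 8 * 8  # fragment payloads are multiples of 8 bytes
    return ("fragmented", math.ceil((total_len - ihl) / per_fragment))

# Constructed samples mirroring the thread: full-size registration traffic with
# and without DF (the firewall workaround), and a small RTP voice packet.
SAMPLES = {
    "registration, DF set": build_ipv4_header(1500, df=True),
    "registration, DF stripped by firewall": build_ipv4_header(1500, df=False),
    "RTP voice": build_ipv4_header(200, df=True, proto=17),
}

def report(samples=SAMPLES, mtu=TUNNEL_MTU):
    """Map each sample name to its (verdict, fragment_count)."""
    return {name: classify(hdr, mtu) for name, hdr in samples.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

To run it against a real capture, feed `classify` the IPv4 header bytes of each packet and look for `dropped` verdicts that have no matching ICMP "fragmentation needed" message coming back toward the phone.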


Offline seabro

Re: IPSec Tunnels, MTU and DF Bits with Avaya IP Phones
« Reply #1 on: March 26, 2014, 08:00:50 AM »
No answer, let me ask a different way.  Does anyone here run an Avaya IP phone system (9608 handsets) across IPSEC tunnels?  If so, do you find it a challenge that phones send 1500 byte packets with the 'don't fragment' DF bit set?

Offline bulyhome

Re: IPSec Tunnels, MTU and DF Bits with Avaya IP Phones
« Reply #2 on: June 21, 2014, 04:41:05 AM »
Hi,
Yes, in the past I have experienced the issues you described with the DF bit set on the packets from Avaya phones, but only when the IPSec tunnel involved Cisco routers (that completely ignored that flag for an unknown reason). The solution was to disable ALG default capabilities on the Cisco side.

Cheers