Firewalls are a common cause of SIP registration failure where the firewall blocks incoming traffic as part of the normal SIP registration process.
To explain, the process of any SIP registration consists of sequential number of requests and challenges between your handset and our registration server. The underlying logic is our systems authenticate your username and password credentials storing your IP address and port number at successful registration. On our side we redirect incoming calls to the phones last recorded registered IP address and port. If your router blocks our incoming traffic, the call will fail.
Registration – Inbound only
We don’t require you to register to make an outbound call as we check your credentials on each call. Registration is merely the mechanism we use to direct incoming calls through to your router/firewall and ultimately phone or PBX (if using registration).
For security, routers are oblivious to the requirements of SIP and by design, regularly close the ports required to communicate with the PBX or handset. Resetting the phones “Keep Alive” values down from 3600 seconds (1 hour) to 180-second intervals, is generally well inside the period most routers close their incoming ports. This means every 3 minutes your phone updates our registration server with its latest IP address and port setting. When an incoming call is received to our network, we can be confident of your IP and port numbers.
- SIP ALG: We recommend disabling SIP ALG as most implementations outside of Juniper and Cisco incorrectly modify SIP and ultimately corrupt SIP packets rendering them unreadable causing unexpected behaviors such as registration and incoming calls failing.
- TLS: This is a reliable workaround that alleviates interference caused by SIP ALG as TLS packets are encrypted ultimately preventing corruption. To use TLS set your phones or endpoints to port 5061.
- Port Forwards: If port forwarding set UDP port 5060 or TLS 5061 to your device. Additionally, we recommend set the firewall access control lists (ACL) to limit to traffic on 5060/5061 to our trunking IP address (220.127.116.11) or our subnet 18.104.22.168/24.