What are the required NAT keepalive settings?
Our handsets initiate connections with our cloud infrastructure and use NAT keepalives to keep the binding open. If your firewall drops these NAT keepalives or ‘prunes’ more aggressively than every 300 seconds, the handsets will not function properly. They will be able to call out, but will not receive inbound calls (inbound calls will go straight to voicemail).
The following settings are required. If updates need to be made, please contact your IT provider or ISP.
Increase UDP Timeouts
- UDP sessions are typically given shorter timeout intervals on firewalls. The default for most is 30 seconds, which is too aggressive for an application like SIP. Increase UDP timeouts to a minimum of 90 seconds; our recommendation is 300 seconds or longer.
- If your firewall allows for that specific delineation, you can increase timeouts for SIP sessions only rather than for all UDP sessions. Just make sure to set timeouts of at least 300 seconds for UDP ports 5060, 5061, 5080, 5081, and 5082, as those are the standard SIP ports we use (as do most user agents, i.e. phones).
Enable Consistent/Persistent NAT
- Much like ensuring that the NAT binding does not get dropped or pruned, ensuring that the NAT binding (public IP and UDP port) remains the same for each phone's internal private IP address and port pairing will help with an application like VoIP. If that binding were to change suddenly, there would be a discrepancy between the IP address/port to which the VoIP server thinks it should be sending requests and the phone's current binding in the firewall.
- For example, a phone can make calls because NAT is working, but can't receive calls because the VoIP server hasn't received a new REGISTER request from that phone since that binding changed and is therefore sending requests to the old IP address/port pairing.
- Most of the other settings are generic, whereas this one is more vendor-specific (SonicWall and Juniper, for example). It is a recommended setting if your firewall has it available, but unlike the other settings, it is not usually an issue if it cannot be configured.
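The interaction between the UDP timeout and consistent NAT described above can be seen in a small model. This is an added example, not vendor code: the `Nat` class, the 45-second keepalive interval, the 3600-second REGISTER interval, the phone address and the port pool are all assumptions chosen for illustration.

```python
from itertools import count

class Nat:
    """Simplified UDP NAT: one binding per private endpoint, pruned when idle."""
    def __init__(self, udp_timeout, consistent):
        self.udp_timeout = udp_timeout   # idle seconds before the binding is pruned
        self.consistent = consistent     # reuse the same public port after a prune
        self.ports = count(40000)        # constructed public port pool
        self.table = {}                  # private endpoint -> (public port, last outbound)

    def outbound(self, src, now):
        port, seen = self.table.get(src, (None, None))
        expired = port is None or now - seen > self.udp_timeout
        if expired and not (self.consistent and port is not None):
            port = next(self.ports)      # fresh mapping: the public port changes
        self.table[src] = (port, now)
        return port

    def inbound(self, port, now):
        for src, (p, seen) in self.table.items():
            if p == port and now - seen <= self.udp_timeout:
                return src               # live binding: packet reaches the phone
        return None                      # pruned or remapped: packet is dropped

def inbound_call_delivered(udp_timeout, call_at, consistent=False,
                           keepalive=45, register_every=3600):
    """True if a call sent at `call_at` seconds reaches the phone.
    keepalive and register_every are assumed intervals, not vendor values."""
    nat, phone, contact = Nat(udp_timeout, consistent), ("10.0.0.20", 5060), None
    for t in range(call_at + 1):
        if t % register_every == 0:
            contact = nat.outbound(phone, t)   # REGISTER: server learns the binding
        elif t % keepalive == 0:
            nat.outbound(phone, t)             # keepalive: refreshes only the firewall
    return nat.inbound(contact, call_at) == phone

if __name__ == "__main__":
    for timeout, at, sticky in [(30, 100, False), (300, 100, False),
                                (30, 100, True), (30, 130, True)]:
        ok = inbound_call_delivered(timeout, at, sticky)
        print(f"timeout={timeout}s consistent={sticky} call@{at}s ->",
              "rings" if ok else "voicemail")
```

In this model, consistent NAT with a 30-second timeout only delivers the call while the most recent keepalive is still within the timeout window, which is why the timeout increase is the required setting and consistent NAT the recommended one.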