What are the recommended NAT keep-alive settings?
GoToConnect handsets initiate connections to the GoToConnect cloud infrastructure and use NAT keep-alives to keep the binding open. If your firewall drops these NAT keep-alives or ‘prunes’ bindings more aggressively than every 300 seconds, the handsets will not function properly: they will be able to call out, but will not receive inbound calls (inbound calls will go straight to voicemail).
The following settings are recommended:
Increase UDP Timeouts
- UDP sessions are typically given shorter timeout intervals on firewalls. The default for most is 30 seconds, which is too aggressive for an application like SIP. Increase UDP timeouts to a minimum of 90 seconds; our recommendation is 300 seconds or longer.
- If your firewall allows that distinction, you can increase timeouts for SIP sessions only rather than for all UDP sessions. Make sure the timeout is at least 300 seconds for UDP ports 5060, 5061, 5080, 5081, and 5082, as those are the standard SIP ports that GoToConnect uses, and most user agents (phones) use them as well.
Enable Consistent/Persistent NAT
- Just as the NAT binding should not be dropped or pruned, keeping the NAT binding (public IP and UDP port) the same for each phone’s internal private IP address and port pairing helps an application like VoIP. If that binding changes suddenly, there will be a discrepancy between the IP and port to which the VoIP server thinks it should be sending requests and the phone’s current binding in the firewall.
- For example, a phone can make calls because NAT is working, but can’t receive calls because the VoIP server hasn’t received a new REGISTER request from that phone since the binding changed and is still sending requests to the old IP and port pairing.
- Most of the other settings are generic, whereas this one is more vendor-specific (SonicWall and Juniper, for example). It is a recommended setting if your firewall has it available, but unlike the other settings, it is not usually an issue if it cannot be configured.
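
To check a firewall against both recommendations above, the following added example (not GoToConnect code) audits a NAT binding log for SIP bindings pruned before 300 seconds of idle time and for bindings whose public IP and port changed. The log format, the sample addresses and the names `audit_bindings` and `Finding` are assumptions made for illustration; adapt the parsing to whatever your firewall exports.

```python
from collections import namedtuple

SIP_PORTS = {5060, 5061, 5080, 5081, 5082}  # UDP ports named in the article
MIN_IDLE_TIMEOUT = 300                      # seconds, the article's recommendation

# Constructed sample. Hypothetical format, one NAT binding per line:
# <start_s> <internal ip:port> <external ip:port> <dst_port> <idle_s_at_expiry or "-">
SAMPLE_LOG = """\
0 10.0.0.21:5060 203.0.113.5:40001 5060 30
45 10.0.0.21:5060 203.0.113.5:40877 5060 -
0 10.0.0.22:5060 203.0.113.5:40002 5061 300
400 10.0.0.22:5060 203.0.113.5:40002 5061 -
10 10.0.0.30:53124 203.0.113.5:41000 53 30
"""

Finding = namedtuple("Finding", "kind internal detail")


def audit_bindings(log_text):
    """Return findings for SIP bindings pruned too early or remapped."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    rows.sort(key=lambda r: int(r[0]))  # stable: keeps per-phone order
    findings = []
    last_external = {}  # (internal, dst_port) -> last external ip:port seen
    for _start, internal, external, dport, idle in rows:
        dport = int(dport)
        if dport not in SIP_PORTS:
            continue  # only SIP signalling flows are in scope
        key = (internal, dport)
        previous = last_external.get(key)
        if previous is not None and previous != external:
            # Non-persistent NAT: the server still targets the old pairing
            # until the phone sends a new REGISTER.
            findings.append(Finding("binding_changed", internal,
                                    f"{previous} -> {external}"))
        last_external[key] = external
        if idle != "-" and int(idle) < MIN_IDLE_TIMEOUT:
            findings.append(Finding("short_timeout", internal,
                                    f"pruned after {idle}s idle"))
    return findings


if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_LOG):
        print(f.kind, f.internal, f.detail)
```

A phone that shows both findings, like 10.0.0.21 in the sample, matches the symptom described above: outbound calls work, inbound calls go to voicemail.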