I still have the case open with support and they are currently researching the issue. I sent them over my techsupport files and they were able to reproduce the problem on their lab setup.
Currently, this is what I have suggested my colleagues to do:
1. Every time they see an ISP failover, log in to a CLI session and issue the following:
a. show session all filter application sip
b. show session all filter application unknown-udp
Now if all your phones are already registered with your provider, they should all show up on these two commands. It would be nice to have the firewall accurately detect the SIP traffic instead of classifying it as unknown-udp. Now to clear the sessions, all you have to do is issue:
a. clear session all filter application sip
b. clear session all filter application unknown-udp
In regards to performance - this will depend heavily on the number of phones you have. Simply put, the firewall would have to process approximately 'N' new sessions every 'X' seconds, where 'N' is the total number of phones you have and 'X' is the SIP registration interval. Now, I wouldn't try and do this either, as again this is not a scalable solution.
I am trying to tackle this from a different perspective. If you notice, not all customers who have VoIP phones and use PAN as their firewall are having this issue (if everyone did, there would be an uproar). So it must be something very specific tied to your VoIP provider or your phone manufacturer.
For example, we use Polycom phones with Vocalocity as our provider. Using Wireshark I observed that, when the phone is not currently on a call, a SIP registration packet is sent out approximately every 15 seconds. I also monitored this phone's session on the firewall itself and confirmed that the TTL is reset every 15 seconds approximately. Now, I logged in to the phone, and I have an option called NAT keep-alive under network settings that is set to 15 seconds. So, I am currently working with my VoIP provider to see if we can make changes to our phone configuration packages.
However, at the end of the day, PAN should clear the sessions if there is a failover. I cannot think of a reason why the firewall would not want to do that. I hope we will see a solution to this in the next release scheduled in February.
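The check-and-clear procedure from step 1 above, scripted against the PAN-OS XML API, as an added example (not the poster's code or anything from PAN). It assumes an API key in the PANOS_API_KEY environment variable, the firewall host in PANOS_HOST, and that op commands take the usual one-element-per-CLI-keyword XML form; the reply shape (response/result/entry) is likewise an assumption.

```python
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

APPS = ("sip", "unknown-udp")  # the two app-ids inspected after a failover


def session_cmd(action: str, application: str) -> str:
    """Build the XML form of 'show|clear session all filter application <app>'.
    Assumed here: op commands nest one element per CLI keyword, with the
    trailing argument as the innermost element's text."""
    if action not in ("show", "clear"):
        raise ValueError("action must be 'show' or 'clear'")
    if not application.replace("-", "").isalnum():
        raise ValueError("unexpected characters in application name")
    return (f"<{action}><session><all><filter><application>{application}"
            f"</application></filter></all></session></{action}>")


def api_op(host: str, key: str, cmd_xml: str, timeout: int = 10) -> str:
    """Run one op command via the XML API (type=op). TLS certificate
    verification stays at urllib's default (on); the key is never hard-coded."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": key})
    with urllib.request.urlopen(f"https://{host}/api/?{query}", timeout=timeout) as resp:
        return resp.read().decode()


def count_sessions(response_xml: str) -> int:
    """Count <entry> elements under <result> in a 'show session all' reply
    (response/result/entry is this example's assumed reply shape)."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"API error: {response_xml[:200]}")
    return len(root.findall("./result/entry"))


def failover_cleanup(run, apps=APPS, dry_run=True) -> dict:
    """Report and, unless dry_run, clear lingering sessions per app-id.
    'run' is a callable taking a command XML string and returning the reply,
    so it can be api_op in production or a fake in tests."""
    counts = {}
    for app in apps:
        counts[app] = count_sessions(run(session_cmd("show", app)))
        if counts[app] and not dry_run:
            run(session_cmd("clear", app))
    return counts


if __name__ == "__main__":
    host, key = os.environ["PANOS_HOST"], os.environ["PANOS_API_KEY"]
    print(failover_cleanup(lambda c: api_op(host, key, c), dry_run=False))
```

Run it with dry_run=True first to confirm the counts match what the CLI shows before letting it clear anything.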
I have some news (bad or good - it depends)
My problem was finally recognized. In short:
There is a certain counter 'ctd_tdb_changed' that can be triggered during content / AV upgrade which will cause long lived SIP sessions to switch from 'layer7 processing : enabled' to 'layer7 processing : completed'. This can be viewed in 'show session id x' output for the sip session.
Once the SIP session is 'completed' then ALG/predict session will not function properly.
BUT it may be fixed in 6.x PAN !!! (according to current information)
Please ask your local Sales SE to push for this fix to be made available in 5.0.x