Phones behind SBC failover to Direct SIP / STUN?

Discussion in '3CX Phone System - General' started by loyer, Feb 12, 2018.

Thread Status:
Not open for further replies.
  1. loyer

    Does anyone know if phones at a remote location behind an SBC will fall back to Direct SIP / STUN if the SBC is unavailable?

    I am monitoring the firewall of the remote location and see that the phones appear to be connecting directly to the 3CX PBX via port 5060 even though they are configured to use the SBC which is installed locally. I also see the SBC connection in the firewall too. Just not sure why I would see the phones directly connecting as well.

    Any thoughts?
     
  2. leejor

    leejor Well-Known Member

    It may depend on the set, and options. Some allow a second server address. I wasn't aware that 3CX deliberately makes use of anything like that. What make/model sets are you using?

    It sounds as if the sets were just not provisioned to use the SBC.
     
  3. loyer

    The phones are definitely provisioned to use the SBC. On the Phones page of the 3CX management admin, the IP shows that it is coming in via the SBC but I don't think the traffic really is. See screenshots below. The first one shows the 3CX phone page. The second one shows the firewall at the remote site showing the outbound traffic over 5060 directly to our 3CX PBX server.

    I am using Yealink SIP-T48S with the standard 3CX template fully updated to SP3 and the phone firmware at the latest.

    [​IMG]

    I cut out the details above in the 3CX Phones page screenshot but you can see the IP shows they are coming from the SBC (that is how they are configured).

    But in the firewall (both at the 3CX PBX and the firewall at the remote location), the traffic shows them coming in direct over 5060. I will say that the phones were initially provisioned using direct sip / stun, but then later were updated to SBC.

    Below is the screenshot of the firewall at the remote site showing outbound traffic from the individual phones hitting the IP of our 3CX PBX on port 5060 directly.
    [​IMG]
     
  4. loyer

    Also, just to be clear, I have checked out the logs of the Windows SBC controller and increased the log settings to VERBOSE and can see that the phones are communicating with the SBC.

    My theory is that the SBC is having a problem (yet to be figured out). The phones initially try and connect via the SBC. When they fail, they seem to fail back to Direct SIP / STUN, and connect directly to the 3CX PBX server. If this is the case, then that is a great feature.... but it would also be great to know that this is happening.
     
  5. loyer

    I think I might have found something! I logged into the Yealink T48S web admin page and under the Account configuration near the bottom, in the section for Outbound Proxy Server (which is configured to hit my local SBC) there is an option for "Proxy Fallback Interval". It is described as:

    Description:
    It configures the time interval (in seconds) for the IP phone to detect whether the working outbound proxy server is available by sending the registration request after the fallback server takes over call control.

    You can define two outbound proxy servers so this probably is just for switching between the two proxy servers, but I bet that Yealink is monitoring the proxy and if it fails, then it switches to the original settings without the proxy (these settings are still defined in the SIP Server 1 data).

    So, I don't think it is the SBC doing any intelligent failover .... but rather the Yealink T48S phones are seeing the SBC fail so it is switching back to the Direct SIP / STUN settings. So the phones still work ..... BUT not great. They still have all the issues of phones without the SBC.


    This is so annoying... there has to be an easier way to figure out if your SBC is working!!!! 3CX please build some monitoring into your SBC and display the status on the 3CX PBX admin! Please.
     
  6. eddv123

    eddv123 Well-Known Member

    Hi Loyer,

    I predominately use the SBC for Raspberry Pi, and I find it relatively easy to find out whether the SBC is registered to 3CX - that being said I am not saying I would like visual recognition in the 3CX Management console interface (like you get with the bridge). There is an ideas page for this feature also which is "in progress": https://www.3cx.com/community/threads/3cx-sbc-status-in-admin-gui-in-progress.42985/

    Ways in which I would recognize that the SBC is registered currently would be:

    Phones list in 3CX. I use Yealink phones also, a good way to tell if the SBC is up and running is the phones list (a supported phone will appear bold in this page with SBC: and the address in front of it).

    You can also run your VERBOSE logs in 3CX and look at the 3CX Tunnel log, this would give you some ideas as to whether registration was successful or not.

    In the Linux or Raspberry Pi versions you can also use the command "service 3cxsbc status" to check if the service is running on the SBC. However if you want further information then you can also tail the VERBOSE logs and detect for errors.

    All that you would need is to enable VERBOSE logging on the SBC and then tail the log file and look for lines that contain: KA sent: X

    Where X is an incrementing number that keeps going up by one while a registration is active.
    If the registration drops, this is reset back to 1.

    Also as far as your initial question about failing over between SBC and STUN I would have to say that although I have not tried this I do not think that this would work as a fail-over as you can either provision the phones via SBC or STUN separately, not both as standard - perhaps with a custom template it might be possible but I have not heard of anyone doing this.

    Also you have the issue that if provisioned for STUN the MAC address is "hard coded" for 14 days by 3CX.

    One thing I can tell you (as I tested it the other week for a customer) is that if you provision a 3CX Phone via STUN and want to move to SBC, if you remove the STUN extension from 3CX, reset the phone and connect via SBC you can provision it over via SBC without having to contact 3CX about removing the MAC.

    Obviously this is manual intervention which would not suit your fail over scenario but useful to know.
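
The "KA sent: X" check described in the post above, as an added example that is not part of the original thread or 3CX's own tooling: a Python scan over SBC VERBOSE log lines that flags every point where the keep-alive counter resets. Only the "KA sent: X" token comes from the thread; the timestamp prefix, the sample lines and the function names are constructed for illustration.

```python
import re
import sys

# Only the "KA sent: <n>" token is taken from the thread; whatever else is on
# the line (timestamp, separator) is an assumed layout and is ignored.
KA_RE = re.compile(r"KA sent:\s*(\d+)")

# Constructed sample, not real SBC output.
SAMPLE_LOG = """\
2018-02-13 09:00:01 | KA sent: 1
2018-02-13 09:00:31 | KA sent: 2
2018-02-13 09:01:01 | KA sent: 3
2018-02-13 09:01:20 | tunnel connection lost (constructed line)
2018-02-13 09:02:05 | KA sent: 1
2018-02-13 09:02:35 | KA sent: 2
"""

def find_registration_drops(lines):
    """Return (line_no, last_count, new_count) for every counter reset."""
    drops, prev = [], None
    for line_no, line in enumerate(lines, 1):
        match = KA_RE.search(line)
        if not match:
            continue
        count = int(match.group(1))
        # While registered the counter only climbs; a value that goes back
        # means the registration dropped and a new one started.
        if prev is not None and count <= prev:
            drops.append((line_no, prev, count))
        prev = count
    return drops

def summarize(lines):
    """Summarise keep-alive activity for a dashboard or alert rule."""
    lines = list(lines)
    counts = [int(m.group(1)) for m in map(KA_RE.search, lines) if m]
    return {"keepalives_seen": len(counts),
            "current_count": counts[-1] if counts else None,
            "drops": find_registration_drops(lines)}

if __name__ == "__main__":
    # Pass a log file path, or run with no arguments to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_LOG.splitlines()
    print(summarize(source))
```

A log that starts mid-stream (for example from `tail`) is not reported as a drop, because the first counter value seen has nothing to compare against.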
     
  7. loyer

    Hi eddv123, thanks for the reply.... few questions...

    1) I posted a screenshot of my phone list and it does show the IP in front of the SBC e.g. "192.168.0.52:5065 via SBC 192.168.0.251:5060" BUT it is NOT bold. Does it have to be bold? Maybe if it isn't bold that means it isn't connected?

    2) I am using Windows SBC. I see the service running and can see the connections open. On Windows I do that at the cmd prompt: netstat -ano. If you look up the PID in Task Manager then you can filter this list by typing: netstat -ano | findstr <PID>, e.g. netstat -ano | findstr 3456

    So I know the SBC is running, I know it is connected to the PBX server. I have enabled VERBOSE (and turned it off again) to get the details. I just didn't know what to look for in the logs. I will check what you suggested (KA sent: X)

    3) The reason why my phones were provisioned with STUN initially is because I was setting up all the phones off site and then shipping them to the remote location. To get the phones initially provisioned and setup, I provisioned them with Direct SIP / STUN and then when the user plugged the phone in at the office, I would switch the provisioning to SBC and reboot the phone. It seemed to work.

    4) WOW !!! WAIT really??? hard coded for 14 days??? Why, that seems a little crazy/extreme? Is this a known thing? Meaning did I just miss that.... I suppose that could be my issue. Any way to see if that is happening either in the logs or in the web management?

    Thank you eddv123, I have been working on this all day yesterday until late at night. I have a case open with 3cx support but that isn't going anywhere fast.
     
  8. eddv123

    eddv123 Well-Known Member

    I will answer your questions consecutively:

    1) Bold text across SBC is no different from phones on the local LAN.

    Bold = unprovisioned/not added to an extension.
    Un-bold (I guess we can call it) means that the phone is connected to an extension.

    2) In regards to the logging, that is the logging you would see on Linux or Raspberry Pi, the Windows version I think may be different.

    3) I don't like using STUN myself, too many ports to open and traffic has to pass back to the PBX for each extension (unlike the SBC where traffic stays local). What I do for drop shipments of phones (again with Raspberry Pi) is set up the SBC on it and leave it with DHCP enabled for local LAN (there are no other remote network parameters required/that will affect the SBC when deployed) this way when your engineer goes to site they can plug in the SBC with the phones and simply add via the management console.

    Where I appreciate with STUN as long as the network is set up correctly you can plug and play I think the extra step with the SBC is a small point compared to the benefits it has over STUN.

    4) Yes this has always been the case (I am not aware of any recent changes to this behavior - for example with SP3's recent release).

    What you could do is send an email to support with pictures of the MAC addresses and ask them to release them. Other than what I said in my last mail about the SBC this is the only other known way to release the binding. Worth checking with them.
     
  9. loyer

    Hi eddv123, thanks again for your reply.... question about what you said for doing it yourself... when you say "remove the STUN extension from 3CX" do you mean.... remove the STUN phone from the extension? I wouldn't be able to delete people's extension, their voicemail, and start all over --- the users would go crazy. If I just had to remove the phone from the extension, then maybe. Please confirm?

    And when you say "reset the phone" you mean back to factory defaults, right?

    Thanks again.
     
  10. eddv123

    eddv123 Well-Known Member

    If you cannot remove the extension then you will need to contact support with the MAC codes.
    And yes I mean full factory reset.
     