
How do you determine the number of NAT'd VoIP calls supported? Outbound VoIP calls thru a NAT device are failing.


Article ID: KB12156 KB Last Updated: 25 Aug 2011 Version: 4.0
Summary:
Outbound VoIP phone calls are made through a NAT device. All VoIP calls are NAT'd as they communicate with the Call Manager server on the Internet.
Symptoms:
Some of the outbound calls are failing due to NAT. With 'debug h323 all' and 'debug nat xlate' enabled, the following debug output is reported:
## 2008-08-18 10:36:43 : FastConnect: - Processing FastConnect parameters (36)
## 2008-08-18 10:36:43 :
FS machine - S:FS_S_INIT E:FS_E_SETUP_FS A:FS_A_EARLY_MEDIA
## 2008-08-18 10:36:43 : FS machine - state change: FS_S_INIT -->FS_S_OFFERED
## 2008-08-18 10:36:43 : FS machine - media action = MEDIA_NO_ACTION
## 2008-08-18 10:36:43 :
## 2008-08-18 10:36:43 : FS-Req - FWD Call:
## 2008-08-18 10:36:43 :   type=0 num=1 sess=1 ifp=ethernet1/1 RTP=0.0.0.0(0) RTCP=0.0.0.0(0)
## 2008-08-18 10:36:43 : FS-Req: No IP to translate
## 2008-08-18 10:36:43 :
## 2008-08-18 10:36:43 : FS-Req - BKW Call:
## 2008-08-18 10:36:43 :   type=5 num=2 sess=1 ifp=ethernet1/1 RTP=a.b.c.d(2308) RTCP=a.b.c.d(2309)
## 2008-08-18 10:36:43 : find reverse xlate info on ifp ethernet1/1
## 2008-08-18 10:36:43 :   cannot get reverse xlated ip and port for (a.b.c.d/2308)
## 2008-08-18 10:36:43 : a.b.c.d is the original ip address
## 2008-08-18 10:36:43 : (FWD) Policy xlate IP/port: a.b.c.d/2308 ifp: ethernet1/1->ethernet1/2 dip: 2 (Need: 0.0.0.0) (p:17)
## 2008-08-18 10:36:43 :   src IP xlation on a.b.c.d/2308 (DIP: 2) pack from private domain
## 2008-08-18 10:36:43 :   no VIP on ethernet1/2 (Root)
## 2008-08-18 10:36:43 :   no MIP for IP a.b.c.d on ethernet1/2
## 2008-08-18 10:36:43 :   error in dip with 2 ports for a.b.c.d/2308 (2) -> drop pak
## 2008-08-18 10:36:43 :   src IP DIP xlation error for a.b.c.d/2308 -> drop pak
## 2008-08-18 10:36:43 : ** fast req: error xlating IP/port a.b.c.d:2308
## 2008-08-18 10:36:43 : FastStart Error: - in OLC Request processing


Running 'get pport' shows that only 2 paired ports are available:
nsISG1000(M)-> get pport

Pseudo port information:
     All Ports           Single Ports             Paired Ports
  Index    Total    allocated - available    allocated - available
      0    64510          0       61384            0        3126
      1    64510          0       61384            0        3126
      2    64510          0       61384            0        3126
      3    64510          0       61384            0        3126
      4    64510          0       61384            0        3126
      5    64510          0       61384            0        3126
      6    64510          0       61384            0        3126
      7    64510          0       61384            0        3126
      8    64510          0       61384            0        3126
      9    64510          0       61384            0        3126
     10    64510          0       61384            0        3126
     11    64510          0       61384            0        3126
     12    64510          0       61384            0        3126
     13    64510          4       61380            0        3126
     14    64510          0       61384            0        3126
     15    64510          0       61384         3124        2
Solution:
Even if the Juniper firewall is handling fewer than the maximum number of VoIP calls it supports, calls can still fail once the number of NAT'd calls exceeds the maximum number of NAT'd VoIP calls supported. If the VoIP calls are NAT'd by interface NAT, the maximum number of calls depends on the number of paired ports shown in the 'get pport' output.

The maximum number of paired ports will depend on the hardware platform.  For example, on the ISG-1000 and ISG-2000, the maximum number of paired ports per pport index is 3126 (as indicated in the 'get pport' output above).  On the SSG-20, the maximum number of paired ports per index is 64.
Example:

ssg20-> get pport

Pseudo port information:
     All Ports           Single Ports             Paired Ports
  Index    Total    allocated - available    allocated - available
      0     2048         12        1972            0          64


The number of VoIP calls you can make is the number of paired ports divided by 2.  For the SSG-20, you have a limit of up to 32 VoIP calls, while on the ISG-1000, the limit is 1563.
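
The calculation above, applied to captured 'get pport' output, as an added example (not Juniper code). The function names and the `min_calls_left` threshold are assumptions, and the sample rows are constructed from the outputs shown in this article.

```python
import re

# Constructed sample: three ISG-1000 rows in the 'get pport' format shown above.
SAMPLE = """\
nsISG1000(M)-> get pport

Pseudo port information:
     All Ports           Single Ports             Paired Ports
  Index    Total    allocated - available    allocated - available
     13    64510          4       61380            0        3126
     14    64510          0       61384            0        3126
     15    64510          0       61384         3124        2
"""

# A data row is exactly six integers; prompt and header lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_pport(text):
    """Return one dict per pport index with NAT'd call usage and headroom."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, _total, _s_alloc, _s_avail, p_alloc, p_avail = map(int, m.groups())
        rows.append({
            "index": idx,
            "paired_alloc": p_alloc,
            "paired_avail": p_avail,
            # Per the article: number of calls = paired ports / 2.
            "calls_in_use": p_alloc // 2,
            "calls_left": p_avail // 2,
        })
    return rows


def near_exhaustion(rows, min_calls_left=10):
    """Indexes with fewer than min_calls_left calls of headroom (assumed threshold)."""
    return [r["index"] for r in rows if r["calls_left"] < min_calls_left]


if __name__ == "__main__":
    for r in parse_pport(SAMPLE):
        print(r["index"], r["calls_in_use"], r["calls_left"])
    print("low headroom on index:", near_exhaustion(parse_pport(SAMPLE)))
```

Run against periodic captures of the command, this flags an index such as 15 above before new NAT'd calls begin to fail.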


IMPORTANT NOTE:  If you have available public IP addresses, you can get around this limit by using DIP port-xlate instead of interface NAT.  If you use DIP pools, you can monitor port allocation with the 'get interface <int> dip detail' command.  The value to focus on is the allocated twin ports.
Example:

nsISG1000(M)-> get interface e1/2 dip 5 detail

 dynamic-ip       port-x   status    id  ports(sgl/twin)      host-ip         
 5.5.5.5           Yes    Free        5       0 /   362      
             

In this example, DIP 5.5.5.5 is using 362 twin ports, which corresponds to 362/2 = 181 calls.