Sip Trunks not working to 3300 MCD via Watch Guard Firewall

[Apersons]

Mitel 3300 on ver 8. 50 IP phones on 2 different subnets with 2 different buildings. System is currently hooked to a PRI circuit for trunking. Users have desk phones and some are multi device twinning to a cell phone. Router exists at both buildings. Both routers are WatchGuard. Main router is a Firebox M400. I don't know what type the 2nd building has. Under these circumstances, all services and calls work perfectly with 0 issues.

We switched to SIP trunking this morning and everything worked......for about 10 minutes. By the time we got on site, this was our list.

--Inbound and outbound calls with 2 way audio worked on subnet 1.
--Sip trunks would go out of service intermittently for no more than 4 minutes, then return to service automatically.
--Some calls in progress were reported to have dropped one side of the audio stream during the call.
--Twinned calls answered on a cell phone have no audio on subnet 1. one way audio on subnet 2.
--Subnet 2 can receive inbound external calls but cannot make outbound external calls.
--All internal calls work perfectly.

Once we switched from SIP back to PRI, all our problems disappeared.

Can anyone give me any idea of what to do to resolve this? I'm not familiar with Watch Guard firewalls. I know that ports were opened in the firewall for 5060 and the recommended RTP ports. Is there anything else we could possibly be missing?

[x-man]

We had real problems with Watchguard and SIP. Took ages for the IT guys to figure how to get it to work and then after a watchguard it all failed again and they couldn't get it working again. Luckily they had another broadband line with a draytek router on it, turned off SIP-Alg and it all worked tickety-boo. Gave up on the Watchguard. Mind you this was only 8 channels of sip.

[zac1234]

I realize that I am late to the party, but here are my 2 cents.

An MBG (or some sort of Outbound SIP Proxy) should be used.  If the SIP trunks are coming in over the internet then you would need an MBG in Server-gateway mode with one interface on the LAN and other on the internet.  Or you could make a DMZ on your firewall and put it in there.  The MBG would be in DMZ mode.

You can try port forwarding the appropriate ports to the 3300 for SIP and RTP, but you will have one-way audio problems.  When a call is up, a phone will send it's voice packets directly to the endpoint that it's trying to communicate with.  In your case, the other end point is the service provider.  If there were some way for the 3300 to stay in the audio path then you could probably get away without an outbound proxy.

Some phone systems, like Asterisk, let you keep the phone system in the audio path.  Keep in mind that doing so will result in more demand on the phone system.  It would be a terrible idea of a deployment of 100s of phones.

I'm currently on a quest to find out if it's possible to bring in SIP trunks to a 3300 without an MBG, but no luck so far.  I suppose it could work if all the extensions were analog.

[BlackSunshine]

I’ve never had any luck getting SIP trunks to work on 3300 without MBG or InGate Siparator Firewall.  The problem is the 3300 doesn’t have a NAT setup like Mitel 250. I’m sure some have luck with Sip trunks and 3300 without MBG just not me.

[Dogbreath]

Some phone systems, like Asterisk, let you keep the phone system in the audio path.  Keep in mind that doing so will result in more demand on the phone system.  It would be a terrible idea of a deployment of 100s of phones.

Yet 5000 works fine at staying in the media path with its puny CPU. Ideally there would be an option in MiVB for proxying the media, especially seeing as you can throw arbitrary amounts of CPU at a vMiVB, but it hasn't happened after all these years and I'm not expecting it to, either.

You either bite the bullet and buy MBG SIP licenses in addition to your MiVB SIP licenses, or use a third-party SIP gateway or you hope your edge device's SIP ALG is up to the task.