Connection tracking: tcp established timeout

Hi Everyone,

I’m having a problem where our Cisco VoIP gateway doesn’t fail over to our backup WAN, because the established connection doesn’t drop. The VoIP gateway doesn’t attempt to reconnect unless I manually remove the session from the Firewall connections list.

Would it be okay to change the tcp established timeout from 1 day to 5 minutes, or will this introduce any other problems?

Changing the TCP connection timeout could have a negative impact on other things.

It’s really supposed to be the end points that have a keep-alive mechanism.

VoIP clients are supposed to register themselves with the server every x minutes. Often it’s 2 minutes. I’d look for those settings in the VoIP gateway before changing the TCP timeout.

Or a script that checks for a WAN change, then kills TCP connections based on the remote IP of a TCP connection.

My workaround for this is to dynamically insert action=reject reject-with=tcp-reset firewall rules for any packets still trying to go out the wrong interface. Since TCP can’t handle IP changes anyway, tearing down the connection to force a new one is a decent enough solution.
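The script-based workaround described in the last two replies, as an added example that is not part of the thread. It is written for RouterOS (which the 1-day tcp-established default and the reject-with=tcp-reset syntax point to); the interface name, the VoIP server and gateway addresses, and the netwatch trigger are all assumptions.

```routeros
# Added example, not from the thread. Placeholders: primary WAN "ether1-wan",
# VoIP server 203.0.113.10, primary gateway 198.51.100.1 watched by netwatch.
# One-time trigger setup (assumed):
#   /tool netwatch add host=198.51.100.1 interval=30s \
#       down-script="/system script run voip-failover" \
#       up-script="/system script run voip-failover"
# Save this body as /system script "voip-failover"; it runs on every state change.
:local primaryWan "ether1-wan"
:local voipServer "203.0.113.10"
:local ruleTag "failover-rst"
:local primaryUp ([/tool netwatch get [find host=198.51.100.1] status] = "up")

:if ($primaryUp) do={
    # Primary is back: remove only the rule this script added, nothing else.
    /ip firewall filter remove [find comment=$ruleTag]
    :log info "failover: $primaryWan restored, reject rule removed"
} else={
    # Primary failed: answer anything still routed out the dead link with a TCP RST
    # so the VoIP gateway sees the session die instead of waiting on stale state.
    :if ([:len [/ip firewall filter find comment=$ruleTag]] = 0) do={
        /ip firewall filter add chain=forward out-interface=$primaryWan protocol=tcp \
            action=reject reject-with=tcp-reset comment=$ruleTag place-before=0
    }
    # Flush tracked sessions to the VoIP server (matched on remote IP) so connection
    # tracking stops pinning them to the old path; the gateway then re-registers.
    /ip firewall connection remove [find dst-address~"^$voipServer:"]
    :log warning "failover: reset TCP sessions to $voipServer that used $primaryWan"
}
```

This leaves the global tcp-established timeout at its default, so the other long-lived sessions the first reply worries about are not affected; only traffic that would still leave via the failed link is reset.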