IPsec passthrough issue (WiFi Calling)

rasimoes · June 8, 2020, 1:45am

Hi,

I’ve noticed my iPhone is loosing the WiFi Calling registry a couple times a day…sometimes I’m facing call drops also.
I tried nearly everything to mitigate the issue…but no success.

Some details about my environment:

-No firewall filter rules
-Only a masquerade NAT rule on the PPPoE client interface
-Connection tracking enabled with default values

In the beginning, I thought the issue was on my mobile carrier…but testing with some other (cheap) routers, I’ve realized that the problem is gone…no more call drops or registry expiration.

The question is: may be the problem with RouterOS dealing with that IPsec tunnel between my iPhone and my mobile carrier? There is some NAT tweak to solve this kind of problem?

Thanks!

yottabit · September 7, 2020, 6:30pm

I have searched high and low, trying to figure out why an AT&T user using Wi-Fi Calling can no longer hear the remote party approximately 2-3 minutes after answering a call. (It seems to happen most often in the inbound direction, e.g., answering the call while using Wi-Fi Calling.)

I am unsure if it’s AT&T’s fault, or Apple iOS’s fault, but I have solved it. It seems to be the UDP connection tracking timeouts, associated with the phone’s IPSec tunnel to AT&T.

The default settings for udp-timeout and udp-stream-timeout are 10s and 3m, respectively.

I set them both to 6h after exhausting so many other settings, including IPSec firewall filter policies, fragmented packets in the filter and raw firewalls, UPnP, etc.

/ip firewall connection tracking set udp-timeout=6h udp-stream-timeout=6h

That solved the problem. Perhaps using a lower value than 6h would be fine, but I left it at 6h for now.

Next I will attempt to test whether this is an AT&T problem or an Apple iOS problem by verifying with my neighbors whether they use AT&T Wi-Fi calling with their Samsung Android phones.

inteq · September 7, 2020, 7:02pm

Using WiFi calling with default UDP timeouts and no problems here. Not with your provider tho.

2bn2t · March 2, 2022, 4:59pm

I’ve got similar troubles with iPhones and no special settings to help.

The Firewall is just pretty restriktive.

I feel like a Change from one AP to another triggers that for me.

Now I just set the UDP Timeouts to 1h and will test.

yottabit · March 2, 2022, 6:26pm

Sorry to say, this helped the situation but did not completely fix it. It seems the problem was triggered again whenever the user roamed between APs.

In the end, we had to turn on the Wi-Fi feature for their crappy AT&T U-verse gateway modem/router, and used a unique SSID so only the iPhones would connect to it. Everything else connects to MikroTik.

This is the only way we could solve the problem.

ajgnet · December 27, 2022, 3:31pm

Out of curiosity, are you using Unifi APs?