Fault description:
The IPSec tunnel between the headquarters and a branch was interrupted for various reasons, and voice calls did not recover after the tunnel came back up. The problem could only be cleared by restarting the firewall.
Problem analysis:
Before the restart, packet captures showed that after IPSec was restored, the voice traffic was still being sent to the public network through SNAT on the firewall instead of matching the IPSec tunnel.
Analysis showed that when IPSec is disconnected by some uncontrollable factor, the phones' normal UDP packets can be SNATed out to the public network and form a session (a failed state). Even after IPSec is restored, that failed session persists: the phone traffic no longer goes through the firewall's route lookup but keeps hitting the original session that was diverted to the public network, so the phones stay disconnected. Restarting the firewall clears the session and everything returns to normal. To handle this case, add a blackhole route, so that when IPSec is temporarily interrupted the route to the remote subnet is cut off at the same time (preventing calls destined for the IPSec peer from taking the public network route).
Processing method:
Add the blackhole route directly in the WebUI.
Or add it via the CLI:
config router static
    edit 1
        set gateway x.x.98.249
        set device "wan"
    next
    edit 2
        set dst x.x.1.0 255.255.255.0
        set device "dg-to-sz"
    next
    edit 3
        set dst x.x.2.0 255.255.255.0
        set device "dg-to-sz"
    next
    edit 4
        set dst x.x.1.0 255.255.255.0
        set distance 254
        set comment "IPSec1黑洞路由_for_phone"
        set blackhole enable
    next
    edit 5
        set dst x.x.2.0 255.255.255.0
        set distance 254
        set comment "IPSec2黑洞路由_for_phone"
        set blackhole enable
    next
end
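As an added illustration (not part of the original note or of any vendor code), the following Python model reproduces the analysis above: a stateful firewall reuses an existing session without a new route lookup, so a packet SNATed out during the outage keeps its public-network session after the tunnel recovers, whereas a /24 blackhole route at distance 254 drops the packet during the outage (creating no session) and yields to the tunnel route once it is back. The prefixes 10.1.1.0/24 and 10.2.2.5, the port 5060 and the distances are constructed stand-ins for the x.x.1.0/24 values in the note.

```python
import ipaddress

def best_route(routes, dst, up_ifaces):
    """Longest-prefix match over usable routes (interface up, or a blackhole,
    which has no interface); ties go to the lowest administrative distance."""
    dst = ipaddress.ip_address(dst)
    usable = [r for r in routes
              if dst in r["dst"] and (r["blackhole"] or r["device"] in up_ifaces)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r["dst"].prefixlen, r["distance"]))

class Firewall:
    """Stateful forwarder: an existing session is reused without a new route
    lookup, which is exactly what keeps the stale SNAT session alive."""
    def __init__(self, routes):
        self.routes = routes
        self.up = {"wan", "dg-to-sz"}        # "dg-to-sz" is the IPSec interface
        self.sessions = {}                   # (src, dst, dport) -> egress interface

    def forward(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.sessions:             # session hit: route table is not consulted
            return self.sessions[key]
        r = best_route(self.routes, dst, self.up)
        if r is None or r["blackhole"]:
            return "dropped"                 # dropped packets create no session
        self.sessions[key] = r["device"]     # "wan" here means SNAT to the public network
        return r["device"]

def route(prefix, device, distance, blackhole=False):
    return {"dst": ipaddress.ip_network(prefix), "device": device,
            "distance": distance, "blackhole": blackhole}

def run_scenario(with_blackhole):
    """Tunnel goes down, one voice packet is sent, tunnel comes back, packet resent.
    Returns the egress chosen for each packet (constructed addresses)."""
    routes = [route("0.0.0.0/0", "wan", 10),            # default route via WAN gateway
              route("10.1.1.0/24", "dg-to-sz", 10)]      # remote voice subnet via IPSec
    if with_blackhole:
        routes.append(route("10.1.1.0/24", None, 254, blackhole=True))
    fw = Firewall(routes)
    fw.up.discard("dg-to-sz")                            # IPSec interrupted
    during_outage = fw.forward("10.2.2.5", "10.1.1.20", 5060)
    fw.up.add("dg-to-sz")                                # IPSec restored
    after_recovery = fw.forward("10.2.2.5", "10.1.1.20", 5060)
    return during_outage, after_recovery
```

Without the blackhole route the scenario returns ("wan", "wan"), the stale public-network session described in the note; with it, ("dropped", "dg-to-sz").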