Palo Alto Networks Knowledgebase: SIP sessions don't re-establish after ISP failover

SIP sessions don't re-establish after ISP failover

Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:03 AM


When testing multiple ISPs, single ISP failover, or real world ISP issue, all traffic works except SIP. The SIP will not re-establish between phone and server. 


This issue is most likely caused by stale sessions due to the default timeout values for SIP traffic. When an ISP failover occurs, these SIP sessions stay alive for 1 hour (3600 seconds) and all SIP traffic is trapped by this session.


To verify, go to an SIP session in the session browser and check the timeout value. It should show something like 3600. 


Go to Objects > Applications > SIP. Under TCP Timeout (seconds) change from 3600 to 10. The lowest as changing it to 3 will be changed to 30 seconds.


Change the UDP timeout to 10 seconds.


This will allow the session to timeout in 10 seconds and connect to the new secondary ISP quickly. Using defaults when recovering from an ISP failover would normally result in the same. Changing the timeout allows the session to timeout for the Primary ISP to resume control just as fast.


The phones will also need to have their timeout values adjusted as well to ensure the heartbeat does keep the already established session going or new ones will constantly be created and 10 second old ones will be torn down.

Clearing SIP server traffic sessions will also resolve the issue.

  • Print
  • Copy Link

Choose Language