Remote Extensions Dropping Calls


I have two remote extensions setup via a FQDN. Regardless of being connected to an extension or an outside phone call, the call will drop after 2-3 minutes. Every time. Any ideas why this might be happening would be appreciated.

Also, would using OpenVPN be a better way to connect these remote extensions? I had a site to site vpn going and don’t recall having this issues. I just don’t want an open site to site for only phone use.


Remote extensions should never be configured on public IPs, for safety and for obvious operating reasons. A vpn is definitely recommended.


Fair enough. Does GS Wave connect via OpenVPN? Or any other softphone app that works with a UCM62XX?


how to manage the VPN you have to see it yourself, any SIP softphone connects to a sip server if you set it up correctly.


I got GS Wave working with the iPhone VPN setup with the corporate L2TP/IPSEC vpn and the local IP for the softphone. It’s a bit cumbersome for low level users to remember where the VPN connection is before openning GS Wave.

With all that said, I am still not sure this corrects my remote users from being dropped from calls after 2 minutes. I will update after all is configured.


First check that the extension has NAT enabled.

Then, make sure your RTP and SIP ports are forwarded correctly to the UCM.

On the UCM, under PBX Settings -> SIP -> NAT, make sure your external host is set to the FQDN and that “Use IP in SDP” in checked.

Also, on the remote extension, NAT mode should be set to STUN, whether it’s a phone or GSWave.

@damiano70 Having a remote extension in STUN isn’t bad as long as your firewall is secured and the UCM protections are enabled and configured correctly. I have many remote extensions on many systems and never had issues.

Remote extension help

@fmarcoux96 thanks for the info. Everything is set up as necessary except the remote extensions had NAT Transversal set to No. So I changed it to STUN, and we will see how that goes.

I saw in a video produced by GS that if you set the RTP Keep Alive to 1 in the TOS setting you do not have to port forward the higher port numbers, I believe it was the BFCP ports. I will need to revisit that video. I have it set to 1 but I also have it port forwarding as well. Any feedback on that would be appreciated.


STUN should not be activated for remote users over VPN.
and the NAT must not be activated on the UCM side extension.


if you have activated the appropriate ACLs.


This is a challange ,How can this be done effectivly you cannot dissallow by protocol your only option is to disallow by Ip ranges. Being a mobile device his Ip with change often based on his location only option is to block Ip range based on geographic location block out enitre countries.

To effectively trouble shoot dropped called you must have a trace to look or you just going to be guessing.


If using a VPN, then STUN is not needed. The remote looks local to the PBX, but you MUST add the remote private IP into the PBX, SIP Setings, NAT and local network, If this is not done, then the PBX will assume the device to be external and will formulate the message to tell the remote device to use the UCMs public IP rather than its private (over the VPN).

Keep alives send a packet of data at regular intervals which forces the router to open the ports needed for SIP messaging. Forwarding ports does not rely on such and in the event of a re-invite that might change things, forwarding avoids the issue.


what does that have to do with what I wrote?


Hi if you can eloborate on how to activate approriate ACL on the server side as this with be the point where the connection will be allowed or denyed.

My understanding of ACl are that they are an additonal layer of security based on a set of created rules that act like a firewall you then assign this acl to a subnet

  1. Where do these acl exist in order to activate them
  2. So if activating then they already exist with this be the default rule with some changes or a custome rule and custom how to craft such a policy
  3. What with be apporiate… in this scenario has the Source Ip with constantly change.

I have found it easy to create ACL for internal use or where the socurce and destination IP is know . I am keen to get this correct so has to impplement better security in the future. how do you create a rule based on a changing Source IP

Thank you


ACLs are something else, if you want to help you have to give them advice, you don’t have to comment on me if you don’t even know what I’m talking about.
Thank you.


Telecom -

You are correct in that remote devices such as mobile phones will present a challenge. They may use Wi-Fi or cellular or even have an ISP that will only allow DHCP rather than static.

ACL is typically referred to as an “Access Control List”. The following offers a pretty good explanation of an ACL and Firewall.

I use the firewall and can set rules that will examine the packet and allow me to allow or deny access. The issue of course is that denying is based upon IP. So, you have to know, create or find out what IPs may be involved or, create a VPN solution. In the US, I can generally determine the IP ranges in use by many of the celllar carriers and can add these into my rules. While it may allow someone to still try and hack, not many will do so using cellular, but the risk is there.

The bottom line is that if possible, use a VPN, if not then find out and try and filter as much as possible to minimize the risk and then monitor to assess the vulnerabilities and close what you can.


FWIW, according to Grandstream, NAT should always be activated on the extension. On the the Trunk, it depends on the setup (in my experience it is always turned off). Of course, this assumes you have setup your SIP NAT setting correctly.


as long as the translation does not change the meaning of what I said, I mean that the NAT on the UCM side extensions should never be activated.


Came across this when I was doing my Cisco security cert.
Exactly acl = stateless and firewall = stateful

@ Damino " if you want to help you give advice." so I ask you again .Since you failed to calrify what do you mean by activate the apporiate ACL Do not assume you talking to fools all of the time please sir I am more than capable of undersanding what you talking about threfore I asked you what is your idea of actiavting the appropriate ACL rules. peharphs post an example of such a rule so that you may assit the OP with his problem. I see no harm in asking you what are the apporpirate rules since has you say you give advice to help so your solution was not complete. I hope this now helps you to help others thank you. I await to see what an apporiate rule looks like to relosve OP orignal issue and you can be sure that i will undertsand you.


And I am saying that the Official Grandstream recommendation is that it should always be on.

Enough said.


if I have well understood the NAT on the UCM side extensions according to what you say should be active both if an extension is local and remote?

Just so you know, I mean the NAT on the screen below: