I have an employee who has recently switched to Xfinity cable service. Ever since they switched their internet service, their work phones will not stay registered for more than about 3 minutes.
These same phones have been used on many ISPs without issues. The same config has been used behind multiple levels of NAT without issues.
She was fine until she switched to Xfinity.
Of course, Xfinity support is absolutely worthless.
Anyone from Xfinity Tier 3 or such that might be able to offer assistance?
I suspect it's something stupid with either NAT overload in the modem or the modem not keeping the SIP channels open.
I've tried playing around with registration times without any success. And again, we've never had issues with these phones or this setup with any other ISP.
Your message is timely for me. I literally have the exact same issue. I set up phones for my daughter's home and she got Xfinity. Everything worked for a few minutes, then I could not keep the phones registered after that.
Are you aware of whether or not Xfinity is doing CGNAT for either of you? Googling, I get conflicting results, some saying they use CGNAT, some saying they don't. If they do, I wonder if their CGNAT routers have SIP ALG enabled or disabled. Unfortunately, these are the sorts of questions I suspect first level support can't help you with.
Have not tried TLS... but yes I reduced the registration frequency to something absurd like 60 seconds and it still would timeout after about 3 minutes.
Two things that seem to help whenever I’m dealing with bizarre Comcast issues…have her call in and:
Ask for “Security Edge” to be disabled if it’s enabled (last time we did this Comcast told us they couldn’t permanently disable it unless we paid a lot more per month for service and it would automatically enable every reboot, but another rep permanently disabled it for us)
Ask them to disable “Smart Packet Detection” if she’s using a router that has that feature
Those two features seem to mess with a lot of traffic–specifically DNS (re-routing any unencrypted DNS request to Comcast’s own servers) and SIP.
Of course enabling TLS for your SIP connections would probably help significantly–not just with connectivity, but security.
At my previous MSP $dayjob, I ran into a few clients with Xfinity and Spectrum who both would mess with our VoIP solution UNLESS we enabled TLS SIP registration; we already used TCP on a non-5060 port by default to help with UDP timeouts and such.
Now the RTP traffic could stay clear UDP, this was just the SIP part.
If you're using SRTP and passing keys in the SDP announcement, it would be rather pointless. I don't know how common it is to do the inline keying for SRTP, which I understand is how VoLTE works, but seriously I can't imagine why anybody would not use SIPS: nothing good can come of that.
Same experience here, with Comcast, at least 15 years ago. What was striking was that the tunnel had to be encrypted; plain old GRE tunneling worked for everything else, but GRE-encapsulated VoIP packets never arrived at the other end of the tunnel. We ended up just backhauling all traffic from (and to) that office over an encrypted tunnel to our nearby datacenter. Go figure. This was Comcast business service, with a publicly routed (i.e., not RFC 1918) /27 allocated to it.
None of this should be a surprise to anyone. Remember that Comcast was one of the earliest ISPs to do DPI at large scale with Sandvine in the early days. Today's Comcast network has "smartedge", which is the latest flavor of deep packet interception and manipulation. Also remember ISPs are in the data aggregation business too.
Have you tried placing the CPE in "bridged" mode? It's been a while since I've done anything with Comcast CPE, but I remember their CPE doing SIP ALG when acting as a router.
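Two questions run through this thread: is the ISP doing CGNAT, and is something in the path (the CPE's SIP ALG) rewriting SIP headers? Both can be answered from the 200 OK the registrar sends back, because the Via header carries the source address and port the registrar actually received the REGISTER from (the RFC 3581 `received`/`rport` parameters), and the Contact it echoes is the binding it stored. The script below is an added example in Python, not code from anyone in this thread; the REGISTER reply, the phone's LAN address (192.168.1.20) and the 100.64.12.34:41234 mapping it shows are all constructed. It classifies the address the registrar saw (RFC 1918, RFC 6598 shared space, or public), flags a Contact that no longer matches what the phone sent, and reports the registration lifetime actually granted, which is what the re-REGISTER interval has to stay inside.

```python
"""Diagnose a SIP REGISTER 200 OK for NAT, CGNAT and SIP ALG symptoms.
Added example, not code from the thread; every address, port and message
below is constructed.
"""
import ipaddress
import re

CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# What the phone put in its REGISTER (constructed private LAN address).
SENT_CONTACT = "sip:phone@192.168.1.20:5060"
SENT_EXPIRES = 60

# Constructed reply: the request arrived from 100.64/10 space, and the stored
# Contact is not what the phone sent, i.e. something rewrote it on the way.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds"
    ";received=100.64.12.34;rport=41234\r\n"
    "From: <sip:phone@pbx.example.invalid>;tag=1928301774\r\n"
    "To: <sip:phone@pbx.example.invalid>;tag=a6c85cf\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:phone@100.64.12.34:41234>;expires=60\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, headers); names lower-cased, repeated headers kept in order."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def _params(value):
    """The ;name=value parameters of a header value (URI assumed free of ';')."""
    out = {}
    for part in value.split(";")[1:]:
        k, _, v = part.partition("=")
        out[k.strip().lower()] = v.strip()
    return out

def classify_address(addr):
    """RFC 6598 is checked first: ipaddress reports it as neither private nor global."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_RANGE:
        return "cgnat"
    if ip.is_private:
        return "rfc1918"
    return "public" if ip.is_global else "other"

def registrar_view(headers):
    """Host and port the registrar received the REGISTER from (Via received/rport)."""
    via = headers["via"][0]
    host, _, port = via.split()[1].split(";")[0].partition(":")  # sent-by, e.g. 192.168.1.20:5060
    p = _params(via)
    return p.get("received", host), int(p.get("rport") or port or 5060)

def contact_uri(headers):
    """The URI inside the first Contact header, without <> and parameters."""
    return re.match(r"\s*<?([^<>;]+)>?", headers["contact"][0]).group(1).strip()

def effective_expires(headers, requested):
    """Lifetime granted: Contact ;expires overrides Expires, which overrides the request."""
    p = _params(headers.get("contact", [""])[0])
    if "expires" in p:
        return int(p["expires"])
    return int(headers["expires"][0]) if "expires" in headers else requested

def diagnose(raw, sent_contact=SENT_CONTACT, requested_expires=SENT_EXPIRES):
    status, headers = parse_response(raw)
    if status != 200:
        return {"registered": False, "status": status}
    seen_host, seen_port = registrar_view(headers)
    stored = contact_uri(headers)
    return {
        "registered": True,
        "seen_from": f"{seen_host}:{seen_port}",
        "seen_kind": classify_address(seen_host),
        "stored_contact": stored,
        "contact_rewritten": stored != sent_contact,
        "expires": effective_expires(headers, requested_expires),
    }

def findings(d):
    """Plain-language notes for the technician reading the registration reply."""
    if not d["registered"]:
        return [f"registration refused with status {d['status']}"]
    notes = []
    if d["seen_kind"] == "cgnat":
        notes.append("registrar saw a 100.64/10 source: ISP-side NAT in the path, so only "
                     "the mapping the registrar observed can reach the phone")
    if d["contact_rewritten"]:
        notes.append(f"Contact rewritten in transit (SIP ALG): binding stored as {d['stored_contact']}")
    notes.append(f"granted {d['expires']} s; the re-REGISTER or keepalive interval must stay "
                 "inside that and inside the NAT's UDP binding timeout")
    return notes

if __name__ == "__main__":
    for note in findings(diagnose(SAMPLE_200_OK)):
        print("-", note)
```

Run against a real reply captured with the phone's own SIP trace (or a packet capture on the LAN side of the CPE), a 100.64/10 `received` address confirms CGNAT, and a Contact that differs from what the phone sent confirms an ALG rewrote it; with the CPE in bridged mode, or with SIP over TLS as suggested above, the second finding should disappear because the CPE can no longer read or modify the headers. If the Via has no `received` parameter, the registrar saw the request come from exactly the sent-by address, which only happens when no NAT is in the path.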