ICE Restarts — NAT Traversal Stability Metric
Count ICE restart events during a call. ICE restarts indicate NAT rebinding, network path changes, or connectivity failures in SIP/VoIP infrastructure.
ICE Restarts
| Property | Value |
|---|---|
| Key | ice_restarts |
| Unit | Count |
| Type | Cumulative counter |
| Direction | Both |
| RFC | RFC 8445 Section 9 (ICE Restart) |
What It Measures
ICE Restarts counts the number of times ICE (Interactive Connectivity Establishment) connectivity checks were restarted during a call. An ICE restart means the current media path failed or was invalidated, and both sides had to renegotiate connectivity from scratch — gathering new candidates, running connectivity checks, and selecting a new candidate pair.
Why It Matters
ICE restarts cause a media interruption of 500ms to several seconds while the new path is established. For enterprise networks with complex NAT topologies, firewalls, and VPN tunnels, ICE restarts are a leading cause of intermittent call drops that are invisible to traditional monitoring.
Network engineers testing SIP infrastructure across NAT boundaries need to know whether their NAT/firewall configuration holds up under sustained call duration. ICE restarts during a 10-minute test call mean production calls will experience the same disruptions.
Thresholds
| Level | Value | Meaning |
|---|---|---|
| Good | 0 | Connectivity stable throughout the call |
| Warning | 1 | Single restart — investigate NAT timeout or path change |
| Critical | 2+ | Repeated restarts — systematic connectivity problem |
What Causes ICE Restarts
- NAT mapping timeout. If STUN keepalives are not frequent enough, the NAT mapping expires and the media path breaks.
- Firewall state table overflow. Stateful firewalls with limited connection tracking may evict UDP entries under load.
- Network path change. BGP reconvergence, failover, or load balancer rehashing can invalidate the current path.
- VPN reconnection. VPN tunnels that drop and reconnect change the endpoint's IP address, invalidating ICE candidates.
How to Fix It
- Check STUN keepalive intervals. Ensure keepalives fire more frequently than your NAT's UDP timeout (typically 30-60 seconds).
- Test with longer call durations. Short tests may not trigger NAT timeouts. Run 15-30 minute tests to expose timeout-related restarts.
- Check firewall connection limits. During load tests with many endpoints, firewalls may run out of UDP connection tracking entries.
- Compare cloud vs. on-premise. If ICE restarts only occur with on-premise workers, the issue is in the enterprise network, not the SIP infrastructure.
Related Metrics
- DTLS Rehandshakes — DTLS renegotiation triggered by ICE restart
- Round Trip Time — RTT spike during and after restart
- Packet Loss Rate — Packets lost during the restart window
- SSRC Switches — Stream may restart with new SSRC after ICE restart