[j-nsp] sip calls through srx fail after approx 15 min
Andy Litzinger
andy.litzinger.lists at gmail.com
Thu May 28 14:36:20 EDT 2015
Hi all,
We're configuring a new sip setup with a phone vendor. The provider pbx
sits inside our network and makes connections out through our SRX to the
provider sip gateways. Calls are working, but seem to drop at or near the
15 minute mark. The provider is sure that it's a setting on the SRX. The
one issue we may have found is that it seems we might be having some
trouble truly turning off the sip alg which is a requirement of the
provider. Despite our best efforts I continue to see sessions when I issue
the command 'show security flow session application sip'. Firstly, am I
correct in assuming that if I see a session here that it indicates the sip
alg is being used?
srx01> show security flow session application sip
Session ID: 45838, Policy name: avaya-pbx-to-sip-ports/36, Timeout: 60, Valid
  In: 172.x.x.x/5060 --> x.x.x.x/5060;udp, If: ge-0/0/1.24, Pkts: 3, Bytes: 2146
  Out: x.x.x.x/5060 --> x.x.x.x/9675;udp, If: ge-0/0/0.0, Pkts: 3, Bytes: 1626
Total sessions: 1
The sip alg counters (show security alg sip counters) aren't increasing, and
turning on sip traceoptions isn't logging anything, but the existence of the
flow in the session table makes me suspicious.
I've attempted to disable use of the alg by doing the following:
* disabling the alg globally
set security alg sip disable
* create application groups that don't reference the alg
* referenced those applications in the security policy that allows the pbx
to contact the remote sip gateway
Is my sip alg truly disabled? If so, any ideas why calls might be dropping
at the 15m mark? The phone doesn't actually disconnect, but the call stops
working.
many thanks,
-andy
Here's some relevant config snippets:
srx01> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Disabled
<snip>
srx01> show configuration applications application my-sip-tcp
protocol tcp;
destination-port 5060-5070;
srx01> show configuration applications application my-sip-udp
protocol udp;
destination-port 5060-5070;
srx01> show configuration security policies from-zone internal to-zone external policy avaya-pbx-to-sip-ports
match {
    source-address avaya-pbx;
    destination-address sip-gateway;
    application [ my-sip-udp my-sip-tcp ];
}
then {
    permit;
}