[j-nsp] sip calls through srx fail after approx 15 min

Andy Litzinger andy.litzinger.lists at gmail.com
Thu May 28 15:10:48 EDT 2015


Hi Majdi,

So are you saying that the sip alg can not be disabled?  Or that I won't be
able to get sip to work through the SRX without using the alg?  Thanks for
bringing up NAT, I did forget to mention our NAT setup.  The provider
requires that NAT and not PAT is used.  I've accomplished that by source
NAT for the pbx (perhaps I should switch to static NAT?).

Presuming our provider has configured their SIP gateway to work properly
with NAT and presuming I've configured NAT properly, are you saying there
is no way to make this work on the SRX with the sip alg disabled?

Here is my NAT setup:

srx01> show configuration security nat
source {
    pool pool-avaya-public-nat {
        address {
            x.x.x.x/32;
        }
    }
    rule-set internal-to-net {
        from zone internal;
        to zone external;
        rule avaya-pbx-to-net {
            match {
                source-address-name avaya-pbx;
            }
            then {
                source-nat {
                    pool {
                        pool-avaya-public-nat;
                    }
                }
            }
        }
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            x.x.x.x/32;
        }
    }
}

thanks,
 -andy

On Thu, May 28, 2015 at 11:41 AM, Majdi S. Abbas <msa at latt.net> wrote:

> On Thu, May 28, 2015 at 11:36:20AM -0700, Andy Litzinger wrote:
> >   We're configuring a new sip setup with a phone vendor.  The provider pbx
> > sits inside our network and makes connections out through our SRX to the
> > provider sip gateways.  Calls are working, but seem to drop at or near the
> > 15 minute mark.  The provider is sure that it's a setting on the SRX.  The
> > one issue we may have found is that it seems we might be having some
> > trouble truly turning off the sip alg which is a requirement of the
> > provider.  Despite our best efforts I continue to see sessions when I issue
> > the command 'show security flow session application sip'.  Firstly, am I
> > correct in assuming that if I see a session here that it indicates the sip
> > alg is being used?
>
>         SIP is not NAT friendly, so you are using the ALG.  Now, as far
> as tuning that ALG, start with adjusting the timeout beyond the 3600s
> that most people use as their default:
>
> applications {
>     application junos-sip {
>         term t1 inactivity-timeout 7200;
>     }
> }
>
>         If you also experience one-way audio problems, you may need the
> following as well:
>
> security {
>     alg {
>         sip {
>             application-screen {
>                 unknown-message {
>                     permit-nat-applied;
>                     permit-routed;
>                 }
>             }
>         }
>     }
> }
>
>         Cheers,
>
>         --msa
>

