[j-nsp] sip calls through srx fail after approx 15 min

Matthew Crocker matthew at corp.crocker.com
Fri May 29 09:49:06 EDT 2015



Ask your SIP provider how they want your firewall configured. I want all SIP ALGs disabled, customers should run basic NAT and my Acme Packet SBC figures it all out. Your mileage may vary but your SIP provider should provide ‘Hosted NAT Traversal’. HNT is the job of the session border controller. Most firewall ALGs are complete garbage.

—

Matthew Crocker
President - Crocker Communications, Inc.
Managing Partner - Crocker Telecommunications, LLC
E: matthew at corp.crocker.com
E: matthew at crocker.com


> On May 28, 2015, at 2:36 PM, Andy Litzinger <andy.litzinger.lists at gmail.com> wrote:
> 
> Hi all,
>  We're configuring a new sip setup with a phone vendor.  The provider pbx
> sits inside our network and makes connections out through our SRX to the
> provider sip gateways.  Calls are working, but seem to drop at or near the
> 15 minute mark.  The provider is sure that it's a setting on the SRX.  The
> one issue we may have found is that it seems we might be having some
> trouble truly turning off the sip alg which is a requirement of the
> provider.  Despite our best efforts I continue to see sessions when I issue
> the command 'show security flow session application sip'.  Firstly, am I
> correct in assuming that if I see a session here that it indicates the sip
> alg is being used?
> 
> srx01> show security flow session application sip
> Session ID: 45838, Policy name: avaya-pbx-to-sip-ports/36, Timeout: 60, Valid
>  In: 172.x.x.x/5060 --> x.x.x.x/5060;udp, If: ge-0/0/1.24, Pkts: 3, Bytes: 2146
>  Out: x.x.x.x/5060 --> x.x.x.x/9675;udp, If: ge-0/0/0.0, Pkts: 3, Bytes: 1626
> Total sessions: 1
> 
> the sip alg counters(show security alg sip counters) aren't increasing, and
> turning on sip traceoptions isn't logging anything but the existence of the
> flow in the session table makes me suspicious.
> 
> I've attempted to disable use of the alg by doing the following:
> * disabling the alg globally
> set security alg sip disable
> * create application groups that don't reference the alg
> * referenced those applications in the security policy that allows the pbx
> to contact the remote sip gateway
> 
> Is my sip alg truly disabled?  If so, any ideas why calls might be dropping
> at the 15m mark?  The phone doesn't actually disconnect, but the call stops
> working.
> 
> many thanks,
> -andy
> 
> Here's some relevant config snippets:
> 
> srx01> show security alg status
> ALG Status :
>  DNS      : Enabled
>  FTP      : Enabled
>  H323     : Enabled
>  MGCP     : Enabled
>  MSRPC    : Enabled
>  PPTP     : Enabled
>  RSH      : Enabled
>  RTSP     : Enabled
>  SCCP     : Enabled
>  SIP      : Disabled
> <snip>
> 
> srx01> show configuration applications application my-sip-tcp
> protocol tcp;
> destination-port 5060-5070;
> 
> srx01> show configuration applications application my-sip-udp
> protocol udp;
> destination-port 5060-5070;
> 
> srx01> show configuration security policies from-zone internal to-zone external policy avaya-pbx-to-sip-ports
> match {
>    source-address avaya-pbx;
>    destination-address sip-gateway;
>    application [ my-sip-udp my-sip-tcp ];
> }
> then {
>    permit;
> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
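The session-table output quoted above carries more than "a session exists": it shows the policy that admitted the flow, the inactivity timeout the flow is running on (60 seconds here, the default for a custom UDP application), and, by comparing the inbound source port with the outbound reverse destination port (5060 versus 9675), that source NAT translated the port. That last point is exactly why Matthew's advice matters: with the ALG off, nothing rewrites the SIP headers to match the translated port, so the provider's SBC has to handle it. The following parser is an added example, not code from either poster or from Juniper; it reads `show security flow session` output in the format shown in the thread, flags port translation, and lists sessions whose timeout is shorter than a keepalive interval you supply (the interval is an assumed input, not a value from the thread). The sample text is the quoted output with the mailer's line wraps rejoined and the addresses masked as in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the session-table output from the quoted post, with the
# mailer's line wraps rejoined. Addresses are masked exactly as in the post.
SAMPLE_OUTPUT = """\
Session ID: 45838, Policy name: avaya-pbx-to-sip-ports/36, Timeout: 60, Valid
 In: 172.x.x.x/5060 --> x.x.x.x/5060;udp, If: ge-0/0/1.24, Pkts: 3, Bytes: 2146
 Out: x.x.x.x/5060 --> x.x.x.x/9675;udp, If: ge-0/0/0.0, Pkts: 3, Bytes: 1626
Total sessions: 1
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
FLOW_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
    r"Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Flow:
    direction: str      # "In" (client to server) or "Out" (reverse wing)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    interface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int        # remaining inactivity timeout in seconds
    state: str
    flows: List[Flow] = field(default_factory=list)


def parse_flow_sessions(text: str) -> List[Session]:
    """Parse the session-table listing into Session objects with their wings."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current.flows.append(Flow(
                m.group(1), m.group(2), int(m.group(3)), m.group(4),
                int(m.group(5)), m.group(6), m.group(7), int(m.group(8)),
                int(m.group(9))))
    return sessions


def port_translated(session: Session) -> bool:
    """True when the reverse wing's destination port differs from the original
    source port, i.e. source NAT rewrote the port (5060 -> 9675 in the sample).
    Without a SIP ALG, the SIP headers still carry the original port, so the
    far end must cope with the mismatch (hosted NAT traversal)."""
    wings = {f.direction: f for f in session.flows}
    if "In" not in wings or "Out" not in wings:
        return False
    return wings["In"].sport != wings["Out"].dport


def short_timeout_sessions(sessions: List[Session], keepalive_secs: int) -> List[Session]:
    """Sessions whose inactivity timeout is shorter than the interval at which
    the endpoints are assumed to send keepalives. Such a session can age out
    between keepalives, after which inbound messages for it are dropped.
    keepalive_secs is an assumed input, not a value from the thread."""
    return [s for s in sessions if s.timeout < keepalive_secs]


if __name__ == "__main__":
    parsed = parse_flow_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"session {s.session_id} policy={s.policy} timeout={s.timeout}s "
              f"port_translated={port_translated(s)}")
    for s in short_timeout_sessions(parsed, keepalive_secs=90):
        print(f"session {s.session_id}: timeout {s.timeout}s is shorter than the "
              f"assumed 90s keepalive interval")
```

Feed it the real `show security flow session` output from the firewall and compare the flagged timeouts against the registration or OPTIONS interval the PBX actually uses; if the signalling session can expire between keepalives, the call-control messages arriving from the provider mid-call have no session to match.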