[j-nsp] sip calls through srx fail after approx 15 min

Andy Litzinger andy.litzinger.lists at gmail.com
Fri May 29 10:45:15 EDT 2015


So far the culprit appears to have been the NAT setup.  Contrary to my
understanding a source NAT with a 1:1 mapping does still seem to use PAT.
AFAICT there is no way to disable that for a single source NAT rule, only
for all source NAT.  This presumes that the 'security nat source
port-randomization disable' knob has the effect of disabling PAT on a 1:1
source NAT.  I'm not able to test that as I'm relying on other source NATs
that I don't want to interrupt.  Anyway, I updated my config to use static
NAT and we were immediately able to hold a test call for far longer than
15m (we let it go to 50m before we ended it).

We'll continue to test and monitor and I'll report back here if we have
issues.  Thanks to everyone for their help!

-andy

On Thu, May 28, 2015 at 12:10 PM, Andy Litzinger <
andy.litzinger.lists at gmail.com> wrote:

> Hi Majdi,
>
> So are you saying that the sip alg cannot be disabled?  Or that I won't
> be able to get sip to work through the SRX without using the alg?  Thanks
> for bringing up NAT, I did forget to mention our NAT setup.  The provider
> requires that NAT and not PAT is used.  I've accomplished that by source
> NAT for the pbx (perhaps I should switch to static NAT?).
>
> Presuming our provider has configured their SIP gateway to work properly
> with NAT and presuming I've configured NAT properly, are you saying there
> is no way to make this work on the SRX with the sip alg disabled?
>
> Here is my NAT setup:
>
> srx01> show configuration security nat
> source {
>     pool pool-avaya-public-nat {
>         address {
>             x.x.x.x/32;
>         }
>     }
>     rule-set internal-to-net {
>         from zone internal;
>         to zone external;
>         rule avaya-pbx-to-net {
>             match {
>                 source-address-name avaya-pbx;
>             }
>             then {
>                 source-nat {
>                     pool {
>                         pool-avaya-public-nat;
>                     }
>                 }
>             }
>         }
>     }
> }
> proxy-arp {
>     interface ge-0/0/0.0 {
>         address {
>             x.x.x.x/32;
>         }
>     }
> }
>
> thanks,
>  -andy
>
> On Thu, May 28, 2015 at 11:41 AM, Majdi S. Abbas <msa at latt.net> wrote:
>
>> On Thu, May 28, 2015 at 11:36:20AM -0700, Andy Litzinger wrote:
>> >   We're configuring a new sip setup with a phone vendor.  The provider pbx
>> > sits inside our network and makes connections out through our SRX to the
>> > provider sip gateways.  Calls are working, but seem to drop at or near the
>> > 15 minute mark.  The provider is sure that it's a setting on the SRX.  The
>> > one issue we may have found is that it seems we might be having some
>> > trouble truly turning off the sip alg which is a requirement of the
>> > provider.  Despite our best efforts I continue to see sessions when I issue
>> > the command 'show security flow session application sip'.  Firstly, am I
>> > correct in assuming that if I see a session here that it indicates the sip
>> > alg is being used?
>>
>>         SIP is not NAT friendly, so you are using the ALG.  Now, as far
>> as tuning that ALG, start with adjusting the timeout beyond the 3600s
>> that most people use as their default:
>>
>> applications {
>>     application junos-sip {
>>         term t1 inactivity-timeout 7200;
>>     }
>> }
>>
>>         If you also experience one-way audio problems, you may need the
>> following as well:
>>
>> security {
>>     alg {
>>         sip {
>>             application-screen {
>>                 unknown-message {
>>                     permit-nat-applied;
>>                     permit-routed;
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>>         Cheers,
>>
>>         --msa
>>
>
>
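The top message says the fix was to replace the source NAT pool with static NAT, but the static NAT stanza itself is not posted. The following is an added example of what that looks like on an SRX, not Andy's actual configuration: the rule-set name static-avaya, the rule name avaya-pbx-static and the PBX's private address 10.0.0.10/32 are assumptions, and x.x.x.x/32 is the same placeholder public address used in the quoted source NAT config. Static NAT is a bidirectional one-to-one address mapping with no port translation, which is why the provider's "NAT but not PAT" requirement is met for the SIP signalling and RTP ports.

```junos
security {
    nat {
        static {
            rule-set static-avaya {
                /* Static NAT rules match on traffic arriving from the outside zone;
                   the reverse (inside-to-outside) translation is applied automatically. */
                from zone external;
                rule avaya-pbx-static {
                    match {
                        /* Public address of the PBX (placeholder, same as the source NAT pool above) */
                        destination-address x.x.x.x/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                /* Private address of the PBX (assumed value) */
                                10.0.0.10/32;
                            }
                        }
                    }
                }
            }
        }
        /* The proxy-arp entry from the original config is still required so the
           SRX answers ARP for the public address on the external interface. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    x.x.x.x/32;
                }
            }
        }
    }
}
```

Once committed, the original source NAT rule for the PBX should be removed (or the PBX excluded from it) so the two do not overlap; 'show security nat static rule all' shows the static rule and its hit counters, and 'show security flow session application sip' should then show the PBX sessions translated with the source port unchanged.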

