topic Re: SIP Traffic droped in Firewall and Security Management

SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 08:39:53 GMT

From the begining, I'm networking guy not "VoIP telephony" guy.

One VPN is fully functional, except SIP Traffic. My host sends SIP Invite. Packet arrive to destination. The other host Answer to SIP invite, but the pachet is dropped on checkpoint site. I ran fw ctl zdebug drop | grep d.d.d.2
Packet proto=17 a.a.a.2:5060 -> d.d.d.123:5066 dropped by fw_one_way_enforcement Reason: conn oneway violated

What I did: I defined a rulebase traffic between hosts to be accepted on custom defined services on UDP port 5060 and 5066. I unchecked "MatchAny" on custom service definition and also I checked "Accept Replies".

I put in exception for traffic inspection... nothing is working.

What shall I do more?

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 11:40:14 GMT

I know, I feel the same, haha. VOIP has to be my least favorite "subject" when it comes to any vendor, honestly. I hate to tell you this, but if you have TAC case going on, I am 100% positive they will ask you to review below and see what applies to you:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk95369

Now, let me take a "stab at this". So, logically, based on your drop message, we can see its dropping traffic on port 5066, since all we really care is destination port. Can you send a screenshot how you defined it?

Re: SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 11:47:04 GMT

I read that SK several times...

in the attachement you may find port description. with protocl SIP or without protocl SIP the message is the same.

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 11:49:32 GMT

Ok, so let me ask you this...which scenario from the sk applies to you?

Re: SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 12:10:26 GMT

SIP Proxy to SIP Proxy but there is no NAT involoved and communication between SIP proxies is thru a VPN.

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 12:30:08 GMT

so 7-1-C section?

Re: SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 13:18:50 GMT

Yes. This is the section

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 13:19:48 GMT

Are you able to send rule screenshot please?

Re: SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 13:42:44 GMT

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 13:48:58 GMT

Services look different than whats defined in the sk.

In 2nd example, it only shows you would have single service as it defines word or, not and.

Re: SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 14:31:18 GMT

even with a single sip service, the error is the same

dropped by fw_one_way_enforcement Reason: conn oneway violated

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 14:35:31 GMT

Ok, fair enough...in that case, I would reach out to TAC to debug it further. That error, to me anyway, logically would indicate that it does not like something either about the service property settings and connection gets terminated. Please share here once you find the solution.

Re: SIP Traffic droped

SilviuBiden — Fri, 02 Dec 2022 14:35:30 GMT

Thank you anyhow.

Re: SIP Traffic droped

the_rock — Fri, 02 Dec 2022 14:39:05 GMT

No worries. One other thing I would do is run fw monitor to make sure it takes correct path at least. If it does, then yea, Im pretty sure debugs might be needed.

Below is all I found on that error on support site, but Im sure you already seen those.

Re: SIP Traffic droped

PhoneBoy — Fri, 02 Dec 2022 23:49:08 GMT

Have you looked at; https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk31808&partition=Advanced&product=Quantum