topic Re: inspection SIP - unidirectional traffic in General Topics

inspection SIP - unidirectional traffic

chico — Tue, 09 Jun 2020 14:28:47 GMT

Hello everybody,

We have softphones CISCO Jabber on our vpn devices and it's doesn't work well. We have some different scenarios and different behaviour for each scenarios.

The network topology is simple -> F5 client EDGE VPN -> GW Checkpoint 4800-> LAN

As below my checkpoint rule

SRC: SIP server; client VPN -> DST: Client VPN; SIP Server -> service: sip_dynamic_ports; sip-tcp

1 - I can etablish a call from my client jabber on the VPN device to my client jabber on my laptop (LAN) it's work fine

2 - But I can't etablish a call from my client jabber on my laptop to my client jabber on the vpn device it's doesn't work

I did a TCPDUMP on the SIP server and I can see that the SIP server send a "request: INVITE" but the client jabber never respond to the INVITE as shown on the capture below.

Maybe because de SIP packets are inspected and modified by the checkpoint ?? How can I verify if the SIP packet are inspected by checkpoint ? how can I completly desactivate the inspection SIP to be sure if the problem come frome to SIP inspection ?

In the checkpoint log on the dashboard I can see the REQUEST INVITE frome the SIP server but with a error message as below.

I tied to do the manipulation as mentionned by "Hugo_vd_Kooij" https://community.checkpoint.com/t5/Access-Control-Products/How-to-disab

le-SIP-ALG-inspection-in-a-specific-rule-in/td-p/25249

-I created a clone of sip-tcp service with "protocol" set to none and in the advanced "Match fo Any" but for the "sip_dynamic_ports" I can't change the advanced parameter "Match fo Any" ?

If someone as an idea about this problem ?

Regards,

Miguel

Re: inspection SIP - unidirectional traffic

_Val_ — Tue, 09 Jun 2020 15:24:56 GMT

Two questions:

1. Do you use office mode? If yes, do your office mode IPs are routed to VPN GW from SIP server?

2. Did you run drop debug and/or traces on GW side to see if GW is even receiving SIP packets sent to VPN client from SIP server?

Re: inspection SIP - unidirectional traffic

chico — Wed, 10 Jun 2020 08:17:01 GMT

Hello,

Hello thank you for your reply,

We use the Big-IP EDGE client in VPN alwaysON mode , I don't have any problem of routing. The server SIP can reach a vpn device.

Yes I did a fw monitor on the checkpoint gateway "fw monitor -e "host(X.X.X.X), accept;" but I have a lot of malformed packet and Packet size limited during capture. On the capture the gateway receive the SIP packet frome the SIP server (tcp sip dynamic port 54640) but the client VPN sent an RST packet ?

the log on the checkpoint gateway

The capture on the SIP server

Regards,

Miguel

Re: inspection SIP - unidirectional traffic

chico — Thu, 11 Jun 2020 12:41:31 GMT

Hello,

I remarqued that the signalisation SIP doesn't pass when the SIP server intiate a Request INVITATION with a dynamic tcp port.

1 - the client jabber on the local network initatie a SIP session on the port 5060 to the SIP proxy and I don't have any problem, accepted by checkpoint.

2- the SIP proxy initiate a connexion SIP with dynamique port destination to my vpn client jabber, at this time the signalisation packet doesn't arrive to the client.

I see that the packets are accepted by the checkpoint but I don't see any informations about SIP packet in the checkpoint log.

Re: inspection SIP - unidirectional traffic

Karan0587 — Tue, 14 Jul 2020 23:22:06 GMT

Hi Chico,
I am having same issues with below setup

Cisco Jabber/Webex teams running on VPN with office mode ---- Checkpoint 5600 -----LAN.

The issue when CUCM originates the signalling with dynamic TCP ports, the signalling fails.

Did you manage to resolve the issue ?

Re: inspection SIP - unidirectional traffic

chico — Thu, 23 Jul 2020 06:22:14 GMT

Hi Karan0587,

Yes I resolved the issue but the root cause came from our F5 proxy, we use a BIG-IP edge client and we had to Enable the settings "preserve Source Port Strict" otherwise the source port is changed by BIG-IP for optimisation.

Regards,