https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205163#M4077 <P>Yes, we completely disable the mobile access blade, enable the rule for direct access from the network under test to the internal network, and set the policy. After that, everything starts working and we can hear voice in both directions.</P> Tue, 06 Feb 2024 13:13:24 GMT Railx 2024-02-06T13:13:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205129#M4070 <P>Good afternoon.</P><P>We use SIP telephony via Mobile Access. Users connect to Capsule VPN and can use the mobile app to make calls to our internal numbers.</P><P>Ports 10000-20000 are used for this purpose.</P><P>Now we have a need to introduce additional telephony, which will work on ports 39960-40000.<BR />And there was a problem with that.<BR />The call goes through, the call is set, but the voice is not heard.</P><P>All necessary ports on the gateways are open.</P><P>Here are the results of our tests:<BR />1) SIP telephony works, which worked for us all the time at 10000-20000, does not work correctly on ports 399600-40000. The problem is the same, I can't hear the voice.</P><P>2) The new telephony has been switched to ports 10000-20000, everything works correctly, the call is set, the voice is heard.</P><P>3) We turned off the Capsule VPN for testing. Both SIP telephony and the new telephony work correctly on 10000-20000 and 399600-40000 ports.</P><P>Therefore, we conclude that Capsule VPN blocks ports 399600-40000, but we do not understand exactly how.<BR />Please help me with this, maybe someone has already met with this.</P> Tue, 06 Feb 2024 09:25:23 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205129#M4070 Railx 2024-02-06T09:25:23Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205136#M4071 <P>Ask CP TAC to resolve this !</P> <P>&nbsp;</P> Tue, 06 Feb 2024 10:48:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205136#M4071 G_W_Albrecht 2024-02-06T10:48:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205139#M4072 <P>Is this a different telephony vendor, how did you define the services compared to the previous ones and are back connections already enabled in global properties?</P> Tue, 06 Feb 2024 11:31:36 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205139#M4072 Chris_Atkinson 2024-02-06T11:31:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205151#M4073 <P>We used the old telephony on these ports for telephony only.<BR />What we are most interested in is why everything works fine when Capsule VPN is turned off. But as soon as we enable the VPN, the connection is established, voice UDP (RTP) packets are sent from the server side to the user side, but no voice is heard. We don't get any return voice packets either.</P> Tue, 06 Feb 2024 12:14:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205151#M4073 Railx 2024-02-06T12:14:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205154#M4074 <P>Wait...when you say you tested with turning off capsule VPN and it worked, what do you mean exactly by that? Capsule VPN is not blade itself, rather the app on the phone.</P> <P>Andy</P> Tue, 06 Feb 2024 12:21:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205154#M4074 the_rock 2024-02-06T12:21:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205155#M4075 <P>I apologize, yes you are right, I misspoke. We shut down MAB and checked.</P> Tue, 06 Feb 2024 12:26:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205155#M4075 Railx 2024-02-06T12:26:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205161#M4076 <P>No worries. Just to be 100% sure we are on the same page here, so you turned off mobile access blade on the fw, installed policy and then all worked fine?</P> <P>Andy</P> Tue, 06 Feb 2024 12:56:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205161#M4076 the_rock 2024-02-06T12:56:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205163#M4077 <P>Yes, we completely disable the mobile access blade, enable the rule for direct access from the network under test to the internal network, and set the policy. After that, everything starts working and we can hear voice in both directions.</P> Tue, 06 Feb 2024 13:13:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205163#M4077 Railx 2024-02-06T13:13:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205170#M4078 <P>You can try this...say port is 40000, run from expert -&gt; fw ctl zdebug + drop | grep "40000"</P> <P>this is when mobile access blade is enabled</P> <P>Andy</P> Tue, 06 Feb 2024 14:52:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205170#M4078 the_rock 2024-02-06T14:52:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205217#M4079 <P>Version/JHF of gateway?<BR />Version of Capsule client?<BR />What precise rules are being used to permit the traffic?<BR />Please provide screenshots (sensitive details redacted)</P> Tue, 06 Feb 2024 19:24:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Blocking-ports-39960-40000/m-p/205217#M4079 PhoneBoy 2024-02-06T19:24:24Z