Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

VoIP Issue and SMB Appliance (600/1000/1200/1400)

 

Issue description:

Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established.

Issue debug:

On the firewall you see a typical issue with the following message if you start: # fw ctl zdebug drop

Issue message: fwconn_key_init_links (INBOUND) failed

Solution:

There are two different Servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call:

  • Server for SIP (Management and control)
  • Server for RTP (Media and Voice Data)

Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on 600 / 1100 / 1200 / 1400 appliance:

RTP rules:

  1. Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports.
  2. Create a drop rule to block outgoing connections from the Internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports

SIP rule:

  1. Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060

 

Example:

 

A similar description can be found in SK104082.

 

Regards,

Heiko

21 Replies
Highlighted
Contributor

Here you can find the old comments to this article for the old version:

VoIP Issue and SMB Appliance (600/1000/1200/1400) [old] 

Highlighted
Explorer

It is a nice solution!

But it works!

THX

Afri

Highlighted
Participant

Is it correct to drop the rtp packets to the provider?

It is voodoo Smiley Happy

Regards

Hanko

Highlighted

Yes, it is VoIP Voodoo! 

It is correct! You need a drop rule!

Regards

Heiko

Highlighted
Participant

We have the same problem in Switzerland. Couldn't use the 1400 appliance for VoIP and used the 3000 appliance.
Blocking outgoing RTP packets has been helpful for us.

THX
Levin

Highlighted
Participant

This solution solves our issue.

Nice voodoo hack.

Regards

Joerg

Highlighted
Participant

Check Point not VooDoo:-)

Highlighted
Explorer

Yes, it solves pur issues.

thx

Highlighted
Explorer

Hi,

Heiko Ankenbrand Thanks for the tip much appreciated, after following the article we can get inbound call working with two way audio on a CP1430 appliance, however outbound audio does not work at all (appears the call is established), had quite a few CP tech's take a look but no real progress, does anyone have any ideas? Any help would be much appreciated.

MM

0 Kudos
Highlighted
Explorer

This hack works fine!

THX

Highlighted
Participant

This solution  works fine.

THX

Kai

0 Kudos
Highlighted
Collaborator

is this applicable to 2200 R80.30 also?
0 Kudos
Highlighted
Champion
Champion

For GAiA i would suggest R80.30 VoIP Administration Guide and sk95369: ATRG: VoIP

Highlighted
Explorer

is this applicable to Check Point 1490 Appliance Version: R77.20.31 (990170952) also?
Tks!
0 Kudos
Highlighted
Participant

What is the UDP High Port range mentioned that we create the service for in the 600/1000/1200/1400 firewall?  Which port numbers should we be using?

We are having one-way audio issues with a Cisco CUCM environment immediately after upgrading our 5600 series cluster from R77.30 to R80.20 a couple of days ago.  We have an open support case with CheckPoint support on this matter so still working through the issue.  

Our scenario is that we don't traverse the PSTN traffic through our primary 5600 cluster; all Phone traffic is internal with the exception we have 4 small remote offices that we extend our network to.  The remote offices are 600 series models.  The only devices on the remote side are 1-2 PCs and a couple of Cisco 7900 series phones at each location.  

Because of the VPN, we see a lot of encrypt and decrypt messages in the smart logs.  When issuing the fw ctl zdebug drop command, we aren't seeing 'like fwconn_key_init_links (INBOUND)' messages or similar.

Is it likely this fix would apply to my scenario where the Call routing and call control are housed behind the 5600 cluster?  

Highlighted
Collaborator

What if the problem is OUTBOUND?

I have a centrally managed 1430 with two phones behind it. The whole network that the phones are on is hidden behind the appliance. The first phone to register functions normally but the second one does not perform NAT on SIP payload packets. The following message appears on fw ctl zdebug drop: 

dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;

The GW object in SmartConsole has the interfaces correctly defined, I have tried adding the GW in the destination column of the allow rule for the SIP traffic (some SK suggested this) and the SIP protocols are defined without specific protocol, accept replies and 'match for any'.

I cannot figure out a solution for this. It just suddenly stopped working after all being good for ages.
The appliance runs on R77.20.85 - Build 751

 

 

0 Kudos
Collaborator

I have solved this now.

We had previously created custom udp/tcp ports for SIP to make things work with this specific VoIP provider. In these custom protocols we left the protocol undefined and just entered the port ranges. This was to avoid problems with inspection that we had experienced in the past. Suddenly this problem with the 2nd-phone-to-register-does-not-get-it's-payload-NATed-issue appeared anyway. Finding no way forward with the current protocols I decided to try to clone the default SIP UDP object and enter the port range there and then change the inspection settings according to below:

default_inspection_SIP-General.PNG

nat-port.png

It was checkpoint support who gave me the idea. I had already told them that we don't inspect SIP because we don't use the standard protocol objects but when they suggeted this change despite the fact, I decided to change to the inspected object and try this and then rebooted the mgmt server and the appliance. So this was the solution.

Hope someone finds this before spending two days on the issue 😄

  

 

 

0 Kudos
Highlighted
Explorer

Can I configure call-in on checkpoint 1490 R77.20.31? currently blocking RTP with no sound.Tks!
0 Kudos
Highlighted
Champion
Champion

I would ask TAC for help !

0 Kudos
Highlighted
Explorer

I also had issues with VoIP (no Audio) on my 1530 FW, but once I set either:
URL Filtering only

or

On but without "Block security risk categories"

it works flawlessly!!

I thought "Block security risk categories" was based on URL filtering?

 

Marc

0 Kudos
Highlighted
Champion
Champion

It is application (traffic) and URL filtering based ! VoIP is a very broad theme, see sk95369: ATRG: VoIP 😎 I would contact TAC to resolve the issue - the alternative, defining an own set of categories, is rather time-consuming...

0 Kudos