This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Howard_Gyton
Advisor
‎2019-02-18 01:33 AM

Advice invited on SIP configuration

Hi,

We have recently deployed replacement VOIP solution, replacing our analogue system.

This system is being routed via our firewall cluster and have noticed a number of things, like IPS blocks.  Those have been dealt with but we are still getting a large amount of dropped packets, due to "Re-invites exceed the limit", as detailed below.

VoIP calls are dropped with "SIP Re-Invites exceeded the limit" Reject Reason

We initially changed the mac invites limit from the default of 30 to 100 but all this has done is pushed out the period in which this event happens.  We also reduced the SIP expiry from the default of 66 to 50 and now 40 but this again has simply pushed out the period in between events.

I don't know what is considered a "sensible" or "healthy" setting for either of those two values, as in can the expiry be too short or the maximum invites be too high.

The other option is to change the defined service and set its protocol to "None", which I have not yet done.  Having the SIP traffic being inspected seems like a good idea, protection from call hijacking being one benefit.

There has been no observeable issue with these events happening though, but its something for us to continue to look into, I feel.

Howard

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-02-18 02:25 AM

I would involve TAC to resolve this - you are using R77.30 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Howard_Gyton
Advisor
‎2019-02-18 02:34 AM
In response to G_W_Albrecht

Hi Günther,

Yes, it's R77.30 but not the latest JHFA, we have take 286 installed on both cluster members.

0 Kudos
Howard_Gyton
Advisor
‎2019-03-18 02:05 AM
In response to Howard_Gyton

Installing Take 345 on to both cluster members seems to have corrected the issue.  We no longer see those messages.

0 Kudos
dawidek
Explorer
‎2024-04-12 01:00 AM
In response to G_W_Albrecht

Hello in 2024,

It seems that we are experiencing the same issue on our Check Point device R81.20 Take 43 with HotFix 610. The exact same issues described by Howard have taken place.
Do I have to make service request or maybe anyone knows faster path?

Regards,
Dawid 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events