chico
Contributor

SIP inspection - unidirectional traffic

Hello everybody,

 

We have Cisco Jabber softphones on our VPN devices and it doesn't work well. We have several different scenarios and different behaviour for each scenario.

The network topology is simple: F5 Edge VPN client -> Check Point 4800 GW -> LAN

My Check Point rule is as below:

SRC: SIP server; VPN client -> DST: VPN client; SIP server -> Service: sip_dynamic_ports; sip-tcp

chkp_rule.png

 

1 - I can establish a call from my Jabber client on the VPN device to my Jabber client on my laptop (LAN); it works fine.

2 - But I can't establish a call from my Jabber client on my laptop to my Jabber client on the VPN device; it doesn't work.

I did a tcpdump on the SIP server and I can see that the SIP server sends a "Request: INVITE" but the Jabber client never responds to the INVITE, as shown in the capture below.

TCPDUMP.png

Maybe because the SIP packets are inspected and modified by the Check Point? How can I verify whether the SIP packets are inspected by the Check Point? How can I completely deactivate SIP inspection, to be sure whether the problem comes from SIP inspection?

In the Check Point log on the dashboard I can see the Request INVITE from the SIP server, but with an error message as below.

chkp_log.png

chkp_log2.png

I tried to do the manipulation mentioned by "Hugo_vd_Kooij": https://community.checkpoint.com/t5/Access-Control-Products/How-to-disable-SIP-ALG-inspection-in-a-specific-rule-in/td-p/25249

- I created a clone of the sip-tcp service with "Protocol" set to None and, in Advanced, "Match for Any", but for "sip_dynamic_ports" I can't change the advanced parameter "Match for Any"?

sip-tcp-clone_advanced.png

sip-tcp-clone_general.png

sip-dynamic_advanced.png

Does anyone have an idea about this problem?

Regards,

Miguel

5 Replies
_Val_
Admin

Two questions:

1. Do you use Office Mode? If yes, are your Office Mode IPs routed to the VPN GW from the SIP server?

2. Did you run drop debug and/or traces on the GW side to see if the GW is even receiving the SIP packets sent to the VPN client from the SIP server?

chico
Contributor

Hello, thank you for your reply,

We use the BIG-IP Edge client in VPN Always-On mode; I don't have any routing problem. The SIP server can reach a VPN device.

Yes, I did an fw monitor on the Check Point gateway (fw monitor -e "host(X.X.X.X), accept;"), but I get a lot of "malformed packet" and "Packet size limited during capture". In the capture the gateway receives the SIP packet from the SIP server (TCP SIP dynamic port 54640), but the VPN client sent an RST packet?

The log on the Check Point gateway:

2020-06-10_10h05_17.png

The capture on the SIP server:

cucm.png

Regards,

Miguel

chico
Contributor

Hello,

I noticed that the SIP signalling doesn't pass when the SIP server initiates a Request INVITE with a dynamic TCP port.

1 - The Jabber client on the local network initiates a SIP session on port 5060 to the SIP proxy and I don't have any problem; it is accepted by the Check Point.

2 - The SIP proxy initiates a SIP connection with a dynamic destination port to my VPN Jabber client; at this point the signalling packet doesn't arrive at the client.

sip_.png

I see that the packets are accepted by the Check Point, but I don't see any information about SIP packets in the Check Point log.

__.png

Karan0587
Explorer

Hi Chico,
I am having the same issue with the setup below:

Cisco Jabber/Webex Teams running on VPN with Office Mode ---- Check Point 5600 ----- LAN.

The issue: when CUCM originates the signalling with dynamic TCP ports, the signalling fails.

Did you manage to resolve the issue ?

chico
Contributor

Hi Karan0587,

Yes, I resolved the issue, but the root cause came from our F5 proxy: we use a BIG-IP Edge client and we had to enable the setting "Preserve Source Port Strict", otherwise the source port is changed by BIG-IP for optimisation.

Regards,

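The symptom described in this thread (a server-initiated INVITE towards the VPN client's dynamic TCP port that is never answered, with an RST coming back) and the root cause given in the accepted answer (BIG-IP rewriting the client's TCP source port) suggest a check a practitioner can run on a capture taken on the SIP server: compare the port the client advertises in the Contact URI of its REGISTER with the TCP source port the server actually observed. If a device in the path changes the source port without also rewriting the SIP headers (which is exactly what an ALG would do and a plain proxy optimisation does not), the two diverge and the server's later INVITE is sent to a port nothing maps back to the client. The Python below is an added example for this thread and is not code from the original posts, from Check Point or from F5; the REGISTER message, addresses and ports in it are constructed, and the check is generic SIP, not specific to CUCM or Jabber.

```python
"""Added example: detect a SIP Contact port that no longer matches the TCP
source port observed on the server, the signature of an intermediate device
(VPN proxy, NAT) rewriting source ports without fixing up the SIP headers.

Everything in this file is constructed for illustration; nothing is taken
from the forum thread, from Check Point or from F5.
"""
import re
from dataclasses import dataclass

# Compact header names (RFC 3261 section 7.3.3) relevant to this check.
COMPACT = {"m": "contact", "v": "via"}

# sip:/sips: URI with optional user part, host (or bracketed IPv6) and port.
_URI_RE = re.compile(r"(sips?):(?:[^@>\s]+@)?(\[[^\]]+\]|[^:;>\s]+)(?::(\d+))?")


@dataclass(frozen=True)
class Observed:
    """Transport-layer source as seen on the server (e.g. from tcpdump there)."""
    src_ip: str
    src_port: int


def parse_sip(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Return (start line, headers). Header names are lower-cased, compact
    forms expanded, repeated headers kept in order; the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return lines[0].strip(), headers


def contact_endpoint(contact: str) -> tuple[str, int]:
    """(host, port) the client advertises for requests sent *to* it.
    Port defaults to 5060 for sip: and 5061 for sips: (RFC 3261 19.1.2)."""
    m = _URI_RE.search(contact)
    if not m:
        raise ValueError(f"unparseable Contact: {contact!r}")
    scheme, host, port = m.groups()
    default = 5061 if scheme == "sips" else 5060
    return host.strip("[]"), int(port) if port else default


def via_rport(via: str) -> bool:
    """True if the top Via carries 'rport' (RFC 3581). That only makes the
    server send *responses* to the observed source port; it does nothing for
    new server-initiated requests such as an INVITE to the Contact URI."""
    params = via.split(";")[1:]
    return any(p.strip().split("=", 1)[0].lower() == "rport" for p in params)


def check_register(raw: str, seen: Observed) -> dict:
    """Compare the advertised Contact port with the observed TCP source port."""
    start, h = parse_sip(raw)
    if not start.upper().startswith("REGISTER "):
        raise ValueError(f"expected a REGISTER request, got {start!r}")
    if "contact" not in h or "via" not in h:
        raise ValueError("REGISTER without Contact or Via header")
    host, port = contact_endpoint(h["contact"][0])
    mismatch = port != seen.src_port
    return {
        "advertised": (host, port),
        "observed": (seen.src_ip, seen.src_port),
        "rport": via_rport(h["via"][0]),
        "mismatch": mismatch,
        "verdict": ("source port rewritten in transit: requests to the Contact "
                    "URI will not reach the client" if mismatch else "consistent"),
    }


# Constructed REGISTER from a client listening on TCP 50012 for inbound SIP.
REGISTER = (
    "REGISTER sip:cucm.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.99.1.20:50012;branch=z9hG4bK-example\r\n"
    "From: <sip:alice@example.net>;tag=1\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Call-ID: example-1@10.99.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@10.99.1.20:50012;transport=tcp>\r\n"
    "Content-Length: 0\r\n\r\n"
)
SEEN_INTACT = Observed("10.99.1.20", 50012)     # source port preserved end to end
SEEN_REWRITTEN = Observed("10.99.1.20", 61001)  # proxy chose a new source port

if __name__ == "__main__":
    for seen in (SEEN_INTACT, SEEN_REWRITTEN):
        print(check_register(REGISTER, seen))
```

A `mismatch` of true means the Contact port the server will dial for its INVITE is not the port the client's connection actually arrived from, so the intermediate device has no mapping for it; that is the situation the "Preserve Source Port Strict" setting in the accepted answer avoids by keeping the client's source port unchanged. Note that an `rport` parameter in Via (RFC 3581) does not rescue this case, because it only governs where responses go, not where the server opens new connections.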
