Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

skype for business issues

Jump to solution


Hi,

 

I am facing an issue where VOIP calls from our Polycom device to Skype for business online are dropped after about 1 minute. 

The drops are one-way (incoming voice) which looks like the incoming SIP traffic is dropped. 

The topology is quite simple: 

 

Polycom --> CP GW --> Internet --> Skype for Business online 

 

some insights:

 

1. the problem doesn't occur when connecting the Polycom directly to the internet via a hotspot. so it is a Check point issue 

2. issue still occurs when disabling SecureXL so it is not a SXL issue 

3. Hide NAT changes source port for SIP over UDP IP is checked in inspection settings 

4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings 

5. we see incoming connections from the Skype for business online IP range are blocked by the stealth rule 

the last point made me think that it might be a NAT issue with SIP ports range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection)

I see the following drops coming from Skype for business online IP range to the GW external IP address 

photos.png

 

My questions are:

Are there any best practices to configure Skype for business with Check Point 

What is the recommendation for NAT with SIP?

Any insights on how to solve this issue

 

 

 

0 Kudos
Reply
1 Solution

Accepted Solutions
Explorer

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

View solution in original post

0 Kudos
Reply
20 Replies
Leader
Leader

hi mate

 

be4 we can give you a hint maybe first introduce your CP GW to us?

what is the os build ? best put here cpinfo -y all so we can advise accordingly.

imho this isn't about the NAT but either IPS or SecureXL (PXL?) but let's make a first things first.

 

versions matters !

 

 

Jerry
0 Kudos
Reply
R80.10 T_189

as I said IPS protections are excluded + the issue occurs when SecureXL is disabled so it looks like it is
0 Kudos
Reply
Admin
Admin
VoIP Protections are not IPS but they are enforced in the firewall via the Inspection Settings.
Have you excluded these as well?
0 Kudos
Reply

I have mentioned that I have configured both IPS and Inspection exceptions just to make sure that the traffic is not dropped.

It looks like a NAT issue with UDP SIP Ports which make the returning connections not to be NATed and dropped by the stealth rule.

I have configured the following rule as follow:

srcdstserviceaction
polycom with SFBanyanyallow

 

Hide NAT is configured on the Polycom object 

Did anyone have experience with how to configure NAT and Skype for business (And Yes, I have already involved TAC but I need a quick solution from someone with experience with such configuration)

 

0 Kudos
Reply
Explorer

Running the same kind of issue. Workarround found with the TAC: Disable the "cluster sync" for those UDP ports. Seems a bug is deleting UDP virtual sessions.

You should see drops for returning traffic (seen wrongly as new traffic) in your management logs or in fw ctl zdebug + drop | grep "IP of your RTP device".

Waiting a real fix from the CKP DEV team.

0 Kudos
Reply

Actually, the problem is with STUN protocol used by Skype for Business but not supported by Check Point 

according to sk34538, which "suddenly" popped up in User Center 

"Check Point Security Gateway does not support Session Traversal Utilities for NAT (STUN) server.

Check Point Security Gateway will pass and forward STUN traffic, but will not reply to STUN requests sent to the Check Point Security Gateway."

 

This requires to create manual rules to allow STUN traffic to traverse the GW or else they will be blocked by the stealth rule because the GW doesn't NAT this service 

 

Skype for business is a widely used service. How come Check Point doesn't support it 

 

@PhoneBoy 

@Dima_M 

WDYT?

0 Kudos
Reply
Admin
Admin
STUN is meant to work around NAT.
However, it usually runs on the SIP proxy/server.
If we're not the SIP proxy, not sure how we'd support STUN beyond just manually mapping NAT ports.

In any case, the fact we don't proxy STUN at all, only pass it through, isn't particularly new.
The SK you mention was first created in 2008.
0 Kudos
Reply
The SK was not public and suddenly appeared in User Center (was edited in 13 may 2019).
SIP proxy servers are nice but they are overkill when you have Skype for business in cloud and Polycom devices with out of the box functionality to talk to MS cloud.
0 Kudos
Reply
Contributor

Hi @infosec, could you please share SR number so we can check if the sympthoms we have are the same as on your side?

Thank you

0 Kudos
Reply
Explorer

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

View solution in original post

0 Kudos
Reply
Contributor
Thanks for sharing! Same steps has solved the issue on our side
0 Kudos
Reply

Hi @Shahar_Grober,

It is the old known SIP/RTP issue.

I think it is the same issue:

VoIP Issue and SMB Appliance (600/1000/1200/1400)

0 Kudos
Reply

Hello,

 

we are also facing the same Problem for stun .we have seen drops from Microsoft to gateway IP on the same source and destination Port which is 3478.

 

 

so anyone please tell me what we should do for this as users are facing skype call drops issue.

0 Kudos
Reply
Participant
Hello,

Have exactly the same issue with Teams, i've try to disable the cluster Sync on my UDP3478-3481 port, check the keep connection open after policy installation... same issue.

Any idea ?
0 Kudos
Reply
sk34538
you have to bypass it by allowing this port explicitly since it is not NATed by the GW
0 Kudos
Reply
Participant
Thanks, you mean i need to allow Microsoft 52.114.0.0/14 to allow my Public IP on UDP3478 and more ???
0 Kudos
Reply
Yes, you can use updateable objects if you use R80.20
0 Kudos
Reply
Participant
No, i'm in R80.10 T225. I have Application filtering so i've allow Stun Application, it match but i always have drop UDP inbound sessions.
I have UDP 10400, 10500, 10600.... not only 3478 !! I can't allow that !!
0 Kudos
Reply
Unfortunately, this is the only way to allow STUN protocol.
If anyone has a better solution I will be happy to hear about it as well
0 Kudos
Reply