This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Railx
Explorer
‎2024-02-06 01:25 AM

Blocking ports 39960-40000

Good afternoon.

We use SIP telephony via Mobile Access. Users connect to Capsule VPN and can use the mobile app to make calls to our internal numbers.

Ports 10000-20000 are used for this purpose.

Now we have a need to introduce additional telephony, which will work on ports 39960-40000.
And there was a problem with that.
The call goes through, the call is set, but the voice is not heard.

All necessary ports on the gateways are open.

Here are the results of our tests:
1) SIP telephony works, which worked for us all the time at 10000-20000, does not work correctly on ports 399600-40000. The problem is the same, I can't hear the voice.

2) The new telephony has been switched to ports 10000-20000, everything works correctly, the call is set, the voice is heard.

3) We turned off the Capsule VPN for testing. Both SIP telephony and the new telephony work correctly on 10000-20000 and 399600-40000 ports.

Therefore, we conclude that Capsule VPN blocks ports 399600-40000, but we do not understand exactly how.
Please help me with this, maybe someone has already met with this.

0 Kudos
9 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-02-06 02:48 AM

Ask CP TAC to resolve this !

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-02-06 03:31 AM

Is this a different telephony vendor, how did you define the services compared to the previous ones and are back connections already enabled in global properties?

CCSM R77/R80/ELITE
0 Kudos
Railx
Explorer
‎2024-02-06 04:14 AM
In response to Chris_Atkinson

We used the old telephony on these ports for telephony only.
What we are most interested in is why everything works fine when Capsule VPN is turned off. But as soon as we enable the VPN, the connection is established, voice UDP (RTP) packets are sent from the server side to the user side, but no voice is heard. We don't get any return voice packets either.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-06 04:21 AM
In response to Railx

Wait...when you say you tested with turning off capsule VPN and it worked, what do you mean exactly by that? Capsule VPN is not blade itself, rather the app on the phone.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Railx
Explorer
‎2024-02-06 04:26 AM
In response to the_rock

I apologize, yes you are right, I misspoke. We shut down MAB and checked.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-06 04:56 AM
In response to Railx

No worries. Just to be 100% sure we are on the same page here, so you turned off mobile access blade on the fw, installed policy and then all worked fine?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Railx
Explorer
‎2024-02-06 05:13 AM
In response to the_rock

Yes, we completely disable the mobile access blade, enable the rule for direct access from the network under test to the internal network, and set the policy. After that, everything starts working and we can hear voice in both directions.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-02-06 05:52 AM
In response to Railx

You can try this...say port is 40000, run from expert -> fw ctl zdebug + drop | grep "40000"

this is when mobile access blade is enabled

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-06 11:24 AM

Version/JHF of gateway?
Version of Capsule client?
What precise rules are being used to permit the traffic?
Please provide screenshots (sensitive details redacted)

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events