Ob1lan
Collaborator

Issues with VoIP in one of our offices

Hi,

So we have one of our offices which is connected to our other offices via S2S VPN. They have a Check Point 1530 running R80.20.05.

Their VoIP provider installed a server on the LAN, and it communicated with the trunk that is outside our network.

Enclosed are the NAT rules created for them (where x.SIP.SERVER is the local device, VoIP_1x is the provider's device on the Internet and LU-xx-WAN-IP is our firewall's WAN IP).

The problem explained by our SIP provider, along with a suggestion :

Currently, if a call starts ringing and the other party answers after more than 30 sec, the SIP 200 OK is blocked by your router and the call is cancelled after 30 sec.

Could you increase the UDP conntrack timeout? I guess it's now set to 30 sec.
On Linux, this is:
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180

If you could set it to 180 sec, this should be fine.

Do you happen to know what needs to be done on our Check Point firewall to solve their issue ?

Thanks in advance for your help

PhoneBoy
Admin

I'm assuming the analog to this would be the virtual UDP Timeout (which is 40 seconds).
This is set in Global Properties > Stateful Inspection

G_W_Albrecht
Legend

Check Point 1530 locally managed has it as Advanced Settings > Stateful Inspection - UDP virtual session timeout

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ob1lan
Collaborator

Unfortunately, this is centrally managed, so I don't have that setting in the list.

G_W_Albrecht
Legend

That is even easier - in this case, you can change this in the (duplicated) service itself that is used on the GW !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ob1lan
Collaborator

Aahh ! I completely forgot about this ! Thanks for reminding me ! Indeed I can set a specific value for the Virtual session timeout from the service object itself 🙂


Thanks a lot !!

Ob1lan
Collaborator

Indeed, that was my guess, however changing that value from there will impact all our gateways (40+ worldwide). 

I wish there was an option to change the value only for that specific gateway...

the_rock
Legend

Hm, as PhoneBoy said, you can change the timeout settings, but the question is really: do you see any drops on the CP firewall at all?
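
To illustrate the failure the provider describes, here is an added example (not part of any post in this thread, and not Check Point code): a minimal Python model of a UDP session table with an idle timeout. It assumes an outgoing call, no keepalive or retransmitted packets while the phone rings, and constructed addresses; the 30, 40 and 180 second values are the ones mentioned in the thread.

```python
# Added illustration: a simplified model of a stateful firewall's UDP
# "virtual session" table. Addresses and timings are constructed samples.

class UdpSessionTable:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # (inside, outside) -> time of last packet

    def outbound(self, now, inside, outside):
        """A packet leaving the LAN creates or refreshes the session."""
        self.last_seen[(inside, outside)] = now

    def inbound(self, now, outside, inside):
        """A reply is accepted only if a session exists and has not idled out."""
        key = (inside, outside)
        seen = self.last_seen.get(key)
        if seen is None or now - seen > self.idle_timeout:
            self.last_seen.pop(key, None)  # expired entry is purged
            return False
        self.last_seen[key] = now          # accepted traffic refreshes the timer
        return True


PBX = ("192.0.2.10", 5060)       # constructed: SIP server on the LAN
TRUNK = ("198.51.100.20", 5060)  # constructed: provider trunk on the Internet


def simulate_call(idle_timeout, answer_after):
    """Outgoing call: INVITE at t=0, 180 Ringing at t=1, then silence
    until the callee answers `answer_after` seconds later (200 OK)."""
    fw = UdpSessionTable(idle_timeout)
    fw.outbound(0, PBX, TRUNK)                               # INVITE
    result = {"180 Ringing": fw.inbound(1, TRUNK, PBX)}
    result["200 OK"] = fw.inbound(1 + answer_after, TRUNK, PBX)
    return result


if __name__ == "__main__":
    for timeout in (30, 40, 180):
        for answer_after in (20, 35, 45, 60):
            verdict = simulate_call(timeout, answer_after)["200 OK"]
            print(f"timeout={timeout:>3}s answer after {answer_after:>2}s "
                  f"-> 200 OK {'accepted' if verdict else 'dropped'}")
```

In this model a 200 OK arriving after 35 seconds of silence is dropped with a 30 second timeout, passes with 40, and a 45 or 60 second ring only passes once the timeout is raised to 180.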
