This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jason_Carrillo
Collaborator
‎2019-04-03 07:50 AM
Jump to solution

Wi-fi Calling

So, TL;DR:

1) Are there any settings, configurations, service modifications that will make Wifi calling work and work well?

2) Is there a way to prevent the firewall from remapping source ports in NAT, particularly for this UDP 500 and UDP4500 traffic?

Background:

I am having issues with one of my remote remote sites where the folks down there depend on wifi calling since cell service is so bad.

They've gone through quite a few network changes as of late, including a forklift replacement of their network with Aruba gear and a change of gateways from a 4200 appliance to a pair of 1490s. 

So, wifi calling sucks. Can't connect most of the time and when they do the quality is terrible. The firewall is allowing the UDP 500 and 4500 traffic out as expected but still they report issues. 

I found an article written by/for the SonicWall folks that claim that the changing of the source port during NAT will negatively affect Wifi calling. There is a specific setting that makes that traffic maintain its source port. I have ticket open with Check Point support, and they don't think that this port remap should be causing an issue, and since these folks were behind a different Check Point previously, I am inclined to agree. The local tech staff for the remote site are opening a ticket with the wireless vendor as well. But...

I'd still like to test and see if I can get it to improve. Unfortunately I can't find how to get the damned firewall from changing the source port. 

 

Thanks in advance.

Edit: They are on Aruba wireless not on the wireless on the appliance itself.

2 Solutions

Accepted Solutions
Jerry
Mentor
Mentor
‎2019-04-04 01:30 AM
Jump to solution

there is loads of aspects with regards to successful WiFi Calling mate, not CP only, also Wireless (especially Aruba with proper profiling etc. WiFi Calling uses udp high-ports not IPSec ports! Also note that WiFi calling depends on Mobile Operator as well. It isn't easy task to narrrow why WiFi calling as you said "sucks" - or rather "not work" but networkers and security guys like us should be capable of t-shooting it also involving tcpdump/fwmonitor tools in order to find where exactly and in which segment of our network something isn't properly configured/set/designed.

cheers
Jerry

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2019-04-03 05:14 PM
Jump to solution

The Check Point appliances might make a difference in this case as the 4200 and the 1490 run a different code base.
The behavior with SIP and NAT could be different as a result.

That said, you haven't provided any details about what kinds of issues people are reporting.
As a result, it's difficult to suggest any remediation steps.
I would be looking at packet traces from the gateway (e.g. using tcpdump) to see if there are any obvious issues (latency, packets getting dropped, etc).
I'd also be looking in the logs for any error messages that might provide a clue.
Jerry
Mentor
Mentor
‎2019-04-04 01:30 AM
Jump to solution

there is loads of aspects with regards to successful WiFi Calling mate, not CP only, also Wireless (especially Aruba with proper profiling etc. WiFi Calling uses udp high-ports not IPSec ports! Also note that WiFi calling depends on Mobile Operator as well. It isn't easy task to narrrow why WiFi calling as you said "sucks" - or rather "not work" but networkers and security guys like us should be capable of t-shooting it also involving tcpdump/fwmonitor tools in order to find where exactly and in which segment of our network something isn't properly configured/set/designed.

cheers
Jerry
Jerry
Mentor
Mentor
‎2019-04-04 01:31 AM
Jump to solution

ps. I've got my lab on HA 5600 and HA4800 and WiFi full-cisco with WLC and without and my WiFi Calling works like a charm 🙂
Jerry
Tommy_Forrest
Advisor
‎2019-04-04 04:10 AM
In response to Jerry
Jump to solution

I'm in the camp of WiFi calling just sucks through a 600 series FW.

 

Our enterprise class 15600's seem to be fine, though, with no complaints.

 

The phone will establish itself on WiFi, connect to Verizon and be all happy that life is going on.  Just over WiFi.

 

The problem is inbound calls do not complete (and go to a "this line isn't accepting calls right now" and outbound calls either take way too long to complete the phone gives up, or they won't even try to start until you turn off WiFi.


I haven't had time to troubleshoot it, so I just turned off WiFi calling for the time being.

Jason_Carrillo
Collaborator
‎2019-04-04 06:38 AM
Jump to solution

Our issues went from poor call quality, connection delays, to the issue where you could connect the call immediately, but then not have any sound.

We are all good now. Turns out the issue was on the Aruba side.

Unfortunately, because the site is remote I didn't realize that our Aruba implementers were doing work on the network and broke wifi calling completely somehow (connect but no sound). The local tech moved to another building, and it worked like it had previously, poor quality, delayed connection.

He texted me last night to tell me that it was working perfectly now. There was an ACL missing from each of the user roles that allows. When I find more information I'll share it as I know there are folks who use Check Point who are also implementing Aruba. Maybe they'll be able to help their network folks out when they start blaming the firewall....

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events