- Products
- Learn
- Local User Groups
- Partners
- More
Quantum Spark Management Unleashed!
Introducing Check Point Quantum Spark 2500:
Smarter Security, Faster Connectivity, and Simpler MSP Management!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Dear Checkpoint Experts,
I am encountering a unique issue while connecting to one of the voice servers on UDP port 5060. The behavior observed in the logs is inconsistent:
I have attached a screenshot below for your reference.
Could you please guide me on how to resolve this issue? Your assistance would be greatly appreciated.
Best regards,
Hi,
Have you checked this sk already?
https://support.checkpoint.com/results/sk/sk114769
---------------------
Use this formula to tune the parameter that controls the interval at which re-INVITE messages (sip_expire):
Session-Expires * sip_expire / 100 < Min-SE
Where:
To determine the "Session-Expires" value in the SIP header, capture the SIP INVITE request and response:
Expert# cppcap -c 0 -f 'port 5060 and ((udp[20:4] = 0x52454749) or (udp[20:4] = 0x494e5649))' -o /var/log/sip-invite.pcap
Open the capture in Wireshark and filter for INVITE requests that contain a Min-SE value and INVITE responses that contain a Session-Expires value:
Filter= (sip.Request-Line ~ "INVITE" && sip.Min-SE) || (sip.Status-Code == 200 && sip.Session-Expires)
Review the data pane of the filtered packets for the value in the relevant fields:
Min-SE value from INVITE request:
Session Initiation Protocol (INVITE) → Message Header → Min-SE
Session-Expires value from INVITE response:
Session Initiation Protocol (200) → Message Header → Av-Global-Session-ID → Session-Expires
For example, if analysis of the SIP handshake determines that Session-Expires=120 and Min-SE=60, sane values for sip_expire
can be determined by solving for x in this inequality:
120 * x / 100 < 60
120 * x < 60 * 100
120 * x < 6000
x < 6000 / 120
x < 50
Therefore, a sane value for the sip_expire
kernel parameter in this example would be 45.
To check the current values of the kernel parameters on the Check Point Firewall:
Expert# fw ctl get int sip_max_reinvite
Expert# fw ctl get int sip_expire
Should modification of these kernel parameters prove necessary, refer to sk26202, or the Quantum Security Gateway Administration Guide for your version.
If, after tuning the sip_expire
parameter according to the configuration of your SIP implementation, you still observe intermittent drops of this nature, consider also tuning up the sip_max_reinvite parameter to allow for calls to be held longer.
Akos
I tried, but no packets were captured in the pcap file (zero packets). Traffic is continuously coming on port 5060.
I know in the old days of CP, people would use below method, though back then, it would say NONE (that exact word), now its bit different, but sort of same principle.
Andy
🖕True Story!
Fixed LOTS of issues that way back in R77 lol
sip-tcp already has the protocol signature disabled (at least in R82).
Does not seem to be the case in R81.20 (sip-tcp-proto), but in R82, I checked demo and its exact same thing.
Andy
How precisely are you capturing packets?
Hey @yourshamim , were you able to make any progress?
Andy
Not yet. I have raised a TAC case, and the TAC engineer is currently looking into it.
Please let us know the outcome.
Hey @yourshamim ...just wondering, are you able to try what was suggested with protocol none in the service and see if it makes any difference?
Andy
I ran the cppcap as indicated and am getting a failure for syntax. Ran it on a lab box same error. Is an interface required for the cppcap command?
cppcap -i eth1 -c 0 -f 'port 5060 and ((udp[20:4] = 0x52454749) or (udp[20:4] = 0x494e5649))' -o /var/log/sip-invite.pcap
Just use example from the site my colleague made while ago.
Andy
Something like below, but you can do your own filters.
cppcap -o test.pcap -i eth1 -f " host 1.1.1.1 "
cppcap -i any -c 0 -f 'port 5060 and ((udp[20:4] = 0x52454749) or (udp[20:4] = 0x494e5649))' -o /var/log/sip-invite.pcap
This looks like it worked, does the SK need to be updated to reflect the -i any?
Hi guys,
On the user's side, they restarted the server during troubleshooting. FW is getting a Virt Defrag Timeout error in the tracker and Zdebug. The tracker is receiving traffic on UDP port 0.
surprisingly TCPdump capture showing UDP port 5060. we have another round of troubleshooting call today with CP TAC and Avaya team.
Hey,
How is sip-tcp service configured atm? What does protocol option show?
Andy
I allowed service any at this moment for testing purposes.
Just an idea...did you try disable IPS blade as a test?
Got it. In that case, Im out of ideas, sorry 😞
You can allow traffic on port 0, FYI.
See: https://support.checkpoint.com/results/sk/sk27109
Thanks, @PhoneBoy . I will change the value and share the status update.
I changed the value to 1 through the set command but not Luck. same drop reason " Virt Defrag Timeout" and service UDP/0.
The fact you're hitting this error means you are receiving fragmented packets.
Prior to inspection, we "virtually reassemble" the packet in memory.
If we don't receive all the fragments for the packet in time, we generate a timeout message.
You can adjust the virtual defragmentation timeout setting.
While this is configured in the Threat Prevention settings, it's a Firewall setting, as is everything else in the Inspection Setting.
See: https://support.checkpoint.com/results/sk/sk65074
Ideally, though, you should figure out why you are receiving fragmented packets in the first place.
That is specific to the application/network and may indicate an MTU issue somewhere in the network path.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
17 | |
10 | |
6 | |
5 | |
5 | |
5 | |
3 | |
3 | |
3 | |
2 |
Thu 04 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: External Risk Management for DummiesWed 10 Sep 2025 @ 11:00 AM (CEST)
Effortless Web Application & API Security with AI-Powered WAF, an intro to CloudGuard WAFWed 10 Sep 2025 @ 11:00 AM (EDT)
Quantum Spark Management Unleashed: Hands-On TechTalk for MSPs Managing SMB NetworksThu 04 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: External Risk Management for DummiesWed 10 Sep 2025 @ 11:00 AM (EDT)
Quantum Spark Management Unleashed: Hands-On TechTalk for MSPs Managing SMB NetworksFri 12 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live Netherlands - Sessie 38: Harmony Email & CollaborationAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY