Our users have client software that connects to a third party's SBC via SIP on UDP port 5060 over a site-to-site VPN tunnel to the third party's firewall, and we use manual Hide NAT rules to NAT the traffic behind a public IP address. The issue we have been experiencing is that clients initially connect, but later an INVITE is sent from the SBC to the client which never reaches the client, causing a disruption in connectivity. The SBC logs provided by the vendor indicate a 408 Request Timeout when the issue occurs, and it appears, looking at the Check Point logs and packet captures, that the INVITE is sent directly to the public IP address our clients use for Hide NAT and not back to the client, and is therefore dropped by the firewall.
We have now decided to use the Check Point SIP service object in the rule to see if that resolves the issue, and Check Point tech support indicated that I must use Auto NAT for the clients when using the SIP object in a rule. With the information above, any idea what the cause might be, where I might look further, and whether it is required to use Auto NAT rules for the clients when using the SIP object in a rule? One further thing to note is that the clients initially connect in the morning, but over time, usually hours later, the connectivity issues occur and then clear up hours later in the day. Also, it does not happen to all clients at the same time. Thanks
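The symptom in the post (an SBC-originated INVITE addressed to the Hide NAT public IP that the firewall drops, hours after the client registered fine) is the classic shape of a UDP translation entry expiring between SIP registrations. The script below is an added example, not code from the original post or from Check Point: it replays a constructed SIP exchange through a toy model of a hide-NAT firewall with an idle timeout. The addresses (203.0.113.10 for the Hide NAT IP, 198.51.100.5 for the SBC, 192.168.1.20 for the client), the 40-second UDP idle timeout and the 3600-second registration interval are all assumptions chosen to illustrate the mechanism; substitute the real values from the firewall's UDP timeout and the client's Expires header.

```python
"""Replay a constructed SIP trace through a model of a hide-NAT firewall.

Added example (not from the original post). Shows why an inbound INVITE
that arrives while no translation is active is dropped, and why the
problem clears as soon as the client sends its next REGISTER.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # assumed Hide NAT address (documentation range)
SBC_IP = "198.51.100.5"      # assumed SBC address
CLIENT = ("192.168.1.20", 5060)
UDP_IDLE_TIMEOUT = 40        # assumed firewall UDP idle timeout, seconds


@dataclass
class Packet:
    t: float          # seconds since start of trace
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    sip: str          # raw SIP message


def parse_sip(msg):
    """Return (start line, {lower-case header name: value}) for one message."""
    lines = msg.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class HideNat:
    """Many-to-one UDP NAT: one public IP, one allocated port per private endpoint."""

    def __init__(self, public_ip, idle_timeout):
        self.public_ip = public_ip
        self.idle = idle_timeout
        self.table = {}     # public port -> (private (ip, port), last seen)
        self.ports = {}     # private (ip, port) -> public port (kept stable for readability)
        self.next_port = 10000

    def outbound(self, pkt):
        """Client -> outside: create or refresh the translation, return the public tuple."""
        port = self.ports.setdefault(pkt.src, self.next_port)
        if port == self.next_port:
            self.next_port += 1
        self.table[port] = (pkt.src, pkt.t)
        return (self.public_ip, port)

    def inbound(self, pkt):
        """Outside -> public IP: deliver only if a live translation exists."""
        entry = self.table.get(pkt.dst[1])
        if entry is None:
            return None, "no translation for %s:%d" % pkt.dst
        private, last_seen = entry
        idle = pkt.t - last_seen
        if idle > self.idle:
            del self.table[pkt.dst[1]]          # firewall aged the entry out
            return None, "translation idle %.0fs > %ds" % (idle, self.idle)
        self.table[pkt.dst[1]] = (private, pkt.t)
        return private, "delivered to %s:%d" % private


def replay(packets, nat):
    """Return one (time, SIP start line, outcome) tuple per packet."""
    results = []
    for p in packets:
        start, _ = parse_sip(p.sip)
        if p.src == CLIENT:
            results.append((p.t, start, "sent as %s:%d" % nat.outbound(p)))
        else:
            private, why = nat.inbound(p)
            results.append((p.t, start, why))
    return results


def registration_gap(register_msg, idle_timeout):
    """Seconds by which the client's Expires exceeds the NAT idle timeout (>0 is a problem)."""
    _, headers = parse_sip(register_msg)
    return int(headers["expires"]) - idle_timeout


def sip(*lines):
    return "\r\n".join(lines + ("Content-Length: 0", "", ""))


# Constructed trace: REGISTER, 200 OK, INVITE 45 minutes later, re-REGISTER, INVITE.
REGISTER = sip("REGISTER sip:sbc.example.net SIP/2.0",
               "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK1;rport",
               "From: <sip:alice@example.net>;tag=1", "To: <sip:alice@example.net>",
               "Call-ID: reg-1", "CSeq: 1 REGISTER",
               "Contact: <sip:alice@192.168.1.20:5060>", "Expires: 3600")
OK = sip("SIP/2.0 200 OK", "Call-ID: reg-1", "CSeq: 1 REGISTER")
INVITE = sip("INVITE sip:alice@203.0.113.10:10000 SIP/2.0", "Call-ID: call-1", "CSeq: 1 INVITE")
TRACE = [
    Packet(0.0, CLIENT, (SBC_IP, 5060), REGISTER),
    Packet(0.2, (SBC_IP, 5060), (PUBLIC_IP, 10000), OK),
    Packet(2700.0, (SBC_IP, 5060), (PUBLIC_IP, 10000), INVITE),   # dropped: entry aged out
    Packet(3600.0, CLIENT, (SBC_IP, 5060), REGISTER),             # refresh recreates entry
    Packet(3605.0, (SBC_IP, 5060), (PUBLIC_IP, 10000), INVITE),   # delivered again
]

if __name__ == "__main__":
    for t, start, outcome in replay(TRACE, HideNat(PUBLIC_IP, UDP_IDLE_TIMEOUT)):
        print("%7.1fs  %-45s %s" % (t, start, outcome))
    print("Expires exceeds NAT idle timeout by %ds" % registration_gap(REGISTER, UDP_IDLE_TIMEOUT))
```

The replay reproduces the on/off behaviour described in the post: the INVITE at 2700 s is dropped with "translation idle 2700s > 40s", while the one sent shortly after the next REGISTER is delivered. The practical checks this suggests are comparing the client's Expires value against the gateway's UDP session timeout, and looking in the captures for whether the client sends any keepalive (OPTIONS or CRLF) between registrations; clients that happen to place a call, and thereby refresh the entry, stay reachable, which is consistent with not all clients failing at once. Whether the SIP service object or Auto NAT changes the timeout or pinhole handling on the specific Check Point release in use is something to confirm with the vendor documentation rather than assume.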