This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mark_Edwards
Contributor
Tuesday

Incoming VOIP calls disconnect after 30/31 seconds

Hi all,

All of a sudden a customer is having issues with incoming VOIP calls (outgoing no issues).

Previously no issues and no changes on the firewall. 

You communicate for 30/31 seconds then the call are dropped.

Customer has an internal PABX with communicates with the VOIP provider's PABX.

If I change the SIP port on the rule that allows the external PABX to talk to the gateways external IP  (NAT to internal PABX) to use the pre-defined SIP port (with inspection) from a custom UDP 5060 port then the incoming calls are all good and don't disconnect.

However this breaks the audio on outgoing calls (both ways).

I have configured the rules/NATs as per the VOIP sk but that just makes it worse.

Current rules are like this:

Source                               Destination                     Service

Voip_provider_PABX --> Gateways_external_IP  udp_5060

                                     --> Internal_PABX_IP          udp_5060

 

Internal_PABX_IP  -->  Voip_provider_PABX         SIP_port

Internal_PABX_IP  -->  Voip_provider_RTP            udp range

 

NATs

Voip_provider_PABX --> Gateways_external_IP     udp_5060   translated destination = internal_PABX_IP 

Internal_PABX_IP  -->  Voip_provider_PABX           any port     translated source =  Gateways_external_IP 

Internal_PABX_IP  -->  Voip_provider_RTP           any port     translated source =  Gateways_external_IP 

 

Any ideas as seems to be a mis-configuration on the CP.

0 Kudos
8 Replies
AkosBakos
Advisor
Advisor
Tuesday

Hi @Mark_Edwards 

The VOIP is always naughty thing 🙂

First the general steps according to the  VOIP ARTG guide:

Disable all special/advanced features and Software Blades and re-test:

  • NAT
  • SecureXL
  • ClusterXL
  • VPN
  • etc.

"Previously no issues and no changes on the firewall. "

If not only the Firewall Blade is enabled, a good troubleshooting step can be to make a exception for this traffic on the Application Contron, URL Filtering blade, or in IPS etc.

I think there is no drop on SmartLog

Akos

----------------
\m/_(>_<)_\m/
Gaurav_Pandya
Advisor
Tuesday

In addition to the AKOS's suggestion, you can test with creating new service for SIP & UDP_5060 and select "match for any" option in those services. Create a rule with these custom services.

0 Kudos
Mark_Edwards
Contributor
Tuesday
In response to Gaurav_Pandya

Hi, I did try that.

It fixes the incoming calls but breaks the outgoing - no audio. 

Have tried various SIP ports, etc to no avail. 

0 Kudos
AkosBakos
Advisor
Advisor
Tuesday
In response to Mark_Edwards

Maybe involve TAC. There are a lot of unknown.

As I remember we had early NAT isssues in tha past. Sometimes some calls disconnected randomly. It was really tricky

The TAC helped us in the investigation, and they solved our problem.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
Tuesday

I can tell you every time I ever worked with customer that had voip issues, TAC gave us below:

https://support.checkpoint.com/results/sk/sk95369

Now, I dont expect you to go through the whole article (I dont think anyone ever has lol), BUT, here is one important thing I will say. In the old days of CP, most people would end up changing involved services to protocol none, rather than default one. So, say what you can do is clone sip, make sure poirt is 5060 and do below:

Screenshot_1.png

Hope that helps.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
Tuesday

Sounds like possibly some kind of delayed notification or timeout issue between the SecureXL connections table (fwaccel conns) and the INSPECT connections table (fw tab -t connections).  I'd suggest selectively disabling SecureXL for UDP/5060 (and any other related ports) to force all that traffic F2F and see what happens, see sk104468: How to exclude traffic from SecureXL.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mark_Edwards
Contributor
yesterday
In response to Timothy_Hall

Hi Timothy,

I see that this is already configured as they had VOIP issues when the gateways were first implemented (few years ago).

I do have a TAC logged, maybe they will resolve it. 

the_rock
Legend
Legend
yesterday
In response to Mark_Edwards

Did you try what I mentioned yesterday, with protocol none?

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events