SilviuBiden
Explorer

SIP Traffic dropped

Hi

From the beginning, I'm a networking guy, not a "VoIP telephony" guy.

One VPN is fully functional, except for SIP traffic. My host sends a SIP Invite. The packet arrives at the destination. The other host answers the SIP Invite, but the packet is dropped on the Check Point side. I ran fw ctl zdebug drop | grep d.d.d.2
Packet proto=17 a.a.a.2:5060 -> d.d.d.123:5066 dropped by fw_one_way_enforcement Reason: conn oneway violated

What I did: I defined a rule in the rulebase accepting traffic between the hosts on custom-defined services for UDP ports 5060 and 5066. I unchecked "MatchAny" in the custom service definition and also checked "Accept Replies".

I put in an exception for traffic inspection... nothing is working.

What shall I do more?

14 Replies
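When a gateway drops traffic the way the original post describes, the first triage step is usually to look at the whole stream of `fw ctl zdebug drop` output rather than a single grep hit, and see whether every drop carries the same handler and reason and lands on the same destination port. The script below is an added example (not code from the thread or from Check Point) that parses drop lines of the shape quoted above and tallies them by reason, protocol and destination port. The regular expression is written against that one quoted line, so the assumption that every drop record has the same shape is mine; the sample records are constructed, with placeholder addresses, not real hosts.

```python
"""Parse `fw ctl zdebug drop` style lines and tally drops by reason and destination port.

Added triage example. The line shape is taken from the single drop record quoted
in the thread; assuming every record shares that shape is this script's assumption.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional

# Matches the shape of the drop line quoted in the thread:
#   Packet proto=17 a.a.a.2:5060 -> d.d.d.123:5066 dropped by <handler> Reason: <text>
# Hosts are matched as any non-space run so placeholder names such as a.a.a.2 parse too.
DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"dropped by (?P<handler>\S+) Reason: (?P<reason>.*?)\s*;?\s*$"
)

# IP protocol numbers to names; anything else is reported as its number.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_drop_line(line: str) -> Optional[dict]:
    """Return the fields of one drop record, or None if the line is not a drop record."""
    m = DROP_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "handler": m["handler"],
        "reason": m["reason"],
    }


def summarize_drops(lines: Iterable[str]) -> Counter:
    """Count drops keyed by (reason, protocol, destination port).

    Sorting the result shows at a glance whether the drops are one noisy
    reason on one port (as in the thread) or something more scattered.
    """
    tally: Counter = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec:
            tally[(rec["reason"], rec["proto"], rec["dport"])] += 1
    return tally


def oneway_drops(lines: Iterable[str]) -> List[dict]:
    """Keep only the fw_one_way_enforcement drops the thread is about, so the
    reply direction (source/destination ports) can be compared with the rule."""
    return [
        rec for rec in map(parse_drop_line, lines)
        if rec and rec["handler"] == "fw_one_way_enforcement"
    ]


# Constructed sample: the first record is the one quoted in the thread; the rest
# are made up in the same shape (placeholder addresses, not real hosts).
SAMPLE_DROPS = [
    "Packet proto=17 a.a.a.2:5060 -> d.d.d.123:5066 dropped by fw_one_way_enforcement Reason: conn oneway violated",
    "Packet proto=17 a.a.a.2:5060 -> d.d.d.123:5066 dropped by fw_one_way_enforcement Reason: conn oneway violated;",
    "Packet proto=6 b.b.b.9:44321 -> d.d.d.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;",
    "some unrelated debug output",
]

if __name__ == "__main__":
    for (reason, proto, dport), n in summarize_drops(SAMPLE_DROPS).most_common():
        print(f"{n:4d}  {proto}/{dport:<5}  {reason}")
    for rec in oneway_drops(SAMPLE_DROPS):
        print(f"one-way drop: {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}")
```

In practice you would pipe the live debug output into this instead of the embedded sample, for example `fw ctl zdebug drop | python3 drop_tally.py` with the script reading `sys.stdin` in place of `SAMPLE_DROPS`. The `oneway_drops` view is the useful one for this thread: it lists exactly which reply packets the one-way enforcement refused, so their source and destination ports can be checked against the service definition and the "Accept Replies" setting.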
the_rock
Legend

I know, I feel the same, haha. VoIP has to be my least favorite "subject" when it comes to any vendor, honestly. I hate to tell you this, but if you have a TAC case going on, I am 100% positive they will ask you to review the link below and see what applies to you:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Now, let me take a "stab at this". So, logically, based on your drop message, we can see it's dropping traffic on port 5066, since all we really care about is the destination port. Can you send a screenshot of how you defined it?

SilviuBiden
Explorer

Hi

I read that SK several times...

In the attachment you may find the port description. With protocol SIP or without protocol SIP the message is the same.

the_rock
Legend

Ok, so let me ask you this...which scenario from the SK applies to you?

SilviuBiden
Explorer

SIP Proxy to SIP Proxy, but there is no NAT involved and communication between the SIP proxies is through a VPN.

the_rock
Legend

So the 7-1-C section?

SilviuBiden
Explorer

Yes. This is the section.

the_rock
Legend

Are you able to send rule screenshot please?

SilviuBiden
Explorer

the_rock
Legend

Services look different than what's defined in the SK.

Screenshot_1.png

In the 2nd example, it only shows you would have a single service, as it uses the word "or", not "and".

SilviuBiden
Explorer

Even with a single SIP service, the error is the same:

dropped by fw_one_way_enforcement Reason: conn oneway violated

the_rock
Legend

Ok, fair enough...in that case, I would reach out to TAC to debug it further. That error, to me anyway, logically would indicate that it does not like something about the service property settings and the connection gets terminated. Please share here once you find the solution.

SilviuBiden
Explorer

Thank you anyhow.

the_rock
Legend

No worries. One other thing I would do is run fw monitor to make sure it takes the correct path at least. If it does, then yeah, I'm pretty sure debugs might be needed.

Below is all I found on that error on the support site, but I'm sure you have already seen those.

Screenshot_1.png

PhoneBoy
Admin
