This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SilviuBiden
Explorer
‎2022-12-02 12:35 AM

SIP Traffic droped

Hi

From the begining, I'm networking guy not "VoIP telephony" guy.

One VPN is fully functional, except SIP Traffic. My host sends SIP Invite. Packet arrive to destination. The other host Answer to SIP invite, but the pachet is dropped on checkpoint site. I ran fw ctl zdebug drop | grep d.d.d.2 
Packet proto=17 a.a.a.2:5060 -> d.d.d.123:5066 dropped by fw_one_way_enforcement Reason: conn oneway violated

What I did: I defined a rulebase traffic between hosts to be accepted on custom defined services on UDP port 5060 and 5066. I unchecked "MatchAny" on custom service definition and also I checked "Accept Replies".

I put in exception for traffic inspection... nothing is working.

What shall I do more?

0 Kudos
14 Replies
the_rock
MVP Gold
MVP Gold
‎2022-12-02 03:40 AM

I know, I feel the same, haha. VOIP has to be my least favorite "subject" when it comes to any vendor, honestly. I hate to tell you this, but if you have TAC case going on, I am 100% positive they will ask you to review below and see what applies to you:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Now, let me take a "stab at this". So, logically, based on your drop message, we can see its dropping traffic on port 5066, since all we really care is destination port. Can you send a screenshot how you defined it?

0 Kudos
SilviuBiden
Explorer
‎2022-12-02 03:47 AM
In response to the_rock

Hi

 

I read that SK several times...

in the attachement you may find port description. with protocl SIP or without protocl SIP the message is the same.

 

Preview file
168 KB
Preview file
126 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-02 03:49 AM
In response to SilviuBiden

Ok, so let me ask you this...which scenario from the sk applies to you?

0 Kudos
SilviuBiden
Explorer
‎2022-12-02 03:51 AM
In response to the_rock

SIP Proxy to SIP Proxy but there is no NAT involoved and communication between SIP proxies is thru a VPN. 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-02 04:30 AM
In response to SilviuBiden

so 7-1-C section?

0 Kudos
SilviuBiden
Explorer
‎2022-12-02 05:18 AM
In response to the_rock

Yes. This is the section

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-02 05:19 AM
In response to SilviuBiden

Are you able to send rule screenshot please?

0 Kudos
SilviuBiden
Explorer
‎2022-12-02 05:42 AM
In response to the_rock

 
Preview file
29 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-02 05:48 AM
In response to SilviuBiden

Services look different than whats defined in the sk.

Screenshot_1.png

In 2nd example, it only shows you would have single service as it defines word or, not and.

0 Kudos
SilviuBiden
Explorer
‎2022-12-02 06:31 AM
In response to the_rock

even with a single sip service, the error is the same

dropped by fw_one_way_enforcement Reason: conn oneway violated

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-02 06:34 AM
In response to SilviuBiden

Ok, fair enough...in that case, I would reach out to TAC to debug it further. That error, to me anyway, logically would indicate that it does not like something either about the service property settings and connection gets terminated. Please share here once you find the solution.

0 Kudos
SilviuBiden
Explorer
‎2022-12-02 06:35 AM
In response to the_rock

Thank you anyhow.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-02 06:39 AM
In response to SilviuBiden

No worries. One other thing I would do is run fw monitor to make sure it takes correct path at least. If it does, then yea, Im pretty sure debugs might be needed.

Below is all I found on that error on support site, but Im sure you already seen those.

Screenshot_1.png

0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-02 03:49 PM

Have you looked at; https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events