- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- skype for business issues
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
skype for business issues
Hi,
I am facing an issue where VOIP calls from our Polycom device to Skype for business online are dropped after about 1 minute.
The drops are one-way (incoming voice) which looks like the incoming SIP traffic is dropped.
The topology is quite simple:
Polycom --> CP GW --> Internet --> Skype for Business online
some insights:
1. the problem doesn't occur when connecting the Polycom directly to the internet via a hotspot. so it is a Check point issue
2. issue still occurs when disabling SecureXL so it is not a SXL issue
3. Hide NAT changes source port for SIP over UDP IP is checked in inspection settings
4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings
5. we see incoming connections from the Skype for business online IP range are blocked by the stealth rule
the last point made me think that it might be a NAT issue with SIP ports range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection)
I see the following drops coming from Skype for business online IP range to the GW external IP address
My questions are:
Are there any best practices to configure Skype for business with Check Point
What is the recommendation for NAT with SIP?
Any insights on how to solve this issue
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Here is the ticket id : 6-0001628443
Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi mate
be4 we can give you a hint maybe first introduce your CP GW to us?
what is the os build ? best put here cpinfo -y all so we can advise accordingly.
imho this isn't about the NAT but either IPS or SecureXL (PXL?) but let's make a first things first.
versions matters !
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as I said IPS protections are excluded + the issue occurs when SecureXL is disabled so it looks like it is
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you excluded these as well?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have mentioned that I have configured both IPS and Inspection exceptions just to make sure that the traffic is not dropped.
It looks like a NAT issue with UDP SIP Ports which make the returning connections not to be NATed and dropped by the stealth rule.
I have configured the following rule as follow:
src | dst | service | action |
polycom with SFB | any | any | allow |
Hide NAT is configured on the Polycom object
Did anyone have experience with how to configure NAT and Skype for business (And Yes, I have already involved TAC but I need a quick solution from someone with experience with such configuration)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running the same kind of issue. Workarround found with the TAC: Disable the "cluster sync" for those UDP ports. Seems a bug is deleting UDP virtual sessions.
You should see drops for returning traffic (seen wrongly as new traffic) in your management logs or in fw ctl zdebug + drop | grep "IP of your RTP device".
Waiting a real fix from the CKP DEV team.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, the problem is with STUN protocol used by Skype for Business but not supported by Check Point
according to sk34538, which "suddenly" popped up in User Center
"Check Point Security Gateway does not support Session Traversal Utilities for NAT (STUN) server.
Check Point Security Gateway will pass and forward STUN traffic, but will not reply to STUN requests sent to the Check Point Security Gateway."
This requires to create manual rules to allow STUN traffic to traverse the GW or else they will be blocked by the stealth rule because the GW doesn't NAT this service
Skype for business is a widely used service. How come Check Point doesn't support it
WDYT?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
However, it usually runs on the SIP proxy/server.
If we're not the SIP proxy, not sure how we'd support STUN beyond just manually mapping NAT ports.
In any case, the fact we don't proxy STUN at all, only pass it through, isn't particularly new.
The SK you mention was first created in 2008.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIP proxy servers are nice but they are overkill when you have Skype for business in cloud and Polycom devices with out of the box functionality to talk to MS cloud.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The missing STUN support as well as the mentioned sk are very very old, from 04-Mär-2008 ! Also consult sk108815: Basic VoIP debugging when phones located behind firewall and PBX is external, sk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances and sk112354: How to allow Office 365 services in Application Control R77.30 and above !
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @infosec, could you please share SR number so we can check if the sympthoms we have are the same as on your side?
Thank you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Here is the ticket id : 6-0001628443
Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Shahar_Grober,
It is the old known SIP/RTP issue.
I think it is the same issue:
VoIP Issue and SMB Appliance (600/1000/1200/1400)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
we are also facing the same Problem for stun .we have seen drops from Microsoft to gateway IP on the same source and destination Port which is 3478.
so anyone please tell me what we should do for this as users are facing skype call drops issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have exactly the same issue with Teams, i've try to disable the cluster Sync on my UDP3478-3481 port, check the keep connection open after policy installation... same issue.
Any idea ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have to bypass it by allowing this port explicitly since it is not NATed by the GW
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have UDP 10400, 10500, 10600.... not only 3478 !! I can't allow that !!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If anyone has a better solution I will be happy to hear about it as well
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i've seen similar issue with microsoft teams, random audio freeze/disconnections. and logs of drops on incoming traffic from teams to Checkpoint GW Public Nat IP by port 3478. thanks R81.10 t78 GW.
i wonder if someone here have updated recommendation for this?
