This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2019-05-10 06:14 AM
Jump to solution

skype for business issues


Hi,

 

I am facing an issue where VOIP calls from our Polycom device to Skype for business online are dropped after about 1 minute. 

The drops are one-way (incoming voice) which looks like the incoming SIP traffic is dropped. 

The topology is quite simple: 

 

Polycom --> CP GW --> Internet --> Skype for Business online 

 

some insights:

 

1. the problem doesn't occur when connecting the Polycom directly to the internet via a hotspot. so it is a Check point issue 

2. issue still occurs when disabling SecureXL so it is not a SXL issue 

3. Hide NAT changes source port for SIP over UDP IP is checked in inspection settings 

4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings 

5. we see incoming connections from the Skype for business online IP range are blocked by the stealth rule 

the last point made me think that it might be a NAT issue with SIP ports range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection)

I see the following drops coming from Skype for business online IP range to the GW external IP address 

photos.png

 

My questions are:

Are there any best practices to configure Skype for business with Check Point 

What is the recommendation for NAT with SIP?

Any insights on how to solve this issue

 

 

 

0 Kudos
1 Solution

Accepted Solutions
infosec
Explorer
‎2019-08-26 02:51 AM
In response to Mark_Gurevich
Jump to solution

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

View solution in original post

0 Kudos
21 Replies
Jerry
Mentor
Mentor
‎2019-05-10 06:37 AM
Jump to solution

hi mate

 

be4 we can give you a hint maybe first introduce your CP GW to us?

what is the os build ? best put here cpinfo -y all so we can advise accordingly.

imho this isn't about the NAT but either IPS or SecureXL (PXL?) but let's make a first things first.

 

versions matters !

 

 

Jerry
0 Kudos
Shahar_Grober
Advisor
‎2019-05-10 06:45 AM
In response to Jerry
Jump to solution

R80.10 T_189

as I said IPS protections are excluded + the issue occurs when SecureXL is disabled so it looks like it is
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-10 05:51 PM
In response to Shahar_Grober
Jump to solution

VoIP Protections are not IPS but they are enforced in the firewall via the Inspection Settings.
Have you excluded these as well?
0 Kudos
Shahar_Grober
Advisor
‎2019-05-11 07:03 AM
In response to PhoneBoy
Jump to solution

I have mentioned that I have configured both IPS and Inspection exceptions just to make sure that the traffic is not dropped.

It looks like a NAT issue with UDP SIP Ports which make the returning connections not to be NATed and dropped by the stealth rule.

I have configured the following rule as follow:

srcdstserviceaction
polycom with SFBanyanyallow

 

Hide NAT is configured on the Polycom object 

Did anyone have experience with how to configure NAT and Skype for business (And Yes, I have already involved TAC but I need a quick solution from someone with experience with such configuration)

 

0 Kudos
infosec
Explorer
‎2019-05-20 07:26 AM
In response to Shahar_Grober
Jump to solution

Running the same kind of issue. Workarround found with the TAC: Disable the "cluster sync" for those UDP ports. Seems a bug is deleting UDP virtual sessions.

You should see drops for returning traffic (seen wrongly as new traffic) in your management logs or in fw ctl zdebug + drop | grep "IP of your RTP device".

Waiting a real fix from the CKP DEV team.

0 Kudos
Shahar_Grober
Advisor
‎2019-05-23 12:33 AM
In response to infosec
Jump to solution

Actually, the problem is with STUN protocol used by Skype for Business but not supported by Check Point 

according to sk34538, which "suddenly" popped up in User Center 

"Check Point Security Gateway does not support Session Traversal Utilities for NAT (STUN) server.

Check Point Security Gateway will pass and forward STUN traffic, but will not reply to STUN requests sent to the Check Point Security Gateway."

 

This requires to create manual rules to allow STUN traffic to traverse the GW or else they will be blocked by the stealth rule because the GW doesn't NAT this service 

 

Skype for business is a widely used service. How come Check Point doesn't support it 

 

@PhoneBoy 

@Dima_M 

WDYT?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-23 03:25 PM
In response to Shahar_Grober
Jump to solution

STUN is meant to work around NAT.
However, it usually runs on the SIP proxy/server.
If we're not the SIP proxy, not sure how we'd support STUN beyond just manually mapping NAT ports.

In any case, the fact we don't proxy STUN at all, only pass it through, isn't particularly new.
The SK you mention was first created in 2008.
0 Kudos
Shahar_Grober
Advisor
‎2019-05-24 01:03 AM
In response to PhoneBoy
Jump to solution

The SK was not public and suddenly appeared in User Center (was edited in 13 may 2019).
SIP proxy servers are nice but they are overkill when you have Skype for business in cloud and Polycom devices with out of the box functionality to talk to MS cloud.
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-07-02 04:02 AM
In response to Shahar_Grober
Jump to solution

The missing STUN support as well as the mentioned sk are very very old, from 04-Mär-2008 ! Also consult sk108815: Basic VoIP debugging when phones located behind firewall and PBX is externalsk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances and sk112354: How to allow Office 365 services in Application Control R77.30 and above !

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mark_Gurevich
Contributor
‎2019-07-02 12:16 AM
In response to infosec
Jump to solution

Hi @infosec, could you please share SR number so we can check if the sympthoms we have are the same as on your side?

Thank you

0 Kudos
infosec
Explorer
‎2019-08-26 02:51 AM
In response to Mark_Gurevich
Jump to solution

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

0 Kudos
Mark_Gurevich
Contributor
‎2019-09-02 06:50 AM
In response to infosec
Jump to solution

Thanks for sharing! Same steps has solved the issue on our side
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-07-02 01:46 AM
Jump to solution

Hi @Shahar_Grober,

It is the old known SIP/RTP issue.

I think it is the same issue:

VoIP Issue and SMB Appliance (600/1000/1200/1400)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
upmitnetworksec
Explorer
‎2019-10-15 01:28 AM
In response to HeikoAnkenbrand
Jump to solution

Hello,

 

we are also facing the same Problem for stun .we have seen drops from Microsoft to gateway IP on the same source and destination Port which is 3478.

 

 

so anyone please tell me what we should do for this as users are facing skype call drops issue.

0 Kudos
Equipe_Reseau2
Participant
‎2019-12-17 05:51 AM
In response to upmitnetworksec
Jump to solution

Hello,

Have exactly the same issue with Teams, i've try to disable the cluster Sync on my UDP3478-3481 port, check the keep connection open after policy installation... same issue.

Any idea ?
0 Kudos
Shahar_Grober
Advisor
‎2019-12-17 05:54 AM
In response to Equipe_Reseau2
Jump to solution

sk34538
you have to bypass it by allowing this port explicitly since it is not NATed by the GW
0 Kudos
Equipe_Reseau2
Participant
‎2019-12-17 06:16 AM
In response to Shahar_Grober
Jump to solution

Thanks, you mean i need to allow Microsoft 52.114.0.0/14 to allow my Public IP on UDP3478 and more ???
0 Kudos
Shahar_Grober
Advisor
‎2019-12-17 06:18 AM
In response to Equipe_Reseau2
Jump to solution

Yes, you can use updateable objects if you use R80.20
0 Kudos
Equipe_Reseau2
Participant
‎2019-12-17 06:24 AM
In response to Shahar_Grober
Jump to solution

No, i'm in R80.10 T225. I have Application filtering so i've allow Stun Application, it match but i always have drop UDP inbound sessions.
I have UDP 10400, 10500, 10600.... not only 3478 !! I can't allow that !!
0 Kudos
Shahar_Grober
Advisor
‎2019-12-17 06:27 AM
In response to Equipe_Reseau2
Jump to solution

Unfortunately, this is the only way to allow STUN protocol.
If anyone has a better solution I will be happy to hear about it as well
0 Kudos
AmirArama
Employee
Employee
‎2023-03-27 01:07 AM
Jump to solution

Hi,

i've seen similar issue with microsoft teams, random audio freeze/disconnections. and logs of drops on incoming traffic from teams to Checkpoint GW Public Nat IP by port 3478. thanks R81.10 t78 GW.

i wonder if someone here have updated recommendation for this?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events