Solved: Re: skype for business issues

Shahar_Grober · ‎2019-05-10

Hi,

I am facing an issue where VOIP calls from our Polycom device to Skype for business online are dropped after about 1 minute.

The drops are one-way (incoming voice) which looks like the incoming SIP traffic is dropped.

The topology is quite simple:

Polycom --> CP GW --> Internet --> Skype for Business online

some insights:

1. the problem doesn't occur when connecting the Polycom directly to the internet via a hotspot. so it is a Check point issue

2. issue still occurs when disabling SecureXL so it is not a SXL issue

3. Hide NAT changes source port for SIP over UDP IP is checked in inspection settings

4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings

5. we see incoming connections from the Skype for business online IP range are blocked by the stealth rule

the last point made me think that it might be a NAT issue with SIP ports range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection)

I see the following drops coming from Skype for business online IP range to the GW external IP address

My questions are:

Are there any best practices to configure Skype for business with Check Point

What is the recommendation for NAT with SIP?

Any insights on how to solve this issue

infosec · ‎2019-08-26

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

View solution in original post

Jerry · ‎2019-05-10

hi mate

be4 we can give you a hint maybe first introduce your CP GW to us?

what is the os build ? best put here cpinfo -y all so we can advise accordingly.

imho this isn't about the NAT but either IPS or SecureXL (PXL?) but let's make a first things first.

versions matters !

Jerry

Shahar_Grober · ‎2019-05-10

R80.10 T_189

as I said IPS protections are excluded + the issue occurs when SecureXL is disabled so it looks like it is

PhoneBoy · ‎2019-05-10

VoIP Protections are not IPS but they are enforced in the firewall via the Inspection Settings.
Have you excluded these as well?

Shahar_Grober · ‎2019-05-11

I have mentioned that I have configured both IPS and Inspection exceptions just to make sure that the traffic is not dropped.

It looks like a NAT issue with UDP SIP Ports which make the returning connections not to be NATed and dropped by the stealth rule.

I have configured the following rule as follow:

src	dst	service	action
polycom with SFB	any	any	allow

Hide NAT is configured on the Polycom object

Did anyone have experience with how to configure NAT and Skype for business (And Yes, I have already involved TAC but I need a quick solution from someone with experience with such configuration)

infosec · ‎2019-05-20

Running the same kind of issue. Workarround found with the TAC: Disable the "cluster sync" for those UDP ports. Seems a bug is deleting UDP virtual sessions.

You should see drops for returning traffic (seen wrongly as new traffic) in your management logs or in fw ctl zdebug + drop | grep "IP of your RTP device".

Waiting a real fix from the CKP DEV team.

Shahar_Grober · ‎2019-05-23

Actually, the problem is with STUN protocol used by Skype for Business but not supported by Check Point

according to sk34538, which "suddenly" popped up in User Center

"Check Point Security Gateway does not support Session Traversal Utilities for NAT (STUN) server.

Check Point Security Gateway will pass and forward STUN traffic, but will not reply to STUN requests sent to the Check Point Security Gateway."

This requires to create manual rules to allow STUN traffic to traverse the GW or else they will be blocked by the stealth rule because the GW doesn't NAT this service

Skype for business is a widely used service. How come Check Point doesn't support it

@PhoneBoy

@Dima_M

WDYT?

PhoneBoy · ‎2019-05-23

STUN is meant to work around NAT.
However, it usually runs on the SIP proxy/server.
If we're not the SIP proxy, not sure how we'd support STUN beyond just manually mapping NAT ports.

In any case, the fact we don't proxy STUN at all, only pass it through, isn't particularly new.
The SK you mention was first created in 2008.

Shahar_Grober · ‎2019-05-24

The SK was not public and suddenly appeared in User Center (was edited in 13 may 2019).
SIP proxy servers are nice but they are overkill when you have Skype for business in cloud and Polycom devices with out of the box functionality to talk to MS cloud.

G_W_Albrecht · ‎2019-07-02

The missing STUN support as well as the mentioned sk are very very old, from 04-Mär-2008 ! Also consult sk108815: Basic VoIP debugging when phones located behind firewall and PBX is external, sk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances and sk112354: How to allow Office 365 services in Application Control R77.30 and above !

CCSE CCTE SMB Specialist

Mark_Gurevich · ‎2019-07-02

Hi @infosec, could you please share SR number so we can check if the sympthoms we have are the same as on your side?

Thank you

infosec · ‎2019-08-26

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

Mark_Gurevich · ‎2019-09-02

Thanks for sharing! Same steps has solved the issue on our side

HeikoAnkenbrand · ‎2019-07-02

Hi @Shahar_Grober,

It is the old known SIP/RTP issue.

I think it is the same issue:

VoIP Issue and SMB Appliance (600/1000/1200/1400)

upmitnetworksec · ‎2019-10-15

Hello,

we are also facing the same Problem for stun .we have seen drops from Microsoft to gateway IP on the same source and destination Port which is 3478.

so anyone please tell me what we should do for this as users are facing skype call drops issue.

Equipe_Reseau2 · ‎2019-12-17

Hello,

Have exactly the same issue with Teams, i've try to disable the cluster Sync on my UDP3478-3481 port, check the keep connection open after policy installation... same issue.

Any idea ?

Shahar_Grober · ‎2019-12-17

sk34538
you have to bypass it by allowing this port explicitly since it is not NATed by the GW

Equipe_Reseau2 · ‎2019-12-17

Thanks, you mean i need to allow Microsoft 52.114.0.0/14 to allow my Public IP on UDP3478 and more ???

Shahar_Grober · ‎2019-12-17

Yes, you can use updateable objects if you use R80.20

Equipe_Reseau2 · ‎2019-12-17

No, i'm in R80.10 T225. I have Application filtering so i've allow Stun Application, it match but i always have drop UDP inbound sessions.
I have UDP 10400, 10500, 10600.... not only 3478 !! I can't allow that !!

Shahar_Grober · ‎2019-12-17

Unfortunately, this is the only way to allow STUN protocol.
If anyone has a better solution I will be happy to hear about it as well

skype for business issues

VSX bridge interface monitoring

Crash VPN if CPSM server is not available

Custom Application - RegEx implications - what's p...

SecureXL Forward to Virtual Machine

Netflow issue in Firewall of 77.30

Are you a member of CheckMates?