4.30 SIP ALG issues

Options
2»

Comments

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @grokit  

    In our test scenario these kind the scenario the SIP OPTION are able forwarding to LAN side successfully

    Topology#1: Phone#A-------[LAN]------USG-----[Internet]-----SIP server & Phone#B

    Topology#2: Phone#A&B-------[LAN]------USG-----[Internet]-----SIP server

     SIP ALG setting:


    Here is the packets captured on USG:

    WAN side IP:


    LAN side packets:


    May we have a check on your packets? Please just feel free send me by private message.

  • grokit
    grokit Posts: 18  Freshman Member
    Friend Collector First Comment
    Options
    hi @Zyxel_Stanley
    Yes, this is exactly the same setup I have. All options and serttings identical. All traces look the same in my case. But only with FW 4.25.

    As soon as I install FW 4.30, 4.31 or 430AAPJ0ITS-WK10-r82493, I would not see the SIP Option packets on the LAN side anymore. Or to be more precise, I would see a few SIP Options only, probably the ones for which the SIP sessions were active.
    I would see, on the other hand, a lot of blocked incoming SIP in the firewall log. Blocked by the Default rule and obviously the SIP OPTIONS pakets for which there was no SIP session anymore. 

    With FW 4.25 I have about 20-30 open SIP sessions in session monitor at any time, and no blocked pakets in the firewall log.
    With FW 4.30 I see only half a dozen SIP sessions at any time, and lots of blocked packets in the firewall log.
    I did not check this with the other FW's.

    @R_I
    Reto, you mentioned you'd see the same behaviour than I see. Can you recall if you have seen lots of blocked incoming SIP packets in the firewall log too?


    Daniel
  • R_I
    R_I Posts: 2
    First Comment
    Options
    Daniel, I'm afraid I can't be of any help here; I had no time to investigate the problem and immediately switched back to 4.25.
    With 1 trunk connection (Aastra pbx to sipcall, 6 lines) my USG110 currently shows 24 open SIP sessions.
  • grokit
    grokit Posts: 18  Freshman Member
    Friend Collector First Comment
    Options
    Merci Reto,
    No Worries.. Thanks anyway.
    grüessli
    Daniel

  • TAPTech
    TAPTech Posts: 165  Master Member
    First Anniversary 10 Comments Nebula Gratitude Friend Collector
    Options
    We are seeing the same issues on a few of our USG60 devices with larger numbers of VOIP phones connecting to a cloud PBX.  We have all of the SIP ALG options disabled and have not had any problems before.  We get a large amount of blocked traffic coming back from the cloud PBX, it seems as if there is some problem with rport, but I am not sure.  I am in the process of reverting back to 4.20 as it is the only older firmware version that I have access to.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,374  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @TAPTech
    I will send you private message for check this issue more detail.
  • grokit
    grokit Posts: 18  Freshman Member
    Friend Collector First Comment
    edited September 2018
    Options
    hello @TAPTech
    thanks for sharing. please keep us up to date. Stanley is a good guy. he has given me quite some good information, although I was not yet able to test all of his hints. 
    dan
  • TAPTech
    TAPTech Posts: 165  Master Member
    First Anniversary 10 Comments Nebula Gratitude Friend Collector
    Options
    Hi @grokit
    Unfortunately I don't think my situation will help you much.  I found that our issue was not due to firmware.  After downgrading to 4.25, it still happens.  We were getting dropped calls, which were due to 3 of the SIP phones on the network having outdated SIP user passwords and failing to authenticate.  For whatever reason, this caused a lot of problems with the other 12 phones.  After resolving those issues, the problems went away.

    We were seeing phones that would not stay registered via keep-alive.

    WE STILL see some blocked traffic from the cloud VoIP PBX, but there are zero issues with calls.  So we will need to investigate that a little bit more.

Security Highlight