SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SIP voice service from l2 vlan to internet through SRX345

    Posted 06-05-2019 04:17

    Hi to all,

     

    I have a customer who has an SRX345 as a gateway. Its ge-0/0/1 interface has two VLANs, the default VLAN untagged and the voice VLAN tagged. In the voice VLAN, the SRX acts as DHCP server for the phones' address assignment. The address assignment is working properly and from the PBX we can ping the SIP provider. Also, the phones are able to reach the NTP servers on the Internet.

    The issue is when I try to call mobile phones. These calls must be made via the SIP provider, but the SIP signaling is dropped with a time-out (we can see this in the PBX logs), and the call fails...

    I have configured the interface as you can see here:

     

        ge-0/0/1 {
            flexible-vlan-tagging;
            native-vlan-id 1;
            unit 0 {
                vlan-id 1;
                family inet {
                    address 172.16.1.1/24;
                }
            }
            unit 40 {
                vlan-id 40;
                family inet {
                    address 172.16.40.1/24;
                }
            }
        }
        vlans {
            VoIP {
                vlan-id 40;
            }
        }

    These two logical ports are the LAN and the VoIP VLANs. These are in the trust zone (which is called "Internal"). Also there is a policy rule that permits all services from trust to untrust. If I search for the flow in the logs, I can see this traffic permitted but the calls fail...

    Any idea why the call signaling is failing?? Is this VLAN definition correct?? Is there maybe any other way to configure this scenario??

    Thanks in advance!!

    Kind Regards!!

    David.

     

     


    #SRX
    #voice_vlan
    #vlan


  • 2.  RE: SIP voice service from l2 vlan to internet through SRX345

    Posted 06-05-2019 10:51

    Hi dBabi

     

    Can you confirm if the SIP ALG is enabled:

     

       > show security alg status

     

    If yes, also share the following commands:

     

       > show security alg sip calls

       > show security alg sip counters

     

    I assume the SIP provider is located on the Internet, do you have any static NAT rule so that the SIP provider can contact your internal voice server:

     

       # show security nat

     



  • 3.  RE: SIP voice service from l2 vlan to internet through SRX345

     
    Posted 06-05-2019 19:35

    Hello,

     

    Thanks for the detailed explanation.

    > When you try calling mobile phones, could you please confirm the traffic flow?

    > Is this correct - Phone -> Local SIP Server -> SIP provider on the Internet

    > So this is Internal to Internal and then Internal to Untrust

    > The signalling is failing between the SIP server and SIP Provider right?

     

    ALG:

    > Trying to disable and enable the SIP ALG is a quick test to see if it helps resolve the issue 

        > set security alg sip disable

        > delete security alg sip disable

    > Please provide output of "show security flow session extensive <filters>" for the impacted flow

    > This will give details on the bytes exchange and if ALG is taking effect

     

    Config:

    > Since you are seeing a flow I do not doubt the configuration

    > FW is in an L3 mode, any reason why you have VLAN VoIP defined?

     

    PCAP:

    > A pcap is always useful when troubleshooting VoIP issues

    > Would you be able to collect one for the impacted flow? 

    > PCAP on SRX Branch - https://kb.juniper.net/InfoCenter/index?page=content&id=kb11709

     

    Regards,

     

    Vikas

     



  • 4.  RE: SIP voice service from l2 vlan to internet through SRX345

    Posted 06-06-2019 06:18

    Hi to all,

    I haven't got the SIP ALG enabled... Is it mandatory to have this ALG enabled for the SIP signaling to work??? If yes, I didn't know it...

    When I try to establish a call, I can see how the phone establishes the connection with the call server and how the call server begins the signaling with the SIP provider (who is on the Internet) but it never gets a reply from it, so the call server replies with a time-out to the phone. But, if I try to ping the SIP provider's IP address from the call server, the SIP provider replies without any problems.

    I checked the configuration a lot of times and I can't see anything wrong. The ALG is the only thing which is missing...

    The reason for configuring this: our client (who has the device installed) has an SSG140 now and this configuration works with problems... it should work on the SRX too, correct?? The SRX is not in production yet. If I change the connection (one port for LAN and one port for VLAN 40), will this issue disappear?? With many other manufacturers this configuration works properly... I will try to do a PCAP to troubleshoot this issue...

    Thanks for all!!

    Regards,

    David.



  • 5.  RE: SIP voice service from l2 vlan to internet through SRX345

    Posted 06-06-2019 15:33

    David,

     

    Can you enable the SIP ALG and make sure you have a static NAT rule so that your VOIP provider communicates with your internal server?

     

     



  • 6.  RE: SIP voice service from l2 vlan to internet through SRX345

     
    Posted 06-07-2019 03:57
    Hi,

    SIP ALG should be enabled by default. Can you please confirm?

       > show security alg status | grep SIP
       SIP : Enabled

    As I mentioned a quick check would be to try disabling if it is enabled and vice versa. PCAP and output of the "show security flow session extensive" will help.

    Regards,

    Vikas




  • 7.  RE: SIP voice service from l2 vlan to internet through SRX345
    Best Answer

     
    Posted 06-07-2019 03:03
    Hi,

    SIP ALG should be enabled by default. Can you please confirm?

       > show security alg status | grep SIP
       SIP : Enabled

    As I mentioned a quick check would be to try disabling if it is enabled and vice versa. PCAP and output of the "show security flow session extensive" will help.

    Regards,

    Vikas


  • 8.  RE: SIP voice service from l2 vlan to internet through SRX345

    Posted 06-08-2019 02:43

    Make sure the policy you have that permits the SIP traffic has the specific appropriate application set in the policy and is not being swept up by some general allow any rule.

     

    For the ALG to work your policy needs to match the voip application type so it is appropriately recognized and allows the necessary reverse traffic sessions.

     



  • 9.  RE: SIP voice service from l2 vlan to internet through SRX345

    Posted 06-16-2019 23:17

    Hi to all,

    Sorry for the delay in my answer... The SIP calls are working after enabling the SIP ALG. But I don't know why it didn't work before. Everything was configured properly... If the RTP traffic hadn't worked but the signaling had, I would have suspected it, but nothing worked...

    Thanks for all!!!

    David.



  • 10.  RE: SIP voice service from l2 vlan to internet through SRX345

     
    Posted 06-17-2019 18:47

    Hi David,

     

    Thanks, glad it worked.

     

    ALG does a few other things as well apart from opening dynamic pinholes, like NAT of application headers as per Network Layer translation. Perhaps that is what fixed it in this case.

     

    Regards,

     

    Vikas