
Configure SRX300 to pass rtp

  • 1.  Configure SRX300 to pass rtp

    Posted 07-08-2017 01:17

    rtp failure.jpg

     

    I am having difficulty discovering what I need to do to configure the SRX300 to pass through rtp correctly.

     

    I have used the 3 scenarios diagrammed above to isolate the problem to the SRX300.

     

    To test what is occurring I use ConeHead (VLC Media Player) on a workstation (Win 10 Pro 64-bit). rtp://234.81.130.4:5802 is an unencrypted test feed, so it is easy to tell if all is correct.

     

    When I search the documentation for rtp I mostly find references dealing with VoIP.

     

    For testing purposes, the Playout Centre, like the Workstation, is in the trusted internal zone which permits ANY out to the internet.

     

    I'd be grateful for a pointer to what needs to be done.



  • 2.  RE: Configure SRX300 to pass rtp

     
    Posted 07-08-2017 07:35

    Hi Robin StClair,

     

    Please check the status of RTSP alg. 

     

    show security alg status 

     

    And enable RTSP alg if disabled. 

     

    Regards,

    Anand




  • 3.  RE: Configure SRX300 to pass rtp

    Posted 07-08-2017 08:53

    Hi Anand10

     

    As far as I can tell, RTSP alg is enabled - 

     

    admin@MartyMcFly> show security alg status
    ALG Status :
      DNS      : Enabled
      FTP      : Enabled
      H323     : Enabled
      MGCP     : Enabled
      MSRPC    : Enabled
      PPTP     : Enabled
      RSH      : Disabled
      RTSP     : Enabled
      SCCP     : Enabled
      SIP      : Enabled
      SQL      : Disabled
      SUNRPC   : Enabled
      TALK     : Enabled
      TFTP     : Enabled
      IKE-ESP  : Disabled
    

    I wonder what else it can be?

     

    Thanks for your help.



  • 4.  RE: Configure SRX300 to pass rtp

    Posted 07-09-2017 03:25

    I don't have experience with that protocol, but a little research seems to indicate it needs to be set up like it is using VoIP with a gateway. Take a look at this article and see if you can figure out something. The thing that bothers me about issues like this is it appears as though Juniper does not monitor these forums, so that problems like this can be addressed. Tell if the feature is supported, if not when, will it be, or publish an article on it.

    Currently I don't have access to an SRX that I could run some testing on.

    Try streaming the apps then see if this counter is showing any numbers.
    show security alg h323 counters

    Check out this guide and see if it helps, especially Chapter 9. Look at your NAT configuration and see if you have persistent NAT enabled.
    http://www.juniper.net/documentation/en_US/junos12.1x44/information-products/pathway-pages/security/security-alg-h323.pdf


    https://www.juniper.net/documentation/en_US/junos/topics/concept/alg-security-h323-understanding.html

    https://www.juniper.net/documentation/en_US/junos/topics/concept/alg-security-sip-understanding.html

    I found this interesting:
    Currently, Junos OS supports "RTP" as the Application Layer transport protocol. The port number indicates the destination port of the media stream (the origin is allocated by the remote UA). The format list (fmt list) provides information on the Application Layer protocol that the media uses.

    The software opens ports only for RTP and Real-Time Control Protocol (RTCP). Every RTP session has a corresponding RTCP session. Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number.
    You may even have to define a specific application, specify your RTP port ranges and use it instead of application any:

    applications {
        application sip-rtp {
            protocol udp;
            destination-port 10000-10511;
        }
        application sip-control {
            protocol udp;
            destination-port 5060;
        }
    }
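
The RTP/RTCP pairing quoted in post 4, and the suggestion to replace `application any` with a fixed port range, can be checked offline before touching the firewall. The following is an added Python example, not code from any poster or from Juniper: it reads the media lines of an SDP body and lists the ports that fall outside the 10000-10511 range. The SDP text, the function names `pinholes` and `uncovered`, and the handling of `a=rtcp:` (RFC 3605) and `port/N` (RFC 4566) are assumptions of the example.

```python
import re

# destination-port range of the sip-rtp application quoted in the post above
RTP_RANGE = (10000, 10511)
M_LINE = re.compile(r"^m=(\w+) (\d+)(?:/(\d+))? RTP/")

# Constructed SDP body (not from the thread); addresses are documentation ranges.
SAMPLE_SDP = """\
v=0
o=- 0 0 IN IP4 192.0.2.10
s=constructed sample
c=IN IP4 192.0.2.10
t=0 0
m=audio 10510 RTP/AVP 0
m=video 10508 RTP/AVP 31
a=rtcp:53020
"""

def pinholes(sdp):
    """Return (media, rtp_port, rtcp_port) for each RTP stream the SDP announces."""
    streams, in_rtp = [], False
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            m = M_LINE.match(line)
            in_rtp = bool(m) and int(m.group(2)) != 0   # port 0 = stream disabled
            if in_rtp:
                base, count = int(m.group(2)), int(m.group(3) or 1)
                # RFC 4566: "port/N" announces N consecutive RTP/RTCP pairs
                for i in range(count):
                    streams.append([m.group(1), base + 2 * i, base + 2 * i + 1])
        elif line.startswith("a=rtcp:") and in_rtp:
            # RFC 3605: an explicit RTCP port replaces the RTP+1 default
            streams[-1][2] = int(line[7:].split()[0])
    return [tuple(s) for s in streams]

def uncovered(sdp, port_range=RTP_RANGE):
    """Ports the media needs that the firewall application's range does not include."""
    lo, hi = port_range
    return sorted(p for _, rtp, rtcp in pinholes(sdp)
                  for p in (rtp, rtcp) if not lo <= p <= hi)

if __name__ == "__main__":
    for media, rtp, rtcp in pinholes(SAMPLE_SDP):
        print(f"{media}: RTP {rtp}, RTCP {rtcp}")
    print("outside", RTP_RANGE, "->", uncovered(SAMPLE_SDP))
    # The thread's test feed port, written as a constructed m= line:
    print("feed 5802 ->", uncovered("m=video 5802 RTP/AVP 33"))
```

Written as a constructed `m=` line, the thread's test feed port 5802 yields 5802 and 5803 as uncovered, so a range copied from a SIP example would need adjusting for that feed.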



  • 5.  RE: Configure SRX300 to pass rtp

    Posted 07-09-2017 08:31

    Hi lyndidon

     

    Thank you for your well thought out and helpful response. I shall work my way through your suggestions, and report back accordingly.

     

    Worst case is that I packet capture on the switch and analyse what passes between the Playout Centre and the remote multicaster when it is working and then when it isn't working. But I'm a software designer not a network engineer, I'm not practiced at this.

     

    The sip configuration is very relevant because I am moving towards an all VoIP office environment, and I am going to have to get my head around this stuff sooner rather than later.

     

    I tried to submit a case to Juniper but they told me to naff off as my supplier is responsible for both hardware and software maintenance. I have asked the supplier to have a look at the problem, but I am not sanguine about the likely outcome, pre-sales their response to my questions was to merely restate my original question, I think this is a technique more usually encountered in offshore call centres.

     

    Your statement - "The thing that bothers me about issues like this is it appears as though Juniper does not monitor these forums, so that problems like this can be addressed. Tell if the feature is supported, if not when, will it be, or publish an article on it", really resonated with me. I've developed some significant systems, monitoring what the punters thought was always right at the top of the list. Some of my previous posts have deliberately contained statements that I had imagined would catch the attention of a Juniper Networks staffer.

     

    My gut feel is that the SRX300, with the most recent Junos release is almost brilliant, but I wonder if the developers really know what happens at the branch / SOHO level. For example, they have sensibly upgraded the USB port to version 3, but neglected to add the LTE modem failback support, why else upgrade it? Considering the RFPs I've seen recently, what branch gateway would not support LTE?

     

    Thanks again for your interest.



  • 6.  RE: Configure SRX300 to pass rtp

    Posted 07-10-2017 11:00

    @lyndidon wrote:


    You may even have to define a specific application, specify your RTP port ranges and use it instead of application any:

    applications {
       application sip-rtp {
          protocol udp;
          destination-port 10000-10511;
       }
       application sip-control {
          protocol udp;
          destination-port 5060;
       }
    }


    I haven't got as far, yet, as authorising access on an application by application basis (I assume I know what I am doing, dubious, possibly, but that's the way it is). The Playout Centre does a large handful of different tasks, the one I am most interested in (rtp), doesn't traverse the SRX300, at the moment.

     

    How would I configure on a port or VLAN basis, rather than an application basis?

     

    I did suggest that I would ask dumb questions.