SRX

Expand all | Collapse all

RTP Stream

Jump to Best Answer
  • 1.  RTP Stream

    Posted 10-13-2019 01:48

    Hi

     

    I am having an issue passing RTP streams across a site-to-site VPN between an SRX340 and a SRX1500 which I would welcome advice on.

     

    My VPN is established and the routing is good. The network on the 340 can ping the phone system (Avaya) on the LAN of the 1500 and you can call between sites, however there is no speech. The security on both sides is open across the VPN and the ALG status on both is thus;

     

    DNS : Enabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Disabled
    MSRPC : Enabled
    PPTP : Enabled
    RSH : Disabled
    RTSP : Enabled
    SCCP : Disabled
    SIP : Enabled
    SQL : Disabled
    SUNRPC : Enabled
    TALK : Enabled
    TFTP : Enabled
    IKE-ESP : Enabled

     

    Any pointers would be welcome!



  • 2.  RE: RTP Stream

     
    Posted 10-13-2019 05:05

    As RTP streams are handled via the RSTP protocol, I suggest you to try to disable the RSTP alg on both firewalls for a start:

     

    set security alg rtstp disable

    Revert with the result and if it still doesn't work, please share Junos version running on both devices.



  • 3.  RE: RTP Stream

    Posted 10-13-2019 06:43

    Hello,

    Are the IP phones SIP or H.323?

    If H.323, have You seen this page with Avaya-specific info https://www.juniper.net/documentation/en_US/junos/topics/topic-map/alg-security-h323.html ?

     

     

    @jonashauge wrote:

    As RTP streams are handled via the RSTP protocol,


     

    Not only. SIP, H.323 also make extensive use of RTP and its companion RTCP.

    HTH

    Thx

    Alex



  • 4.  RE: RTP Stream
    Best Answer

     
    Posted 10-13-2019 17:34

    First make sure the IPSEC VPN is route based between the two sites so that detailed policies with the ALG can be applied.

     

    Then the key as Alex points out is to know if your Avaya system is SIP or H323.  Then with that knowledge to create the application specific policy for the for the traffic on the originator side of the calls.  This has to be for the specific application SIP or H323 and NOT application "any".  That is the only way the ALG gets engaged to allow the high port audio streams for the reverse direction on the call.

     



  • 5.  RE: RTP Stream

    Posted 10-14-2019 03:50

    Thanks for the replies!

     

    So after disabling RTSP at both ends, and changing my config from application 'any' to application 'junos-h323' the phones can now ring, however there is no speech between sites and no dial tone interestingly.

     

    The 340 is running 15.1x49-D150 and the 1500 the same - 15.1X49-D150

     

    Just to give a taster of the ACL at both ends (in both directions of course)

     

    set security policies from-zone trust to-zone SE13QH policy vpn-tr-untr1 match source-address Local
    set security policies from-zone trust to-zone SE13QH policy vpn-tr-untr1 match source-address Local2
    set security policies from-zone trust to-zone SE13QH policy vpn-tr-untr1 match destination-address Remote
    set security policies from-zone trust to-zone SE13QH policy vpn-tr-untr1 match destination-address Remote2
    set security policies from-zone trust to-zone SE13QH policy vpn-tr-untr1 match application junos-h323
    set security policies from-zone trust to-zone SE13QH policy vpn-tr-untr1 then permit

     

     



  • 6.  RE: RTP Stream

     
    Posted 10-15-2019 03:14

    The policy appears correct I assume it appears before any allow all policy so it can be engaged.  Assuming the Avaya call processor is also encompassed by the ip addresses in the two ranges you include for the phones.  If not you need to add an address object for the Avaya as well.

     

    You can confirm all the details of policy processing during a call attempt with this command.  It should verify you are hitting the correct policy and engaging the alg.  Run on the side where the call is initiated.

     

    show security flow session source-address 1.1.1.1 destination-address 2.2.2.2

     

    The alg stats are here

    show security alg h323 counters

     

    If these show that we are hitting the right policy and the alg then trace options might have more detail on the issue.  These configure to pull a detailed process on the flow.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

     

     



  • 7.  RE: RTP Stream

    Posted 10-16-2019 03:27

    **Solved**

     

    Ok, so running H323 over a VPN requires the disabling of both SIP ALG and H323 ALG

     

    ALG Status :
    DNS : Enabled
    FTP : Enabled
    H323 : Disabled
    MGCP : Enabled
    MSRPC : Disabled
    PPTP : Enabled
    RSH : Disabled
    RTSP : Disabled
    SCCP : Disabled
    SIP : Disabled
    SQL : Disabled
    SUNRPC : Enabled
    TALK : Enabled
    TFTP : Enabled
    IKE-ESP : Enabled

     

    Then I created a security policy as per the assitance on this thread for junos-h323 only (And then another policy for application 'any'

     

    I now have RTP in both directions. Thanks for everyones input.