We have SIP phones (mostly Yealink) and they are all in a separate zone. It was very hard to make them work; we had to disable the SIP, SCCP and Talk ALGs on the SRX300, otherwise the phones didn't register or were unable to call. Phones are allowed to the internet without any restriction and everything is NATed.
Users are complaining that from time to time they don't hear the other side, or just hear some words but not all. Did you experience this on SRX? What is the best practice for VoIP phones on SRX?
Please see my ALG settings.
Thank you in advance.
Could you please provide me with the following inputs?
- First things to do in such cases related to softphones/VoIP phones:
- Be on the Juniper recommended Junos version first
- Disable the ALG if they are NAT'ed
- If you have test devices (with source and destination IP), you can also see the packets with the flow traceoptions as well
In order to capture this clearly, please configure the configuration below on your device:
set security flow traceoptions file voip-trace
set security flow traceoptions file size 10m
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter outgoing-audio protocol udp
set security flow traceoptions packet-filter outgoing-audio source-prefix x.x.x.x
set security flow traceoptions packet-filter outgoing-audio destination-prefix y.y.y.y
set security flow traceoptions packet-filter incoming-audio protocol udp
set security flow traceoptions packet-filter incoming-audio source-prefix y.y.y.y
set security flow traceoptions packet-filter incoming-audio destination-prefix x.x.x.x
commit
- Either check it on the SRX itself
show log voip-trace
See if there are any drops.
*** FYI: these flow traceoptions might consume your CPU if you leave them on, so you need to deactivate them once you have captured the packets (the above KB link will help on how to do that).
I enabled the trace options like you suggested. Of course I only see matches to the outgoing-audio filter, since there is no inbound NAT or security rule from the Internet. I was using Cisco firewalls before and they were working well; these issues started after replacing them with Juniper. So please advise if I need to allow some ports from outside to inside?
Since these are SIP phones you will need to do two things.
1. Enable the SIP ALG.
This will automatically allow the inbound high ports for the audio stream.
2. Create a specific outbound policy for the SIP phones to the internet and use the SIP application (not any) in it.
This will let the ALG know that the traffic hitting the policy is SIP traffic and watch for the high-port replies that are the audio stream, allowing the traffic.
Hello Steve @spukula
Thank you for your message. I tried to enable SIP when I first migrated to the Junipers and the phones didn't register to the ISP or weren't authorized to call ("Call forbidden" message on the screen). They started to work after I disabled SIP and SCCP. At that time I also allowed any. Do you think if I enable SIP and allow junos-sip I won't have these issues again?
The SIP ALG alone will not work.
You also need the matching policy using the sip application for the outbound phones for it to properly register the sessions.
Thank you. I'll try that. I have a question before doing that. Users are complaining that they cannot hear the other side, usually when they call landlines, but they can hear when they call mobile phones.
We had similar issue with some of the phone models before because RTP Encryption was enabled, they worked after we disabled it on the phones.
Do you think this is still related to SIP ALG?
Thank you very much again.
One-way audio is one of the symptoms of the ALG not being fully engaged.
What the ALG system actually does is these steps:
The outbound phone connection is seen by the policy that permits SIP from these devices.
The phone has a UDP outbound stream that is also permitted by that policy.
The inbound UDP stream would normally hit the inbound block policy. But the outbound policy tells the ALG to watch for this UDP high-port stream for this phone IP address and allows the inbound connection to work.
If you don't want to set up the policy plus ALG, the alternative is to create an untrust to internal zone policy.
To do this you need to look up from the SIP phone provider the UDP port range used by the phones.
Then create an untrust to internal policy that permits the entire range inbound to the NAT destination address that will be used by your SIP phones. This is less preferred because it opens the whole range all the time rather than pinholes on a per-call basis, but it will work.
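As an added example (not configuration posted in this thread), the preferred ALG-plus-policy approach above written as Junos set commands for this thread's PHONES and INTERNET zones; the policy names PHONES-SIP-OUT and PHONES-ANY-OUT are assumptions, and the # lines are explanatory comments.

```junos
# Re-enable the SIP ALG. ALGs are on by default; this thread had explicitly disabled it,
# so the disable knob is removed rather than anything being "set".
delete security alg sip disable

# Dedicated outbound policy from the PHONES zone matching junos-sip instead of any.
# Matching on the SIP application is what tells the ALG to inspect the signalling and
# open per-call pinholes for the returning RTP high-port UDP stream.
set security policies from-zone PHONES to-zone INTERNET policy PHONES-SIP-OUT match source-address any
set security policies from-zone PHONES to-zone INTERNET policy PHONES-SIP-OUT match destination-address any
set security policies from-zone PHONES to-zone INTERNET policy PHONES-SIP-OUT match application junos-sip
set security policies from-zone PHONES to-zone INTERNET policy PHONES-SIP-OUT then permit

# Policies are evaluated top-down. The SIP policy must sit above the existing permit-any
# policy (assumed name PHONES-ANY-OUT); otherwise the broad policy matches first and the
# ALG never engages, which reproduces the one-way-audio symptom.
insert security policies from-zone PHONES to-zone INTERNET policy PHONES-SIP-OUT before policy PHONES-ANY-OUT

commit

# Verification after a test call: the ALG should list the call, and the flow table should
# show the SIP session plus its RTP child sessions, with no inbound INTERNET-to-PHONES policy.
run show security alg sip calls
run show security flow session application sip
```

If the ALG still shows no calls, confirm with show security policies that PHONES-SIP-OUT is hit before the permit-any policy; the existing interface source NAT from this thread needs no change.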
Thank you for your messages. We have a very simple topology: PCs and phones are connected to the same Cisco switch port, LLDP/CDP is enabled, and the phones are in the Phones zone (please see attached). Other info is below.
FIRMWARE version: JUNOS 15.1X49-D150.2
fw> show security alg status
ALG Status :
DNS : Disabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Enabled
SCCP : Disabled
SIP : Disabled
SQL : Disabled
SUNRPC : Enabled
TALK : Disabled
TFTP : Enabled
IKE-ESP : Disabled
ONLY NAT - from inside to outside:
set security nat source rule-set PHONES-nat-INTERNET from zone PHONES
set security nat source rule-set PHONES-nat-INTERNET to zone INTERNET
set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat match destination-address 0.0.0.0/0
set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat match destination-address-name internet-ipv4
set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat match application any
set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat then source-nat interfac