SRX

Expand all | Collapse all

Tftp traffic for IPphone

Jump to Best Answer
  • 1.  Tftp traffic for IPphone

    Posted 03-21-2019 01:33

    Hi 

    I have a problem about TFTP traffic which is passed on firewall. 

     

    SIP server ---------------- FW ----------------- IPphone

     

    My IPphone will be assigned an IP address from Firewall. First step is IPphone must download firmware from SIP server. All traffic will be NAT (Source NAT + proxyARP and address persistant is enabled).  It seems like IPphone can't download firmware via TFTP. I captured packet. The output are below

     

    Capture1.PNG

     

    Please suggest me. 

     

     



  • 2.  RE: Tftp traffic for IPphone

     
    Posted 03-21-2019 03:01

    Looks like the icmp traffic is what is blocked while the tftp seems to be working.  Do you have ping allowed in the policy that permits the tftp traffic?

     



  • 3.  RE: Tftp traffic for IPphone

    Posted 03-24-2019 22:23
    Steve, Thank you for your answering

    I didn't allow ICMP within TFTP policy but i have default policy that allow all policy was applied at the last. Should I apply its within TFTP policy?


  • 4.  RE: Tftp traffic for IPphone

     
    Posted 03-25-2019 02:27

    From the view it looks like the icmp needs to be permitted in the opposite direction as the tftp download.  The policy would be from the server to the client in this case that is not working.

     



  • 5.  RE: Tftp traffic for IPphone

     
    Posted 03-24-2019 23:53

    I belive these ICMP messages are not a reply for an ICMP req, but rather the server informing that the port is not availabel, most possible reason is the server is busy. Can you share the complete pcap?



  • 6.  RE: Tftp traffic for IPphone

    Posted 03-25-2019 20:24

    Complete PCAP file is in link below (I can't attach file).

    https://drive.google.com/file/d/1rKgJo0P1MVRw9g4onExtMtP4ttrkVpUn/view?usp=sharing

     

    You can filter for TFTP only. And I already allow policy from server to client. There's no hit count.



  • 7.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:02

    Updated 

    I move IPphone without NAT performing. It's working normaly. 

    Any ideas?



  • 8.  RE: Tftp traffic for IPphone

     
    Posted 03-26-2019 00:45

    can you collect "show security flow session source-prefix <iphone ip> destination-prefix <server IP>" in both scenarios



  • 9.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:55

    Output are below.

     

    root# ...ion source-prefix 192.168.20.70 destination-prefix 10.105.62.53
    Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
    Resource information : TFTP ALG, 9, 0
    In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
    Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

    Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
    Resource information : TFTP ALG, 11, 0
    In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
    Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
    Total sessions: 2

     

     

    root# ...ion source-prefix 10.105.62.53 destination-prefix 192.168.20.70
    Total sessions: 0

     



  • 10.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:59

    What is tftp alg status? is it in disabled state? if yes, enable it and check

    show security alg status

     



  • 11.  RE: Tftp traffic for IPphone

     
    Posted 03-26-2019 01:09
    I believe this is with NAT, do you have same for without NAT?


  • 12.  RE: Tftp traffic for IPphone
    Best Answer

     
    Posted 03-26-2019 03:04

    It looks like you are doing source nat on the IP phone is that correct?

     

    This would be why the reverse icmp traffic does not work.  The server is trying to ping the nat address and it would need a destination or static nat rule in place for that to work.

     

    Is that source nat required?

     



  • 13.  RE: Tftp traffic for IPphone

    Posted 03-27-2019 06:38

    Hi Spuluka,

    You're correct. I configured source NAT (pool) at first. It's till not working. Then I configure source NAT (1:1 mapping) with destination NAT instead of an old way. Problem is gone! 

     

    But mow, TFTP is done but IPphone still can't make a call. I think. Root cause is NAT. Could you suggest me what type of NAT is recommended for IP Phone? Source NAT or Static NAT?

     



  • 14.  RE: Tftp traffic for IPphone

    Posted 03-27-2019 06:47
    I believe port randomization is causing issue. It is enabled by default in source Nat and disabled in static Nat. You may verify this by disabling source Nat port randomization.



  • 15.  RE: Tftp traffic for IPphone

     
    Posted 03-27-2019 14:48

    Progress at least.

     

    Make sure your policy to allow the connection uses the specific application that matches your pbx system and not just the "any" application.  

     

    Then make sure the matching ALG for the pbx application is turned on for the SRX.

     

    This will allow the ALG to permit the random high ports for the call streams to occur for the calls to work.

     

    The alternative is to find the protocol (usually udp) direction and port ranges used by the calling protocol and setup policies that allow those streams to occur.