  • 1.  SRX 345 - SIP Issues -- PARSE_ERR & FSM_DROP

    Posted 02-27-2022 07:51
    Hi, I'm new to Juniper firewalls and still trying to get across things.
    I've hit an issue and am looking for some direction please.

    I have an SRX 345 (JUNOS 17.4, I know it's old but can't change it atm).
    General traffic is OK, but I'm trying to get SIP going from the inside server to kit outside.

    I'm not sure if these errors are because of the SRX dropping due to misconfig or issues with the audio setup.
    Errors on the logs:
    RT_ALG_NTC_PARSE_ERR: SIP ALF Process packet error 10.3.#.#/5068->10.1.#.#/5060
    RT_ALG_NTC_FSM_DROP: SIP ALG wont create call for ACK or Bye Request

    These are happening consistently and often between the audio device outside (10.3.#.#) to the SIP SRV inside (10.1.#.#).
    I enabled the ALG SIP permit Route and also the permit NAT. It hasn't helped, still can get a connection through.
    The SRX is the Router and the FWL, all inside VLAN have interface on the SRX.
    I am going to disable ALG tomorrow and see if that helps.
    Any assistance or ideas would be appreciated.

    thank you
    Dave

    ------------------------------
    DAVID JOHNSTON
    ------------------------------


  • 2.  RE: SRX 345 - SIP Issues -- PARSE_ERR & FSM_DROP

    Posted 02-28-2022 06:13
    I disabled SIP from the ALG and the events have stopped

    ------------------------------
    DAVID JOHNSTON
    ------------------------------



  • 3.  RE: SRX 345 - SIP Issues -- PARSE_ERR & FSM_DROP

    Posted 02-28-2022 19:55
    To effectively use the SIP ALG you also need to configure a specific policy that has the SIP application match for your traffic. This CANNOT be a general accept-all policy.

    Once you have a specific policy with the application and the ALG enabled, then the behavior of allowing all the SIP-related traffic will work as expected, allowing the inbound reverse-direction traffic associated with the SIP protocol.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
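
A sketch of the kind of policy described in the last reply, added here as an example and not taken from any of the posts. The zone names (`untrust`, `trust`), policy names (`allow-sip`, `permit-all`), address-book entry names and the bracketed addresses are assumptions; the direction follows the log line in the first post (outside device to inside server on port 5060).

```junos
# --- configuration mode ---
# Address-book entries; replace the bracketed placeholders with real hosts.
set security address-book global address audio-device <AUDIO_DEVICE_IP>/32
set security address-book global address sip-server <SIP_SERVER_IP>/32

# Dedicated policy that matches the predefined SIP application,
# scoped to the two endpoints instead of any/any.
set security policies from-zone untrust to-zone trust policy allow-sip match source-address audio-device
set security policies from-zone untrust to-zone trust policy allow-sip match destination-address sip-server
set security policies from-zone untrust to-zone trust policy allow-sip match application junos-sip
set security policies from-zone untrust to-zone trust policy allow-sip then permit
set security policies from-zone untrust to-zone trust policy allow-sip then log session-init session-close

# Policies are evaluated top-down, so the SIP policy has to sit above
# any general permit policy (assumed here to be named permit-all).
insert security policies from-zone untrust to-zone trust policy allow-sip before policy permit-all

# Re-enable the SIP ALG if it was disabled while troubleshooting.
delete security alg sip disable

commit check
commit

# --- operational mode: confirm the ALG is on and is tracking calls ---
show security alg status
show security alg sip calls
show security alg sip counters
show security policies from-zone untrust to-zone trust policy-name allow-sip detail
```

With the ALG tracking the call, the media and reverse-direction flows are opened per call, so no wide port-range permit is needed for them.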