Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  SRX 345 - SIP Issues -- PARSE_ERR & FSM_DROP

    Posted 02-27-2022 07:51
    Hi, I'm new to Juniper firewalls and still trying to get across things.
    I've hit an issue and am looking for some direction please.

    I have a SRX 345 (JUNOS17.4, I know it's old but can't change it atm).
    General traffic is ok, but I'm trying to get SIP going from inside server to kit outside.

    I'm not sure if these errors are because of the SRX dropping due to misconfig or issues with the audio setup.
    Errors on the logs:
    RT_ALG_NTC_PARSE_ERR: SIP ALF Process packet error 10.3.#.#/5068->10.1.#.#/5060
    RT_ALG_NTC_FSM_DROP: SIP ALG wont create call for ACK or Bye Request

    These are happening consistently and often between the audio device outside (10.3.#.#) and the SIP SRV inside (10.1.#.#).
    I enabled the ALG SIP permit Route and also the permit NAT. It hasn't helped, still can get a connection through.
    The SRX is the router and the FWL; all inside VLANs have an interface on the SRX.
    I am going to disable ALG tomorrow and see if that helps.
    Any assistance or ideas would be appreciated.

    thank you
    Dave

    ------------------------------
    DAVID JOHNSTON
    ------------------------------


  • 2.  RE: SRX 345 - SIP Issues -- PARSE_ERR & FSM_DROP

    Posted 02-28-2022 06:13
    I disabled SIP from the ALG and the events have stopped

    ------------------------------
    DAVID JOHNSTON
    ------------------------------



  • 3.  RE: SRX 345 - SIP Issues -- PARSE_ERR & FSM_DROP

    Posted 02-28-2022 19:55
    To effectively use the SIP ALG you also need to configure a specific policy that has the SIP application match for your traffic. This CANNOT be a general accept-all policy.

    Once you have a specific policy with the application and the ALG enabled, then the behavior of allowing all the SIP-related traffic will work as expected, allowing the inbound reverse-direction traffic associated with the SIP protocol.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
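
The policy arrangement described in reply 3, written out as Junos configuration-mode commands. This is an added example, not configuration posted by anyone in the thread. The zone names (`untrust`, `trust`), the address and policy names, and every `<placeholder>` value are assumptions to be replaced with the values from the actual device.

```junos
# Added example: names and <placeholders> are assumptions, not from the thread.

# 1. Re-enable the SIP ALG if it was turned off with "set security alg sip disable".
delete security alg sip disable

# 2. Name the two SIP endpoints so the policy matches hosts, not whole subnets.
set security address-book global address SIP-SERVER <sip-server-ip>/32
set security address-book global address AUDIO-DEVICE <audio-device-ip>/32

# 3. Dedicated policy for the direction seen in the log (outside device -> inside
#    server, destination port 5060). It matches the predefined application
#    junos-sip rather than "application any", so the session is handed to the ALG.
set security policies from-zone untrust to-zone trust policy allow-sip match source-address AUDIO-DEVICE
set security policies from-zone untrust to-zone trust policy allow-sip match destination-address SIP-SERVER
set security policies from-zone untrust to-zone trust policy allow-sip match application junos-sip
set security policies from-zone untrust to-zone trust policy allow-sip then permit
set security policies from-zone untrust to-zone trust policy allow-sip then log session-close

# 4. Policies are evaluated top-down. Place the SIP policy ahead of any general
#    permit policy in the same zone pair, otherwise the general one matches first.
insert security policies from-zone untrust to-zone trust policy allow-sip before policy <general-permit-policy>

# 5. If the inside server also initiates SIP towards the outside device, repeat
#    step 3 and step 4 for from-zone trust to-zone untrust with the addresses swapped.

# 6. Validate and apply.
commit check
commit

# 7. Confirm the ALG is on, the policy order is right, and calls are being tracked.
run show security alg status
run show security policies from-zone untrust to-zone trust
run show security alg sip calls
run show security alg sip counters
```

With the ALG handling the signalling on this policy, no separate wide-open rule for the media ports is needed; the `session-close` log on `allow-sip` shows whether SIP sessions are hitting the dedicated policy or still falling through to the general one.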