SRX

 View Only
last person joined: 18 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX SIP Phone issues

    Posted 08-29-2019 06:57

    Hello All,

    We have SIP phones(mostly yealink) and they are all in separate zone. It was very hard to make them working, we had to disable SIP, SCCP, Talk on SRX300, otherwise phones didn't register or unable to call. Phones are allowed to internet without any restriction and everything is NATed.

     

    Users are complaining that time to time they don't hear the otherside or just hear some words but not all. Did you experince this on SRX? What is the best practive for VOIP phones on SRX?

     

    Please se my ALG settings.

     

    Thank you in advance.

    Isac

     

    h323h323mainmainsscpsscpsipsip

     


    #SIP
    #ALG
    #VoIP


  • 2.  RE: SRX SIP Phone issues

    Posted 08-29-2019 07:27

    Hi JPSec,

     

    Could you please provide me with the following inputs?

     

    • Junos version running on the SRX
    • May I know whether the NAT is happening on the SRX or on the downstream/upstream devices?
    • If NAT is happening on the SRX, is SIP ALG enabled?
    • What is the frequency of call disconnection or is there any pattern observed?
    • It would be great if you could share me the topology.


  • 3.  RE: SRX SIP Phone issues

    Posted 08-29-2019 15:28

    Hi JPSEC,

     - First thing to do on such cases related to Softphones/VOIP Phones 

       - Be on Juniper recommended Junos version First 

       - Disable ALG if they are NAT'ed

    -  If you have test devices ( with Source and Destination IP),you can also see the packets with the flow traceoptions as well

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32586&cat=SRX_3600&actp=LIST

     In order for you to clearly capture,please configure on your machine the below configuration 

     

    set security flow traceoptions file voip-trace
    set security flow traceoptions file size 10m
    set security flow traceoptions file files 5
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter outgoing-audio protocol udp
    set security flow traceoptions packet-filter outgoing-audio source-prefix x.x.x.x
    set security flow traceoptions packet-filter outgoing-audio destination-prefix y.y.y.y
    set security flow traceoptions packet-filter incoming-audio protocol udp
    set security flow traceoptions packet-filter incoming-audio source-prefix y.y.y.y
    set security flow traceoptions packet-filter incoming-audio destination-prefix x.x.x.x
    commit 

    - Either check it on the SRX itself 

    show log voip-trace 

    See if there is any drops

    *** FYI This flow traceoptions might consume your CPU if you leave them on so you need to deactivate it once you captured the packet(The above KB link will help on how to do that)

     

    Thanks,

    Sintayehu Garedew



  • 4.  RE: SRX SIP Phone issues

    Posted 09-02-2019 03:17

    Hello Sintayehu,

    I enabled the trace options like you suggested. Of course I see only match to outgoing-audio filter since there is no inbound-nat or security rule from Internet. I was using Cisco firewalls before and they were working well , these issues started after replacing them with Juniper. So please advise if I need to allow some ports from outside to inside?

     

    Thanks

    Isac



  • 5.  RE: SRX SIP Phone issues
    Best Answer

    Posted 09-02-2019 03:33

    Since these are SIP phones you will need to do two things.

     

    1-enable the SIP ALG

    This will automatically allow the inbound high ports for the audio stream

     

    2-Create a specific outbound policy for the SIP phones to the internet and use the SIP application (not any) in this

    This will let the ALG know that the traffic hitting the policy is SIP traffic and watch for the high port replies being the audio stream to allow the traffic

     



  • 6.  RE: SRX SIP Phone issues

    Posted 09-02-2019 04:53

    Hello Steve @spukula

    thank you for your message. I tried to enable SIP when I first migrated to Junipers and phones didn't register to the ISP or weren't authorized to call (Call forbiden message on the screen). They started to work after I disabled the SIP and SCCP.  That time also I allowed any. Do you think if I enable SIP and allow junos-sip I won't have these issues again?

     

    Thank you.

    Isac



  • 7.  RE: SRX SIP Phone issues

    Posted 09-02-2019 05:34

    The SIP ALG alone will not work.

     

    You also need the matching policy using the sip application for the outbound phones for it to properly register the sessions.

     



  • 8.  RE: SRX SIP Phone issues

    Posted 09-02-2019 07:33

    Hello Steve,

    THank you. I'll try that. I have a question before doing that. Users are complaining that they cannot hear the other side usually when they call the land lines but they can hear when they call the mobile phones.

    We had similar issue with some of the phone models before because RTP Encryption was enabled, they worked after we disabled it on the phones.

     

    Do you think this is still related to SIP ALG?

    Thank you very much again.

     

    Cheers,

    ISac



  • 9.  RE: SRX SIP Phone issues

    Posted 09-02-2019 10:31

    One way only audio is one of the symptoms of the ALG not fully engaged.

     

    What the ALG system actually does are these steps.

    The outbound phone connection is seen by the policy that permits SIP from these devices.

    The phone has a udp outbound stream that is also permited by that policy

    The inbound udp stream would normally hit the inbound block pollicy.  But the outbound policy tells the ALG to watch for this udp high port stream for this phone ip address and allows the connection inbound to work.

     

    If you don't want to setup the policy plus ALG the alternative is to create an untrust to internal zone policy.

    To do this you need to lookup from the SIP phone provider the udp port range used by the phones.

    Then create an untrust to internal policy that permits the entire range inbound to the nat address destination that will be used by your SIP phones.   This is less preferred because it opens the whole range all the time rather than pin holes on a per call basis but it will work.

     



  • 10.  RE: SRX SIP Phone issues

    Posted 09-02-2019 00:29

    Hello,

    Thank you for your messages. We have very simple topology, PCs and phones are connected to same cisco switch port, LLDP/CDP enabled and phones are in Phones zone (Please see attached.) Other info is below.

     

    Thanks again.

     

    FIRMWARE version:  JUNOS 15.1X49-D150.2

     

    ALG STATUS

     

    afw> show security alg status

    fw> show security alg status
    ALG Status :
    DNS : Disabled
    FTP : Enabled
    H323 : Enabled
    MGCP : Enabled
    MSRPC : Enabled
    PPTP : Enabled
    RSH : Disabled
    RTSP : Enabled
    SCCP : Disabled
    SIP : Disabled
    SQL : Disabled
    SUNRPC : Enabled
    TALK : Disabled
    TFTP : Enabled
    IKE-ESP : Disabled

    {primary:node1}

     

    ONLY NAT - from inside to outside

     

    set security nat source rule-set PHONES-nat-INTERNET from zone PHONES
    set security nat source rule-set PHONES-nat-INTERNET to zone INTERNET
    set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat match destination-address 0.0.0.0/0
    set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat match destination-address-name internet-ipv4
    set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat match application any
    set security nat source rule-set PHONES-nat-INTERNET rule PHONES-nat then source-nat interfacPhones.PNG