
Vonage VOIP configuration

Hello,

I've scoured through all the Sophos, Reddit and internet forums I can, but I'm at my wits' end here.

Equipment: SG-125 (Latest Patches)
Internet Service: 1 Gbps down, 50 Mbps up (approximately)
Public IP Addresses Available: 5 total, 3 are available.
VOIP/SIP Provider : Vonage
VOIP/SIP Ports: (From Vonage business site) Vonage Business Support
The following ports are suggested for OUTGOING internet communications from the SIP device to our servers:

DNS: Port 53 UDP
TFTP: Port 21, 69, 2400 UDP
HTTP: Port 80 UDP
NTP: Port 123 UDP
SIP: Port 5060 UDP
RTP: Port 10000-30000 UDP

The following ports are needed for INCOMING and OUTGOING Internet communications from and to Vonage devices and servers.

RTP (Voice) Traffic: Ports 10000-30000 UDP.
_________________________________________

So we're not experiencing complete failure, as we can receive calls, but rather the call audio can be really glitchy, skippy, or audio will drop out completely. These phases seem to come and go with no real rhyme or reason. I'm not seeing any dropped packets, and if I run tcpdump udp portrange 10000-30000 I can see traffic is moving.

Because Vonage uses DNS NAPTR, I can't make firewall rules to explicitly allow the traffic through from certain IPs. Same goes for the SIP helper, which is currently disabled. I reserved all the IPs for the VOIP phones in our DHCP and made this firewall rule:



Which is far from ideal.

In the live firewall, I see the occasional entry like this:

.137 is indeed one of our VOIP phones.

 

IPS is also disabled right now as part of the troubleshooting, because with it enabled, it seemed to make the situation much worse.

 

EDIT:

 

Actually, I'm seeing dropped packets

Earlier UDP entry

 

I have no idea where to even start with this.
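
Seeing UDP 10000-30000 scroll past in tcpdump proves packets are moving, not that none are missing or late. Every RTP packet carries a sequence number and a timestamp, so a capture of one direction can be scored for loss and interarrival jitter (RFC 3550) per stream, which is what "glitchy, skippy" audio usually comes down to. The following is an added example, not code from the thread, Vonage or Sophos. It assumes G.711 at 8 kHz (160 timestamp ticks per 20 ms packet) and, instead of reading a real pcap, builds a constructed 50-packet stream in which one packet is dropped and every seventh packet arrives 12 ms late.

```python
import struct
from dataclasses import dataclass

# Assumption (the thread does not say which codec is negotiated): G.711 at 8 kHz
# with 20 ms packets, so the RTP timestamp advances 160 ticks per packet.
RTP_CLOCK_HZ = 8000


def parse_rtp(payload: bytes):
    """Decode the fixed 12-byte RTP header (RFC 3550 5.1). Returns
    (payload_type, seq, timestamp, ssrc), or None if this is not RTP v2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        return None
    return b1 & 0x7F, seq, ts, ssrc


@dataclass
class StreamStats:
    ssrc: int
    payload_type: int
    received: int = 0
    base_seq: int = 0
    max_ext_seq: int = 0    # highest sequence number seen, extended past 16 bits
    last_transit: int = 0   # arrival - timestamp of the previous packet, in ticks
    jitter: float = 0.0     # RFC 3550 A.8 interarrival jitter estimate, in ticks
    reordered: int = 0      # packets that arrived late or duplicated

    def update(self, arrival_s: float, seq: int, ts: int) -> None:
        transit = round(arrival_s * RTP_CLOCK_HZ) - ts
        if self.received == 0:
            self.base_seq = self.max_ext_seq = seq
        else:
            # Extend the 16-bit sequence number: a wrap at 65535 must not look like
            # 65k lost packets, and a straggler from before the wrap is not a jump ahead.
            max_seq = self.max_ext_seq & 0xFFFF
            cycles = self.max_ext_seq - max_seq
            if seq < max_seq and max_seq - seq > 32768:
                cycles += 65536
            elif seq > max_seq and seq - max_seq > 32768:
                cycles -= 65536
            ext = cycles + seq
            if ext > self.max_ext_seq:
                self.max_ext_seq = ext
            else:
                self.reordered += 1
            # Jitter: smoothed absolute change in transit time, packet to packet.
            d = abs(transit - self.last_transit)
            self.jitter += (d - self.jitter) / 16
        self.last_transit = transit
        self.received += 1

    @property
    def expected(self) -> int:
        return self.max_ext_seq - self.base_seq + 1

    @property
    def lost(self) -> int:
        return self.expected - self.received

    def summary(self) -> dict:
        return {
            "ssrc": f"0x{self.ssrc:08x}", "pt": self.payload_type,
            "received": self.received, "expected": self.expected, "lost": self.lost,
            "loss_pct": round(100.0 * self.lost / self.expected, 2),
            "jitter_ms": round(self.jitter * 1000 / RTP_CLOCK_HZ, 2),
            "reordered": self.reordered,
        }


def analyze(packets):
    """packets: iterable of (arrival_seconds, udp_payload) for one direction.
    Returns {ssrc: StreamStats}; non-RTP payloads (STUN, stray SIP) are skipped."""
    streams = {}
    for arrival, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is not None:
            pt, seq, ts, ssrc = hdr
            streams.setdefault(ssrc, StreamStats(ssrc, pt)).update(arrival, seq, ts)
    return streams


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes = b"\xff" * 160) -> bytes:
    """RTP v2 packet with no padding, extension or CSRCs (used to build the sample)."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def sample_capture():
    """Constructed 50-packet PCMU stream: packet 10 never arrives and every
    seventh packet is 12 ms late. On a real case, feed (time, payload) pairs
    read from a pcap of the 10000-30000 range instead."""
    pkts = []
    for i in range(50):
        if i == 10:
            continue
        late = 0.012 if i % 7 == 3 else 0.0
        pkts.append((0.020 * i + late, build_rtp(0, 1000 + i, 16000 + 160 * i, 0x1A2B3C4D)))
    return pkts
```

To use this on the real problem, extract (arrival time, UDP payload) pairs per direction from the capture (tshark or a pcap library, filtered to one phone and the RTP range) and pass each direction to analyze() separately. Loss above about 1% or jitter above roughly 20-30 ms in one direction is the usual rule of thumb for audible damage, and knowing which direction is bad tells you whether to look at the inbound DNAT path or the outbound one.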



  • Look up NAT traversal ports. I think the ports in red are for this purpose. Vonage thinks they have to deal with dumb users who have any-to-any allow rules.

    check this:

    voipstudio.com/.../

  • one question:

    Are you serious with 119 rules? [:)]

  • Most of those are auto-generated. We have 22 Phase 1 tunnels, something like 100 Phase 2s.

  • Hi again, Nicholas,

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post one line corresponding to the drop above.

    What do you learn from doing the rest of #1 in Rulz?

    Cheers - Bob
    PS Agreed with oldeda - that's a lot of rules on a 125.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Accepted packet:

    2018:03:22-00:00:36 zm-fw-01 ulogd[4923]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="119" initf="eth0" outitf="eth1" srcmac="80:5e:c0:01:36:0c" dstmac="00:1a:8c:46:f2:78" srcip="10.13.13.105" dstip="35.169.28.143" proto="6" length="917" tos="0x08" prec="0x60" ttl="63" srcport="12654" dstport="10002" tcpflags="ACK PSH" 


    Although looking at the logs and Wireshark, there doesn't seem to be any packet loss actually. Wireshark's RTP decode shows that all the packets from Office Phone 1 ---> Vonage ---> Office Phone 2 are arriving.



    There's nothing in the intrusion prevention/Threat protection logs. UDP Flooding is disabled. Application control is disabled.

    Just ran through rule 1, and subsequently rules 3-5 as well.
    Application control log shows a lot of this:
    2018:03:22-11:09:53 zm-fw-01 afcd[19844]: vy_plugin: E: failed to parse DNS RR in answer section of length 38 at offset 30 [0E 5A 65 74 74 61 6D 65 64 2D 41 57 53 30 31 05 7A 65 74 74 61 05 6C 6F 63 61 6C 00 00 05 00 FE 00 00 00 00 00 00], unsupported resource records class (Success)

    This as well:

    2018:03:22-11:06:22 zm-fw-01 afcd[13818]:      RTP (nfmark 000001a7):    792 packets,  91 connections

    For good measure I checked rule 7 too.

    As far as the physical limitations of the SG125 go, if there are too many FW rules or DNATs/SNATs, will it really be problematic?


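The full Firewall log line above is ulogd output: a timestamp and host, then key="value" pairs. To turn the occasional Live Log glimpse into something countable, here is an added example (mine, not from the thread, Sophos or Vonage) that parses such lines and tallies only UDP drops in Vonage's 10000-30000 RTP range, split by direction relative to the phones. The accepted TCP line is the one posted above; the three drop lines, the non-RTP UDP drop, the address 203.0.113.10 (a documentation address standing in for a Vonage media server), the phone address 10.13.13.137 and the fwrule value 60001 are constructed for the sample. Note that the accepted line, TCP to port 10002, is correctly not counted as RTP.

```python
import re
from collections import Counter

# ulogd packetfilter line: "<timestamp> <host> ulogd[<pid>]: key="value" key="value" ..."
PREFIX_RE = re.compile(r"^(\S+) (\S+) ulogd\[\d+\]: ")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

RTP_PORTS = range(10000, 30001)  # the RTP range Vonage publishes


def parse_ulogd(line: str):
    """Fields of a ulogd packetfilter line as a dict, or None for any other daemon's line."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2)}
    rec.update(KV_RE.findall(line[m.end():]))   # values may contain spaces (tcpflags="ACK PSH")
    return rec


def is_rtp_udp(rec: dict) -> bool:
    """UDP (proto 17) with either port inside the RTP range. TCP to 10002 does not count."""
    if rec.get("proto") != "17":
        return False
    return any(int(rec.get(k, 0)) in RTP_PORTS for k in ("srcport", "dstport"))


def summarize_rtp_drops(lines, phones):
    """Count dropped RTP packets per (direction, srcip, dstip, fwrule, ingress interface).

    phones: the phones' reserved IPs, so a drop is labelled inbound (towards a
    phone) or outbound (from a phone); anything else is "other".
    """
    drops = Counter()
    for line in lines:
        rec = parse_ulogd(line)
        if rec is None or rec.get("action") != "drop" or not is_rtp_udp(rec):
            continue
        if rec.get("dstip") in phones:
            direction = "inbound"
        elif rec.get("srcip") in phones:
            direction = "outbound"
        else:
            direction = "other"
        drops[(direction, rec.get("srcip"), rec.get("dstip"), rec.get("fwrule"), rec.get("initf"))] += 1
    return drops


# Constructed sample log. Line 0 is the accepted TCP line from the thread; the
# drop lines, 203.0.113.10, the phone 10.13.13.137 and fwrule 60001 are made up.
SAMPLE_LOG = [
    '2018:03:22-00:00:36 zm-fw-01 ulogd[4923]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="119" initf="eth0" outitf="eth1" srcmac="80:5e:c0:01:36:0c" dstmac="00:1a:8c:46:f2:78" srcip="10.13.13.105" dstip="35.169.28.143" proto="6" length="917" tos="0x08" prec="0x60" ttl="63" srcport="12654" dstport="10002" tcpflags="ACK PSH"',
    '2018:03:22-14:50:49 zm-fw-01 ulogd[4923]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1a:8c:46:f2:79" dstmac="00:1a:8c:46:f2:78" srcip="203.0.113.10" dstip="10.13.13.137" proto="17" length="214" tos="0xb8" prec="0xa0" ttl="52" srcport="19442" dstport="16384"',
    '2018:03:22-14:50:50 zm-fw-01 ulogd[4923]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1a:8c:46:f2:79" dstmac="00:1a:8c:46:f2:78" srcip="203.0.113.10" dstip="10.13.13.137" proto="17" length="214" tos="0xb8" prec="0xa0" ttl="52" srcport="19442" dstport="16384"',
    '2018:03:22-14:50:50 zm-fw-01 ulogd[4923]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="80:5e:c0:01:36:1f" dstmac="00:1a:8c:46:f2:78" srcip="10.13.13.137" dstip="203.0.113.10" proto="17" length="214" tos="0xb8" prec="0xa0" ttl="64" srcport="16384" dstport="19442"',
    '2018:03:22-14:50:51 zm-fw-01 ulogd[4923]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="80:5e:c0:01:36:0c" dstmac="00:1a:8c:46:f2:78" srcip="10.13.13.105" dstip="203.0.113.20" proto="17" length="1250" tos="0x00" prec="0x00" ttl="64" srcport="53211" dstport="443"',
    '2018:03:22-11:06:22 zm-fw-01 afcd[13818]:      RTP (nfmark 000001a7):    792 packets,  91 connections',
]

if __name__ == "__main__":
    for key, n in sorted(summarize_rtp_drops(SAMPLE_LOG, {"10.13.13.137"}).items()):
        print(n, *key)
```

Run it against the real packetfilter log with the phones' reserved IPs in the set: inbound drops on the WAN interface point at the DNAT/allow path for media arriving from addresses the NAPTR lookups did not cover, outbound drops at the phone-to-Vonage rule, and the fwrule column shows which rule (or the default drop) is doing it.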

  • 2018:03:22-00:00:36 zm-fw-01 ulogd[4923]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="119" initf="eth0" outitf="eth1" srcmac="80:5e:c0:01:36:0c" dstmac="00:1a:8c:46:f2:78" srcip="10.13.13.105" dstip="35.169.28.143" proto="6" length="917" tos="0x08" prec="0x60" ttl="63" srcport="12654" dstport="10002" tcpflags="ACK PSH"

    That's not the dropped packet from above at 14:50:49.

    I'll guess that you're only using Network Protection and don't plan to use Web Protection, so you should have no problems!

    Cheers - Bob
  • I know it wasn't a dropped packet! I was actually about to edit the post one last time but got pulled away from my desk.

     

    So actually, speaking of web protection, I did enable the application control and now I'm monitoring the flow. We had a pretty open policy with our network (against my judgement). I explained that even though we have 1 Gbps, when we have, let's say, 5 active users scrolling through Facebook, which automatically loads videos as you scroll, we were seeing spikes of 400 Mbps, which is more than enough to briefly degrade services in and out.