I need help with a VoIP/IPS problem

From what I have seen looking through as much of this groups as possible I probably don't need to add this disclaimer, but I will anyhow.  Please be gentle, I'm new. ;)

I am in the process of installing/testing a brand new XG 135 running the most current firmware (16.05.8 MR-8).

Most things I have been able to figure out and appear to be working correctly, but there are a few issues that are still causing issues.

Our office is running a VoIP system that is cloud-based with no physical phones, everything runs through softphones.

We seem to have no problems making outbound or inbound calls, but when we transfer a call from one user to another, the call doesn't hand off correctly.  The user is notified of the transfer, but cannot answer the call and it eventually drops to voice mail.

The only thing that I am seeing in the log files for the XG is this entry in the IPS log (which is why I put this question here):

Any ideas on what I can do to solve this problem?

  • Hi Kurt,

    you already got it ;)

    those Asterisk Loglines look as they could cause your problem.

    to verify you could disable IPS for that outbound Rule.

    after setting IPS to None for this rule please check your IPS and Firewall Log while testing your voice application.

    if this is the solution you can either correct your current IPS Policy by removing the Block for the Signature seen in Log or by building a new outbound FW Rule above your current with ips disabled and your Voip Provider specified as destination.

     

    Yours Lukas

  • In reply to lna:

    Turning off IPS seems to have corrected the problem.  I am currently using one of the default policies.  Is there an easy way to change the functionality/remove the block from just that one signature without it impacting all the other signatures in the policy?  A simple walkthrough or video would be helpful, but I have not found one of those yet.

    Edit:  I think I may have figured it out by looking at the built-in LAN TO WAN policy.  Do the rules work from the top down?  If I add a rule that contains just the signature that I wish to override and set the action to "allow packet", will that override the larger rule that has the same signature set to the recommended "drop packet" setting?

  • In reply to Kurt Bimler:

    Hi Kurt,

    you are right, just change the Build-in Rule (or clone and rename that everyone sees at a glance that you are working with a custom policy).

    the "more Secure but more to do" way is to clone the Policy with a allow that signature and than create a more specific Firewall Policy on top of your existing (first match) which allows traffic from your softphones to the Sip Provider using that new policy while every other device and destination uses the default policy.

    Kurt Bimler

    I think I may have figured it out by looking at the built-in LAN TO WAN policy.  Do the rules work from the top down?  If I add a rule that contains just the signature that I wish to override and set the action to "allow packet", will that override the larger rule that has the same signature set to the recommended "drop packet" setting?

     

  • In reply to lna:

    Thanks for all the help, Lukas.  I think this problem has been resolved, now to figure out a solution to the next issue...