VOIP disable SIP ALG and NAT time-out

I am trying to have our VOIP devices fully functional but having trouble with VOIP services.

My VOIP provider tells me to disable SIP ALG (should not manipulate SIP headers) and set a higher NAT time-out.

The VOIP is based on BroadSoft/BroadWorks.

I have created a Group-Services with all these settings but for this moment I have allowed ANY-services and ANY-IP's

Where can I check SIP ALG and NAT time-out in v18 EAP2?

Because Packet Capture is not working in v18 EAP2 I can not use this.

In Logviewer I sometimes see:

log_component="Invalid Traffic" log_subtype="Denied" status="Deny"

fw_rule_id="0" nat_rule_id="0"

Firewallmessageid="01001"

dst_port="443"

out_interface=""   this is strange, a few seconds later it is showing the WAN port2 and action is Allowed

  • Hi Sop,

    The XG really has no further SIP manipulation systems other than unloading the SIP ALG in the console.

    If you are having problems with the phones not pulling settings, make sure you have a firewall rule with no filtering for the appropriate targets.

    The XG will primarily cause issues with SIP quality (if SIP ALG is unloaded) whereas total inability to download or retrieve settings is likely to be firewall rules related.

    Emile

  • I went back on EAP1-Refresh1 and VOIP settings are loading fine.

    With EAP2 I did some TCPDUMP's but could not see any error, if someone at Sophos is interested in TCPDUMP I can send them.

    With EAP1-refresh1 I did not change SIP or NAT time-out, they are on default settings.

     

    These are my Firewall and NAT settings

    The NAT settings are linked and I use different WAN IP (translated source)

  • What exactly are the issues you're facing with VoIP?

    Are you having trouble with phones not being able to make calls or are they not provisioning correctly? That's two VERY different things. The configuration is pulled from the boot server often via HTTP(s)/FTP while SIP and RTP are used when the phone is making calls.

    "system system_modules sip unload" will permanently disable SIP on the XG. It won't automatically re-enable itself.

    Are you applying any IPS/Web Filtering/Application Filtering/SSL&TLS Decryption to this traffic? If so, please check the logs for each and post the settings.

  • Hi Sop,

    Thanks for your feedback, I will send you a PM for more details.