VOIP disable SIP ALG and NAT time-out

Sop Hos3 over 4 years ago

I am trying to have our VOIP devices fully functional but having trouble with VOIP services.

My VOIP provider tells me to disable SIP ALG (should not manipulate SIP headers) and set higer NAT time-out

The VOIP is based on BroadSoft/BroadWorks.

I have created a Group-Services with all these settings but for this moment I have allowed ANY-services and ANY-IP's

Where can I check SIP ALG en NAT time-out in v18 EAP2?

Because Packet Capture is not working in v18 EAP2 I can not use this.

In Logviewer I sometimes see:

log_component="Invalid Traffic" log_subtype="Denied" status="Deny"

fw_rule_id="0" nat_rule_id="0"

Firewallmessageid="01001"

dst_port="443"

out_interface="" this is strange, few seconds later it is showing the WAN port2 en action is Allowed

Parents

0 ReBorn over 4 years ago

Looks like the commands are still the same in v18

https://community.sophos.com/kb/en-us/123523

https://community.sophos.com/kb/en-us/127785

https://community.sophos.com/kb/en-us/131754
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sop Hos3 over 4 years ago in reply to ReBorn

Sorry, your commands did not work.

The VOIP phone did still not get all settings.

If there is no other solution I will get back to EAP1 and hope also Packet Capture is working again.

For disabling SIP is there also a permanent solution?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Emile Belcourt over 4 years ago in reply to Sop Hos3

Hi Sop,

The XG has no really further SIP manipulation systems than unloading the SIP ALG in the console.

If you are having problems with the phones not pulling settings, make sure you have a firewall rule with no filtering for the appropriate targets.

The XG will primarily cause issues with SIP quality (if SIP ALG is unloaded) whereas total inability to download or retrieve settings is likely to be firewall rules related.

Emile
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sop Hos3 over 4 years ago in reply to Emile Belcourt

I went back on EAP1-Refresh1 and VOIP settings are loading fine.

With EAP2 I did some TCPDUMP's but could not see any error, if someone at Sophos is interested in TCPDUMP I can send them.

With EAP1-refresh1 I did not change SIP or NAT time-out, they are on default settings.

These are my Firewall and NAT settings

The NAT settings are linked and I use different WAN IP (translated source)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Bjoern Freiherr over 4 years ago in reply to Sop Hos3

What exactly are the issues you're facing with VoIP?

Are you having trouble with phones not being able to make calls or are they not provisioning correctly? That's two VERY different things. The configuration is pulled from the boot server often via HTTP(s)/FTP while SIP and RTP are used when the phone is making calls.

"system system_modules sip unload" will permanently disable SIP on the XG. I won't automatically re-enable itself.

Are you applying any IPS/Web Filtering/Application Filtering/SSL&TLS Decryption to this traffic? If so, please check the logs for each and post the settings.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Bjoern Freiherr over 4 years ago in reply to Sop Hos3

What exactly are the issues you're facing with VoIP?

Are you having trouble with phones not being able to make calls or are they not provisioning correctly? That's two VERY different things. The configuration is pulled from the boot server often via HTTP(s)/FTP while SIP and RTP are used when the phone is making calls.

"system system_modules sip unload" will permanently disable SIP on the XG. I won't automatically re-enable itself.

Are you applying any IPS/Web Filtering/Application Filtering/SSL&TLS Decryption to this traffic? If so, please check the logs for each and post the settings.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data