
SIP trunk cannot always establish a connection

Good day everyone,

I'm afraid I need to give some background so that the situation is clear:

The setup is a UTM9 with firmware 9.506-2, 4x VDSL uplinks (static IPs + load balancing) and 1x Fritzbox with an external SIP trunk.

Specifically, the following happens: a SIP trunk from an external provider is set up on the Fritzbox. The trunk registers correctly, but calls to the SIP trunk are frequently, it seems, blocked by the firewall:

2017:12:01-13:02:33 utm-2 ulogd[7463]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp2" srcip="source" dstip="target" proto="17" length="1101" tos="0x00" prec="0x00" ttl="58" srcport="5060" dstport="5060"

My guess is that the Fritzbox perhaps performs the registration via one of the 4 IP addresses, but is perhaps addressed differently because of the load balancing?

According to the Sophos FAQ, 60001 is a default rule that applies when there is no definition. What is odd, however, is that the error occurs irregularly. That is, a connection is basically established, just not always.

Does anyone have an idea for an approach? E.g. a multipath rule or similar?

Please ask specific questions if more information is needed! Thank you very much



  • Hello Leqtor,

    First of all, a warm welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Try the following as root at the command line:

    cc set packetfilter timeouts ip_conntrack_udp_timeout 150

    Any luck with that?

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson, thanks,

    I have changed that. I also performed a restart.

    Unfortunately, the result remains unchanged:


    02:15:51 Standard-VERWERFEN UDP   source dest  
    len=1100 ttl=57 tos=0x00
    02:16:04 Standard-VERWERFEN UDP   source dest  
    len=1101 ttl=57 tos=0x00
    02:16:04 Standard-VERWERFEN UDP   source dest  
    len=1101 ttl=57 tos=0x00
    02:16:05 Standard-VERWERFEN UDP   source dest  
    len=1101 ttl=57 tos=0x00
    02:16:07 Standard-VERWERFEN UDP   source dest  
    len=1101 ttl=57 tos=0x00
  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.  Also, when obfuscating IPs, please leave enough information so that we can see if the IP is private or public.

    Regards - Bob (Please continue in German.)

     
  • 2017:12:04-16:07:25 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp2" srcip="IP" dstip="IP" proto="17" length="1100" tos="0x00" prec="0x00" ttl="58" srcport="5060" dstport="5060"

    srcIP is the hosted PBX, public static
    destIP is the business line, public static
  • Yes, exactly as in your original post above.  My guess from the beginning was that the connection tracker thought that the connection had been terminated, and I still think that's what's happening.  If that timeout adjustment didn't cure the problem, I suspect the connection to the PBX is having problems.  What do you learn if you do a tcpdump on the External interface?

    Regards - Bob (Please continue in German.)

     
  • BAlfson said:

    What do you learn if you do a tcpdump on the External interface?

    How to run a tcpdump [:$]

    I have to read up on it first and will report back as soon as I have further results to show!

  • tcpdump -n -i any src 46.xxx.yyy.41

    Regards - Bob

     
  • This is, ofc, the proper connect:

    18:46:27.443220 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 1073
    18:46:27.443237 IP 46.xxx.yyy.41.5060 > 192.168.16.9.5060: SIP, length: 1073
    18:46:27.443240 Out 00:1a:8c:f0:d3:e0 ethertype Unknown (0x0010), length 1121:
    18:46:30.696206 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 482

    This is the fault:

    19:02:59.590161 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 1073
    19:03:01.584818 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 1073
    19:03:05.578791 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 1073
    19:03:13.574033 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 1073
    19:03:29.580475 IP 46.xxx.yyy.41.5060 > 87.xxx.yyy.199.5060: SIP, length: 1073

  • Does the firewall log file show any drops between 18:46:26 and 18:46:31?

    If so, then that info and your packet capture above should make a question to ask your VoIP provider.  Please tell us what you learn.

    Cheers - Bob

     
  • There are some drops, but I can't see any relation to this:

    2017:12:04-18:46:27 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.10" outitf="eth0.13" srcmac="00:1b:21:11:ca:03" dstmac="00:1a:8c:f0:d3:e0" srcip="192.168.0.105" dstip="192.168.13.4" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="49557" dstport="161" 
    2017:12:04-18:46:32 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp1" srcip="185.xxx.yyy.13" dstip="87.xxx.yy.200" proto="17" length="67" tos="0x00" prec="0x00" ttl="243" srcport="47332" dstport="53"
    2017:12:04-18:46:37 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0.10" outitf="eth0.13" srcmac="00:1b:21:11:ca:03" dstmac="00:1a:8c:f0:d3:e0" srcip="192.168.0.105" dstip="192.168.13.4" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="49557" dstport="161"
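
Added example, not part of the original thread: one way to check whether the firewall log shows drops inside a packet-capture window, by parsing packetfilter lines in the format posted above and listing dropped UDP/5060 packets from the SIP peer per inbound interface. The function names and the sample lines (documentation-range addresses, constructed interfaces) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the UTM packetfilter format shown in this thread.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
2017:12:04-16:07:25 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp2" srcip="198.51.100.41" dstip="203.0.113.199" proto="17" length="1100" tos="0x00" prec="0x00" ttl="58" srcport="5060" dstport="5060"
2017:12:04-18:46:32 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp1" srcip="192.0.2.13" dstip="203.0.113.200" proto="17" length="67" tos="0x00" prec="0x00" ttl="243" srcport="47332" dstport="53"
2017:12:04-19:03:01 utm-1 ulogd[24808]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp3" srcip="198.51.100.41" dstip="203.0.113.199" proto="17" length="1101" tos="0x00" prec="0x00" ttl="58" srcport="5060" dstport="5060"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"  # timestamp layout used by the UTM log


def parse_line(line):
    """Return the key="value" fields plus a parsed 'time', or None if not a log line."""
    try:
        when = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
    except ValueError:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["time"] = when
    return fields


def sip_drops(log_text, peer_ip, start=None, end=None):
    """Dropped UDP packets to port 5060 from peer_ip, optionally within [start, end]."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec.get("action") != "drop" or rec.get("srcip") != peer_ip:
            continue
        if rec.get("proto") != "17" or rec.get("dstport") != "5060":
            continue
        if (start and rec["time"] < start) or (end and rec["time"] > end):
            continue
        hits.append(rec)
    return hits


def drops_by_interface(records):
    """Count drops per inbound interface (initf), e.g. to compare uplinks."""
    return Counter(rec.get("initf", "?") for rec in records)


if __name__ == "__main__":
    window = (datetime(2017, 12, 4, 19, 2, 59), datetime(2017, 12, 4, 19, 3, 30))
    for rec in sip_drops(SAMPLE_LOG, "198.51.100.41", *window):
        print(rec["time"], rec["initf"], rec["fwrule"], rec["length"])
```
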
  • We need to have a packet capture going when there are blocks in the firewall log.  It's time to get a case open with Sophos Support.

    Cheers - Bob

     
  • What I'm wondering about is:

    I myself have a PBX which registers 3 separate SIP trunks with the same provider and have no issues like that. (Same Sophos rules, but another hosted PBX IP)

    What differs is that the one SIP trunk that registers through the FritzBox is having these problems.

    I never touched the config of the FritzBox until now, because this was handled by the owner himself. I will have a look at the FB settings first, before I start crying over the hills.

    Thanks for now, I'll let you know if I get any further.