07-14-2017 11:50 AM
we are using a couple of SRX240 to route between sites and on each site we have some SIP applications running.
With the SIP ALG enabled we were noticing that packets were being dropped.
So after some googling I came to the conclusion to disable the SIP ALG entirely.
After this, these call flows were successful.
The only problem then, was that SIP "OPTIONS" were being dropped by the SRX and was not being routed further to its destination. I verfied this by doign some traceoptions on the SRXs.
Basicly I don't want the SRX to do anything with SIP, it just need to route the packet to it's destination.
For now, I workaround to get SIP OPTIONS working again, was to enable SIP ALG globally, and disable it per policy based on the source and destination IPs of the SIP call flows.
But we are still noticing some packet drops. and some SIP ALG errors in the messages log file.
My question is if there is any way while disabling SIP ALG globally will still keep SIP OPTIONS working?
Is this a bug in the software perhaps. I could not find anything in the release notes.
On one side we have a srx with 12.1X46-D15.3 and the other side with 12.3X48-D35.7.
Any help would be greatly appreciated.
07-15-2017 05:16 AM
Are you using STUN (client/server)? Consider user persistent NAT.
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
07-15-2017 11:02 PM
I would recommend you run sip traces and see if there is any specific errors reported ,
set security alg sip traceoptions flag all
set security traceoptions file SIP-traces
set security traceoptions file size 7m
set security traceoptions file files 2
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
09-13-2017 01:44 PM
- I would like to provide you details about how the SIP ALG work in the SRX:
Functions of the ALG:
1- Open pinhole for sip signal pinhole and media pinhole
2- SIP NAT with IP address conservation. Performs SIP and RTP aware IP Network Address translation.
3- SIP Message order checking
4- Configurable Header line length maximums
5- Message Flood Protection
6- SIP statistics and logging
7- Deep SIP message syntax checking (also called deep SIP header inspection or SIP fuzzing protection). Prevents attacks that use malformed SIP messages. Can check many SIP headers and SDP statements. Configurable bypass and modification options.
8- SIP per request method message rate limitation with configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks.
9- IP topology hiding
- Information how the SIP options message works:
AS it is explain in RFC3261 (https://www.ietf.org/rfc/rfc3261.txt ):
The SIP method OPTIONS allows a UA to query another UA or a proxy server as to its capabilities. This allows a client to discover information about the supported methods, content types, extensions, codecs, etc. without "ringing" the other party.
OPTIONS sip:email@example.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKhjhs8ass877
From: Alice <sip:firstname.lastname@example.org>;tag=1928301774
CSeq: 63104 OPTIONS
This means that some “OPTIONS” will need the SIP ALG to NAT the signal packet or open the pinhole to go through the policies otherwise the packet will be dropped.
Please be aware also that SIP ALG has a message flood protection, so it dropped packets that consider floods or attacks(malformed packet or packet out of the SIP RFC standard ), reason why the statistics will increment but it does not mean that it is an error in the SRX.