SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
OnionSeller
Contributor
OnionSeller
Posts: 17
Registered: ‎12-01-2011
0

Servers do not reply

Options

‎02-29-2012 02:22 AM

We are testing Juniper SRX 210 on our live network. We intend to replace Cisco 2811 with SRX. Also we are using Siemens IP phones. After replacing Cisco with Juniper, phones are not available to obtain IP address from DHCP. When they are configured manually, phones cannot reach SIP Proxy server. Traces show that requests are reaching server, but server doesn’t send the replays. We see DHCP UDP requests, and SIP TCP SYN request, but no response from server.

 

When we put Cisco back everything works normal.

 

Can anybody advise us how to troubleshoot this problem?

Message 1 of 9 (475 Views)
 
Reply
Trusted Contributor
mwdmeyer
Posts: 110
Registered: ‎03-11-2008
0

Re: Servers do not reply

Options

‎02-29-2012 03:26 AM

Are you using NAT or not? Post your config!

Message 2 of 9 (467 Views)
 
Reply
OnionSeller
Contributor
OnionSeller
Posts: 17
Registered: ‎12-01-2011
0

Re: Servers do not reply

Options

‎02-29-2012 05:43 AM

I have attached my conf file. Im using NAT, but SIP proxy is in loal notwork so address is not natted.

 

 

 

|Phone|----ge.0.0.20 ----| SRX |------|Cisco1841|----ge.0.0.35----|SIP PROXY| 

 

 

 

Phones are connected to ge.0.0.20 interface, and SIP Proxy is connected to Cisco router over ge.0.0.35 interface.

 

Both interfaces are in trusted security zone with permit all policy.

 

ALG is disabled. Again, when I return Cisco 2811 insted of SRX everything works fine.

 

If you need any additional information, please ask me.

 

Thank you in advance!

Onion Seller

Attachment srx210_config.txt ‏22 KB
Message 3 of 9 (452 Views)
 
Reply
Recognized Expert
Recognized Expert
mhariry
Posts: 256
Registered: ‎06-01-2011
0

Re: Servers do not reply

Options

‎02-29-2012 08:22 AM

Hi,

 

For troubleshooting you could try below steps one by one

 

1- do ping from the SRX to SIP server.

2- connect one PC and put it in VLAN 20 and give static IP from Voice subnet and try to ping SIP server.

3- try to configure DHCP locally on the SRX as following and testing ip phone again

 

            pool 192.168.30.0/24 {
                address-range low 192.168.30.11 high 192.168.30.254;
                router {
                    192.168.30.1;
                }
                boot-server x.x.x.x;  -----> your call manager
                sip-server {
                    address {
                        y.y.y.y;  ---------> SIP server IP

 

Regards,

 

Mohamed Elhariry

 

JNCIE-M/T # 1059, CCNP & CCIP

 

----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!

Message 4 of 9 (435 Views)
 
Reply
OnionSeller
Contributor
OnionSeller
Posts: 17
Registered: ‎12-01-2011
0

Re: Servers do not reply

Options

‎03-01-2012 02:11 AM

 

Thank you for your fast reply Mohamed!

 

I have already tried that. Ping from PC to SIP server works fine, but telnet to the same server using SIP port 5060 fails. I did traffic sniffing on server link and saw that PC is trying to establish TCP session sending SYN segment, but server doesn’t reply back. It looks like its L4 problem, and Juniper is modifying TCP header on some way.

 

Other servers (mail, radius, ftp, snmp, dns etc.) are reachable.

 

Any ideas what could it be?

 

Kind regards!

Message 5 of 9 (420 Views)
 
Reply
OnionSeller
Contributor
OnionSeller
Posts: 17
Registered: ‎12-01-2011
0

Re: Servers do not reply

Options

‎03-06-2012 12:43 AM

When Cisco is in network the SYN segment that SIP server is receiving looks like this:

 

35628  332.745096     192.168.30.101           192.168.112.10           TCP     48125 > sip [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSV=15631 TSER=0 WS=1

 

 

After this, server sends ACK and continues with TCP session.

 

 

 

 

 

And when we replace Cisco with Juniper it looks like this:

 

10304  497.900165     192.168.30.101           192.168.112.10           TCP     48125 > sip [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSV=15623 TSER=0 WS=1

 

Server dont reply on this SYN, and the phone keeps sending this packet.

 

 

Can anybody tell me how to solve this problem?

Message 6 of 9 (387 Views)
 
Reply
OnionSeller
Contributor
OnionSeller
Posts: 17
Registered: ‎12-01-2011
0

Re: Servers do not reply

Options

‎03-14-2012 06:20 AM

Anybody? :smileysad:

Message 7 of 9 (365 Views)
 
Reply
MarcTB
Contributor
MarcTB
Posts: 41
Registered: ‎10-18-2009
0

Re: Servers do not reply

Options

‎03-15-2012 12:27 AM

Can you also attach the config fo the Cisco 1841 when you have put the srx in between ?

 

 


Regards,

Marc

Security Officer
Network / Security Specialist for Scarlet / Belgacom

Message 8 of 9 (345 Views)
 
Reply
OnionSeller
Contributor
OnionSeller
Posts: 17
Registered: ‎12-01-2011
0

Re: Servers do not reply

Options

‎05-08-2012 06:17 AM

After configuring duplex and speed on all trunk interfaces in the network, communication with SIP Proxy server  went fine. Before that, there were no speed or duplex missmatch alerts.

 

I have no idea how is this related with blocking just one destination port, but it works now and we all are happy. Even my boss bought me a brand new apple pie!

 

Thank you!

Message 9 of 9 (310 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.