SRX Services Gateway

SRX and cisco SIP phones

‎07-14-2012 05:47 AM

Hi all!

We have 1 CUCM 8.6 on the Internet with a public IP and ~60 Cisco SIP phones behind an SRX (trusted network - LAN).

So, when I try to call from a phone (in the LAN) to somewhere, the SIP call disconnects after 7-10 seconds. When I call from the Internet to the Cisco phones behind NAT, all is fine.

In CUCM I changed the SIP profiles and SIP security profiles to use SIP UDP only. When I try to call from the LAN using a SIP softphone, everything is OK.

Please help me with this issue.

18 REPLIES

Re: SRX and cisco SIP phones

‎07-14-2012 06:05 AM

Hi,

The first thing you could try is to disable the SIP ALG on the SRX:

user@srx# set security alg sip disable

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: SRX and cisco SIP phones

‎07-14-2012 06:14 AM

And what about SIP / RTP traffic? Without the SIP ALG nothing works.

In any case it does not work. I tested.

Re: SRX and cisco SIP phones

‎07-14-2012 10:14 PM

After disabling the ALG, did you allow any traffic ...

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional


Re: SRX and cisco SIP phones

‎07-15-2012 08:54 AM

After disabling the ALG, all SIP phones register on CUCM with local IP addresses (192.168...), but CUCM has a public IP in another location. It doesn't work. I tested.

Re: SRX and cisco SIP phones

‎07-16-2012 02:00 PM

When people suggest disabling ALGs to "fix" a problem I sometimes wonder if they understand the purpose of ALGs, or firewalls for that matter...

At any rate, what does your NAT configuration look like and what version of Junos are you running?

Re: SRX and cisco SIP phones

‎07-19-2012 01:24 PM

My configuration:

SIP phones -------LAN------|SRX (NAT)|------- WAN------- CUCM.

The LAN has local addresses (such as 192.168....).

So, when I try to disable the ALG on the SRX, all SIP phones register on CUCM with a local IP. With the ALG enabled, registering is fine. But outgoing calls disconnect after 5-15 seconds.

Re: SRX and cisco SIP phones

‎07-24-2012 11:43 AM

What type of NAT are you using?

Interface NAT, source NAT with a pool?

Perhaps you could post a copy of your config for us to take a look at?

Re: SRX and cisco SIP phones

‎07-27-2012 02:39 AM

I agree with mkelly_uwyo, the SIP ALG has been developed and is there for a reason. However, my experience is the same as most others': it just does not work. We've been running Cisco ASAs previously and they are a dream in that perspective, everything wrt SIP and NAT just works.

Both with Cisco/Linksys SIP phones and other vendors of hard- and softphones. I have tested every Junos version from 9.5 and onwards and they are all broken wrt SIP.

Cisco have had this working flawlessly in every ASA version from 8.0 and onwards, it's just a matter of making sure inspect sip is in the configuration.


Re: SRX and cisco SIP phones

‎07-27-2012 05:25 AM

What is the Junos version that you are running?

Re: SRX and cisco SIP phones

‎07-27-2012 05:32 AM

I'm currently running 10.2R4.8 (on J2320 units where memory is too low for anything newer), 10.4R10.7 (on the units where stability is top priority), 11.2R7.4 and 11.4R3.7 on less critical units.

Re: SRX and cisco SIP phones

‎07-27-2012 05:37 AM

I would suggest configuring flow trace and ALG traceoptions along with PCAP before the firewall and after the firewall.

This will be relevant data from which you might be able to figure out the behaviour on the SRX while the packets traverse it.
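
An added example, not part of any post in this thread: a Python check for a SIP message taken from a WAN-side capture that reports RFC 1918 addresses left in the fields the far end routes on, which is the symptom reported above when the ALG is disabled. The sample REGISTER, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a REGISTER as seen on the WAN side when the SIP payload
# was not rewritten. All addresses and identifiers are made up.
WAN_REGISTER = (
    "REGISTER sip:198.51.100.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK74bf9\r\n"
    "From: <sip:1001@198.51.100.10>;tag=a1b2\r\n"
    "To: <sip:1001@198.51.100.10>\r\n"
    "Call-ID: constructed-id@192.168.1.50\r\n"
    "CSeq: 101 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060;transport=udp>\r\n"
    "Content-Length: 0\r\n\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Fields whose addresses the far end uses to send signalling or media back.
ROUTING_HEADERS = {"via", "v", "contact", "m", "record-route", "route"}
SDP_LINES = ("c=", "o=")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _scan(field, text):
    """Return (field, address) pairs for RFC 1918 addresses found in text."""
    hits = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is invalid
            continue
        if any(addr in net for net in RFC1918):
            hits.append((field, candidate))
    return hits


def private_addresses(sip_message):
    """List RFC 1918 addresses left in routing headers and SDP c=/o= lines."""
    head, _, body = sip_message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ROUTING_HEADERS:
            findings += _scan(name.strip(), value)
    for line in body.splitlines():  # SDP body, present on INVITE / 200 OK
        if line.startswith(SDP_LINES):
            findings += _scan(line[:2], line[2:])
    return findings
```

An empty result for a message captured after the firewall means the payload addresses were rewritten to match the NAT; the Call-ID is deliberately ignored because it is an opaque identifier, not a routing target.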

Re: SRX and cisco SIP phones

‎07-27-2012 06:00 AM

That's been done a number of times, and I've shared those results with my sales representative and his team in the hope that it would lead somewhere. I've also opened cases with JTAC in the past in the hope that it would be useful in trying to make this actually work.

Our scenario is a rather common one, SIP phones being PAT:ed out an SRX firewall communicating with a hosted SIP PBX provider. As mentioned this works like a charm on ASA, application layer data is rewritten by the SIP ALG and reflecting the PAT:ing done in lower layers, one single line of config takes care of everything. I'm generally not a fan of those "bird's eye view" comparisons but in this case I feel it somehow justified.

The issue with the Junos SIP ALG is that it's so far from working; random results, often different issues, specific issues change from release to release. If it would have been the case that things _almost_ worked and I got consistent results, but a specific scenario did not, it would probably be worth my while to make sure it's reproducible, but it's so far from working that it would be very obvious to anyone testing it that there are probably a multitude of issues that would need attention. I have provided my reseller with hardware and SIP accounts for testing this out and they have confirmed they are seeing issues as well. Unfortunately it seems to be hard for them to get attention to the matter.

Lots of frustration here, sorry about that, but after spending a lot of time trying to troubleshoot this in the past in the hope that something might have turned out for the better at random with every new release, and things still being so far from working, it feels kind of hopeless as you can probably understand.

Re: SRX and cisco SIP phones

‎07-27-2012 06:01 AM

And oh, SIP ALG trace seems to be broken btw, I've never been able to get a single line out of it.

Re: SRX and cisco SIP phones

‎07-27-2012 08:12 AM

While configuring the ALG you might not have configured the security traceoptions; it is a must to configure the security traceoptions along with the security ALG traceoptions.

Please escalate this issue to TAC level, I am sure that it will be taken care of asap.

Re: SRX and cisco SIP phones

‎12-17-2013 11:21 PM

Hello,

What are the logs showing you on the SIP ALG?

Regards,

Luis Sandi

Re: SRX and cisco SIP phones

‎12-23-2013 02:12 AM

I had a similar issue with SNOM IP phones registered to a SIP server. Phone calls were timing out after a while. As a workaround I made an application object covering the UDP ports involved in the SIP registration as well as calls. In this object I specified a UDP session timeout of 300 seconds.

I then referred to this application object in my policy and everything worked great.

You might try this.

Re: SRX and cisco SIP phones

‎04-09-2015 01:45 PM

Thanks for this thread.

I put in 4 Cisco phones running SIP in a branch office with an SRX210.

The phones were pulling IP addresses and they were passing DHCP and traffic for the connected computers. But the phones kept showing the "Phone is registering" message without actually registering. I looked at flow traffic and trace-options, but that was not helpful.

Once I deactivated the ALG for SIP, they came up immediately.

Regards,

Chris White

Re: SRX and cisco SIP phones

‎04-09-2015 01:50 PM

ALG for SIP is "retarded"; 99% of the time you can disable it (aka you need to disable it like always).

Marc


