SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Tftp traffic for IPphone

  • 1.  Tftp traffic for IPphone

    Posted 03-21-2019 01:33

    Hi,

    I have a problem with TFTP traffic passing through the firewall.

    SIP server ---------------- FW ----------------- IP phone

    My IP phone is assigned an IP address by the firewall. The first step is that the IP phone must download firmware from the SIP server. All traffic is NATed (source NAT with proxy ARP and address persistence enabled). It seems the IP phone can't download the firmware via TFTP. I captured the packets; the output is below.

    [Capture1.PNG: packet capture screenshot]

    Please advise.



  • 2.  RE: Tftp traffic for IPphone

    Posted 03-21-2019 03:01

    Looks like the ICMP traffic is what is blocked, while the TFTP seems to be working. Do you have ping allowed in the policy that permits the TFTP traffic?



  • 3.  RE: Tftp traffic for IPphone

    Posted 03-24-2019 22:23
    Steve, thank you for your answer.

    I didn't allow ICMP within the TFTP policy, but I have a default allow-all policy that is applied last. Should I add it within the TFTP policy?


  • 4.  RE: Tftp traffic for IPphone

    Posted 03-25-2019 02:27

    From the view, it looks like the ICMP needs to be permitted in the opposite direction to the TFTP download. The policy would be from the server to the client; in this case that is not working.



  • 5.  RE: Tftp traffic for IPphone

    Posted 03-24-2019 23:53

    I believe these ICMP messages are not replies to an ICMP request, but rather the server informing that the port is not available; the most likely reason is that the server is busy. Can you share the complete pcap?



  • 6.  RE: Tftp traffic for IPphone

    Posted 03-25-2019 20:24

    The complete PCAP file is at the link below (I can't attach the file).

    https://drive.google.com/file/d/1rKgJo0P1MVRw9g4onExtMtP4ttrkVpUn/view?usp=sharing

    You can filter for TFTP only. And I have already allowed a policy from the server to the client. There is no hit count.



  • 7.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:02

    Updated

    I moved the IP phone so that no NAT is performed. It works normally.

    Any ideas?



  • 8.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:45

    Can you collect "show security flow session source-prefix <IP phone IP> destination-prefix <server IP>" in both scenarios?



  • 9.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:55

    Output is below.

    root# ...ion source-prefix 192.168.20.70 destination-prefix 10.105.62.53
    Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
    Resource information : TFTP ALG, 9, 0
    In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
    Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

    Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
    Resource information : TFTP ALG, 11, 0
    In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
    Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
    Total sessions: 2


    root# ...ion source-prefix 10.105.62.53 destination-prefix 192.168.20.70
    Total sessions: 0
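    As an added example that is not part of the thread: a short Python script that parses the "show security flow session" output above and flags sessions whose reply wing (Out) never carried a packet. That is the check the two outputs invite, since both TFTP sessions show the request leaving on ge-0/0/1.0 and nothing coming back to the translated address 172.19.0.196, and the reverse lookup from the server finds no session at all. The sample text is constructed from the output posted above; the regexes match the session, "Resource information" and In/Out line shapes shown there and nothing else (TFTP replies come from a new server source port per RFC 1350, which is why the TFTP ALG is attached to these sessions).

```python
"""Flag one-way Junos flow sessions from 'show security flow session' text.

Added example, not from the thread. SAMPLE is constructed from the output
posted above; parsing assumes the line shapes seen there.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
Resource information : TFTP ALG, 9, 0
In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
Resource information : TFTP ALG, 11, 0
In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
RESOURCE_RE = re.compile(r"^Resource information : (.+?), (\d+), (\d+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*?If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    direction: str   # "In" (client side) or "Out" (server side, post-NAT)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    interface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    state: str
    alg: Optional[str] = None
    wings: Dict[str, Wing] = field(default_factory=dict)


def parse_sessions(text: str) -> List[Session]:
    """Parse the CLI output into Session objects; unknown lines are ignored."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            cur = Session(int(m[1]), m[2], int(m[3]), m[4])
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = RESOURCE_RE.match(line)
        if m:
            cur.alg = m[1]          # e.g. "TFTP ALG"
            continue
        m = WING_RE.match(line)
        if m:
            cur.wings[m[1]] = Wing(m[1], m[2], int(m[3]), m[4], int(m[5]),
                                   m[6], m[7], int(m[8]), int(m[9]))
    return sessions


def one_way_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions where the client sent packets but nothing ever came back.

    With source NAT the Out wing's destination is the translated address, so a
    zero here means the reply was dropped, routed elsewhere, or sent to a NAT
    address the SRX is not mapping back."""
    return [s for s in sessions
            if "In" in s.wings and "Out" in s.wings
            and s.wings["In"].pkts > 0 and s.wings["Out"].pkts == 0]


def describe(s: Session) -> str:
    """One-line summary, noting the source NAT translation when present."""
    i, o = s.wings["In"], s.wings["Out"]
    nat = "" if i.src == o.dst else f" (source NAT {i.src} -> {o.dst})"
    alg = f", {s.alg}" if s.alg else ""
    return (f"session {s.session_id} policy {s.policy}: "
            f"{i.src}:{i.sport} -> {i.dst}:{i.dport}/{i.proto} sent {i.pkts} pkt(s), "
            f"reply wing to {o.dst}:{o.dport} got {o.pkts}{nat}{alg}")


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        print(describe(s))
```

    Paste the real output in place of SAMPLE (or pipe it in) and any session listed is one whose reply never traversed the box; compare against the reverse lookup from the server, which on this page returned "Total sessions: 0".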




  • 10.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 00:59

    What is the TFTP ALG status? Is it disabled? If so, enable it and check:

    show security alg status



  • 11.  RE: Tftp traffic for IPphone

    Posted 03-26-2019 01:09

    I believe this is with NAT; do you have the same for without NAT?


  • 12.  RE: Tftp traffic for IPphone
    Best Answer

    Posted 03-26-2019 03:04

    It looks like you are doing source NAT on the IP phone, is that correct?

    This would be why the reverse ICMP traffic does not work. The server is trying to ping the NAT address, and it would need a destination or static NAT rule in place for that to work.

    Is that source NAT required?



  • 13.  RE: Tftp traffic for IPphone

    Posted 03-27-2019 06:38

    Hi Spuluka,

    You're correct. I configured source NAT (pool) at first. It still didn't work. Then I configured source NAT (1:1 mapping) with destination NAT instead of the old way. The problem is gone!

    But now, TFTP is done but the IP phone still can't make a call. I think the root cause is NAT. Could you suggest what type of NAT is recommended for an IP phone? Source NAT or static NAT?



  • 14.  RE: Tftp traffic for IPphone

    Posted 03-27-2019 06:47
    I believe port randomization is causing the issue. It is enabled by default in source NAT and disabled in static NAT. You can verify this by disabling source NAT port randomization.



  • 15.  RE: Tftp traffic for IPphone

    Posted 03-27-2019 14:48

    Progress at least.

    Make sure your policy to allow the connection uses the specific application that matches your PBX system and not just the "any" application.

    Then make sure the matching ALG for the PBX application is turned on for the SRX.

    This will allow the ALG to permit the random high ports for the call streams so that the calls work.

    The alternative is to find the protocol (usually UDP), direction and port ranges used by the calling protocol and set up policies that allow those streams.
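    As an added example that is not the thread's configuration, pulling together the "Best Answer" (the server needs a NAT mapping back to the phone), the 1:1 mapping that fixed TFTP, the port-randomization test, and the advice to match specific applications with their ALGs on: a Junos set-style fragment that gives the phone a static 1:1 NAT mapping (which is bidirectional, so it covers both the outbound source translation and the inbound destination translation in one rule) and policies matched on the predefined junos-tftp, junos-sip and junos-icmp-ping applications. Addresses are taken from the session output above (phone 192.168.20.70, translated address 172.19.0.196, server 10.105.62.53, inside interface ge-0/0/1.0, outside interface ge-0/0/0.0); the zone names trust/untrust and the address-book, rule-set and policy names are assumptions.

```junos
## Added example, not the original poster's config. Zone names and object
## names are assumptions; addresses are from the session output above.

# Address-book objects used by the policies below.
set security address-book global address phone-70 192.168.20.70/32
set security address-book global address sip-server 10.105.62.53/32

# 1:1 static NAT for the phone, matched on its outside address. Static NAT is
# bidirectional: inbound traffic to 172.19.0.196 is delivered to the phone and
# the phone's outbound traffic leaves as 172.19.0.196, with no port
# translation, so a separate source-NAT pool rule and destination-NAT rule
# are not needed for this host.
set security nat static rule-set phones from zone untrust
set security nat static rule-set phones rule phone-70 match destination-address 172.19.0.196/32
set security nat static rule-set phones rule phone-70 then static-nat prefix 192.168.20.70/32

# The SRX must answer ARP for the translated address on the outside interface.
set security nat proxy-arp interface ge-0/0/0.0 address 172.19.0.196/32

# Only if a source-NAT pool is kept for other hosts: this is the test suggested
# above (source NAT randomizes the translated port by default).
# set security nat source port-randomization disable

# Outbound policy matched on the specific applications, not "any", so the
# TFTP and SIP ALGs attach to the session and open the data/media pinholes.
set security policies from-zone trust to-zone untrust policy phone-out match source-address phone-70
set security policies from-zone trust to-zone untrust policy phone-out match destination-address sip-server
set security policies from-zone trust to-zone untrust policy phone-out match application [ junos-tftp junos-sip ]
set security policies from-zone trust to-zone untrust policy phone-out then permit

# Inbound policy for the server pinging or calling the phone. Policy lookup
# happens after static NAT, so the destination is the phone's real address.
set security policies from-zone untrust to-zone trust policy phone-in match source-address sip-server
set security policies from-zone untrust to-zone trust policy phone-in match destination-address phone-70
set security policies from-zone untrust to-zone trust policy phone-in match application [ junos-icmp-ping junos-sip ]
set security policies from-zone untrust to-zone trust policy phone-in then permit

# The ALGs are on by default; if "show security alg status" reports them
# disabled, remove the disable knob rather than adding one.
# delete security alg tftp disable
# delete security alg sip disable
```

    After committing, repeat the check from earlier in the thread in both directions ("show security flow session source-prefix 192.168.20.70 destination-prefix 10.105.62.53" and the reverse); with the static rule in place the reverse lookup should show a session for the server's ping, and the Out wing of the TFTP session should carry packets.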