SRX Services Gateway

Tftp traffic for IPphone

‎03-21-2019 01:33 AM

Hi 

I have a problem with TFTP traffic passing through the firewall.

 

SIP server ---------------- FW ----------------- IPphone

 

My IP phone is assigned an IP address from the firewall. The first step is that the IP phone must download firmware from the SIP server. All traffic is NATed (source NAT with proxy ARP, and address persistence is enabled). It seems like the IP phone can't download the firmware via TFTP. I captured packets; the output is below.

 

Capture1.PNG

 

Please suggest me. 

 

 


Re: Tftp traffic for IPphone

‎03-21-2019 03:00 AM

Looks like the icmp traffic is what is blocked while the tftp seems to be working.  Do you have ping allowed in the policy that permits the tftp traffic?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Tftp traffic for IPphone

‎03-24-2019 10:23 PM
Steve, thank you for your answer.

I didn't allow ICMP within the TFTP policy, but I have a default policy that allows all, applied last. Should I apply it within the TFTP policy?

Re: Tftp traffic for IPphone

‎03-24-2019 11:53 PM

I believe these ICMP messages are not a reply to an ICMP request, but rather the server informing that the port is not available; the most likely reason is that the server is busy. Can you share the complete pcap?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Tftp traffic for IPphone

‎03-25-2019 02:27 AM

From the view it looks like the icmp needs to be permitted in the opposite direction as the tftp download.  The policy would be from the server to the client in this case that is not working.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Tftp traffic for IPphone

‎03-25-2019 08:23 PM

Complete PCAP file is in link below (I can't attach file).

https://drive.google.com/file/d/1rKgJo0P1MVRw9g4onExtMtP4ttrkVpUn/view?usp=sharing

 

You can filter for TFTP only. And I have already allowed a policy from server to client. There's no hit count.


Re: Tftp traffic for IPphone

‎03-26-2019 12:02 AM

Updated

I moved the IP phone so that no NAT is performed. It's working normally.

Any ideas?


Re: Tftp traffic for IPphone

‎03-26-2019 12:45 AM

Can you collect "show security flow session source-prefix <iphone ip> destination-prefix <server IP>" in both scenarios?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Tftp traffic for IPphone

‎03-26-2019 12:55 AM

Output is below.

 

root# ...ion source-prefix 192.168.20.70 destination-prefix 10.105.62.53
Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
Resource information : TFTP ALG, 9, 0
In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
Resource information : TFTP ALG, 11, 0
In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 2

 

 

root# ...ion source-prefix 10.105.62.53 destination-prefix 192.168.20.70
Total sessions: 0
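The two session tables above carry the whole diagnosis: both TFTP sessions have an In wing with packets and an Out wing with none, and the Out wing is addressed to the translated source (172.19.0.196 with a new port), not to the phone. As an added example (not from this thread, and not Juniper code), here is a small Python parser for `show security flow session` text that extracts the two wings of each session, flags sessions whose return wing has carried zero packets, and reports where the firewall translated the source address and port. The sample input is a constructed copy of the output posted above; the regular expressions assume exactly the field layout visible in that output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a copy of the two sessions posted in the thread.
SAMPLE_OUTPUT = """\
Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
Resource information : TFTP ALG, 9, 0
In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
Resource information : TFTP ALG, 11, 0
In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

# Field layout assumed from the posted output (an assumption, not a Junos spec).
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
RESOURCE_RE = re.compile(r"^Resource information : (.+?), (\d+), (\d+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), Conn Tag: (\S+), "
    r"If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)
TOTAL_RE = re.compile(r"^Total sessions: (\d+)")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    resource: str = ""
    wings: Dict[str, Wing] = field(default_factory=dict)


def parse_flow_sessions(text: str) -> Tuple[List[Session], Optional[int]]:
    """Parse the CLI text into Session objects plus the device's own total."""
    sessions: List[Session] = []
    total: Optional[int] = None
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            cur = Session(int(m[1]), m[2], int(m[3]), m[4])
            sessions.append(cur)
        elif (m := RESOURCE_RE.match(line)) and cur is not None:
            cur.resource = m[1]
        elif (m := WING_RE.match(line)) and cur is not None:
            cur.wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6],
                                   m[8], int(m[9]), int(m[10]))
        elif m := TOTAL_RE.match(line):
            total = int(m[1])
    return sessions, total


def diagnose(sess: Session) -> List[str]:
    """Explain what a session's two wings say about the NATed flow."""
    findings: List[str] = []
    inw, outw = sess.wings.get("In"), sess.wings.get("Out")
    if inw is None or outw is None:
        return ["incomplete session: missing In or Out wing"]
    # The Out wing is the reverse direction: the server replies to the
    # translated source, so Out.dst/Out.dport are what the server sees.
    if outw.dst != inw.src:
        findings.append(f"source NAT: {inw.src} appears to the server as {outw.dst}")
    if outw.dport != inw.sport:
        findings.append(f"source port translated {inw.sport} -> {outw.dport}")
    if inw.pkts > 0 and outw.pkts == 0:
        findings.append(f"one-way: client packets left via {inw.ifname}, "
                        f"no reply seen on {outw.ifname}")
    if sess.resource:
        findings.append(f"handled by {sess.resource}")
    return findings


def report(text: str) -> Dict[int, List[str]]:
    """Diagnose every session; refuse output whose total disagrees with the rows parsed."""
    sessions, total = parse_flow_sessions(text)
    if total is not None and total != len(sessions):
        raise ValueError(f"parsed {len(sessions)} sessions but device reports {total}")
    return {s.sid: diagnose(s) for s in sessions}


if __name__ == "__main__":
    for sid, findings in report(SAMPLE_OUTPUT).items():
        print(f"session {sid}:")
        for item in findings:
            print("  -", item)
```

Run against the posted output it reports, for each session, the source NAT to 172.19.0.196, the translated source port (1024 -> 3179 and 1025 -> 23837), the zero-packet return wing, and that the TFTP ALG owns the session. A healthy, un-NATed two-way session produces no findings, which is the condition the later "without NAT" test in the thread observed.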

 


Re: Tftp traffic for IPphone

‎03-26-2019 12:59 AM

What is the TFTP ALG status? Is it in the disabled state? If yes, enable it and check:

show security alg status

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Tftp traffic for IPphone

‎03-26-2019 01:08 AM
I believe this is with NAT; do you have the same for without NAT?
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Solution
Accepted by topic author Halo
‎03-27-2019 06:32 AM

Re: Tftp traffic for IPphone

‎03-26-2019 03:03 AM

It looks like you are doing source NAT on the IP phone, is that correct?

 

This would be why the reverse ICMP traffic does not work. The server is trying to ping the NAT address, and it would need a destination or static NAT rule in place for that to work.

 

Is that source NAT required?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Tftp traffic for IPphone

‎03-27-2019 06:38 AM

Hi Spuluka,

You're correct. I configured source NAT (pool) at first. It's still not working. Then I configured source NAT (1:1 mapping) with destination NAT instead of the old way. The problem is gone!

 

But now TFTP is done, but the IP phone still can't make a call. I think the root cause is NAT. Could you suggest what type of NAT is recommended for an IP phone? Source NAT or static NAT?

 


Re: Tftp traffic for IPphone

‎03-27-2019 06:47 AM
I believe port randomization is causing the issue. It is enabled by default in source NAT and disabled in static NAT. You may verify this by disabling source NAT port randomization.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Tftp traffic for IPphone

‎03-27-2019 02:47 PM

Progress at least.

 

Make sure your policy to allow the connection uses the specific application that matches your PBX system and not just the "any" application.

 

Then make sure the matching ALG for the PBX application is turned on for the SRX.

 

This will allow the ALG to permit the random high ports for the call streams to occur for the calls to work.

 

The alternative is to find the protocol (usually UDP), direction and port ranges used by the calling protocol and set up policies that allow those streams to occur.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home