
Issue with SIP and rejected packets

Hello

We've logged a call with Sophos support, but wanted to open this up to the community as well as it's quite urgent

Our customer has a Sophos XG210 (SFOS 17.0.6 MR-6) and SIP VOIP phones. The symptom of the issue is that inbound calls start to fail.

They have two WAN connections: a leased line and an ADSL connection. The main firewall rule for the phones is simply

Source: VOICE VLAN, Any

Destination: WAN, Any, Any

All None under scanning etc.

Changing this rule to the ADSL connection, things 'work'. Inbound calls generally seem to work fine, but troubleshooting is hindered by the ADSL line being poor. Call quality issues start to occur that are being included in this issue.

When using the leased line (using the same firewall rule), eventually inbound call routing starts to fail (call quality is good). It may be a red herring, but Violation reports start appearing in the firewall log. An example of the packet capture:

Date=2018-03-16 Time=16:34:14 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=a4:4c:11:8e:2a:83 dest_mac=7c:5a:1c:48:8c:99 l3_protocol=IP source_ip=xx.xxx.xxx.120 dest_ip=xx.xxx.xxx.146 l4_protocol=UDP source_port=5060 dest_port=2934 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=243270464 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

To my mind, it's as if the Firewall is unaware of the packet returning and rejecting it. Is it possible for the NAT to become full and start rejecting packets?

Thanks for any help
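As an added example (not part of the original post), the following script parses Sophos XG key=value firewall log lines and flags the pattern shown above: a Local_ACLs denial of a UDP packet arriving from the SIP signalling port (5060) with no firewall rule matched (fw_rule_id=0), which is the shape of a provider reply the firewall no longer associates with a session. The sample lines are constructed (RFC 5737 addresses) and the field subset and the "orphaned reply" heuristic are assumptions, not Sophos definitions.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos XG key=value format. The first mirrors the
# denied packet quoted in the post (with documentation IPs); the other two are
# constructed contrast cases (a non-SIP denial and an allowed outbound INVITE flow).
SAMPLE_LOG = """\
Date=2018-03-16 Time=16:34:14 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_priority=Alert in_dev=Port2 l3_protocol=IP source_ip=203.0.113.120 dest_ip=198.51.100.146 l4_protocol=UDP source_port=5060 dest_port=2934 fw_rule_id=0 connid=243270464
Date=2018-03-16 Time=16:34:15 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_priority=Alert in_dev=Port2 l3_protocol=IP source_ip=203.0.113.50 dest_ip=198.51.100.146 l4_protocol=TCP source_port=44321 dest_port=22 fw_rule_id=0 connid=1
Date=2018-03-16 Time=16:34:16 log_id=0101011 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed log_priority=Information in_dev=Port1 l3_protocol=IP source_ip=10.10.20.15 dest_ip=203.0.113.120 l4_protocol=UDP source_port=2934 dest_port=5060 fw_rule_id=7 connid=243270465
"""

TOKEN = re.compile(r"(\w+)=(\S*)")  # key=value tokens; values never contain spaces here


def parse_line(line):
    """Turn one 'k=v k=v ...' log line into a dict (values kept as strings)."""
    return dict(TOKEN.findall(line))


def is_orphaned_sip_reply(rec, sip_ports=(5060,)):
    """Heuristic (assumption): a Local_ACLs 'Denied' UDP packet whose *source* port is a
    SIP signalling port and that matched no rule (fw_rule_id=0) is a reply from the
    SIP provider that the firewall no longer maps to an existing session."""
    try:
        src_port = int(rec.get("source_port", "-1"))
    except ValueError:
        return False
    return (rec.get("log_component") == "Local_ACLs"
            and rec.get("log_subtype") == "Denied"
            and rec.get("l4_protocol") == "UDP"
            and src_port in sip_ports
            and rec.get("fw_rule_id") == "0")


def find_orphaned_sip_replies(log_text):
    """Return the parsed records of every matching line, in log order."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_orphaned_sip_reply(rec)]


def count_by_provider_ip(hits):
    """Count hits per SIP source IP: a rising count for the provider's address over
    time is the 'inbound starts to fail' signal worth graphing before calling support."""
    return Counter(rec["source_ip"] for rec in hits)


if __name__ == "__main__":
    hits = find_orphaned_sip_replies(SAMPLE_LOG)
    for rec in hits:
        print(rec["Time"], rec["source_ip"], "->", rec["dest_ip"], ":", rec["dest_port"])
    print(count_by_provider_ip(hits))
```

Pipe the firewall log export (or `tail -f` of it) into `find_orphaned_sip_replies` and watch whether the per-provider count climbs only when the leased-line gateway is in use.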



  • Hi

    The rule is right at the top. QOS wasn't enabled at the start of the issue, but is now.


    I have an inbound rule created, but no traffic appears to be hitting it. I think all of the inbound traffic is NAT'ed


    I should add that SIP ALG is turned off as a requirement from the SIP provider.


    Thanks 

  • If the firewall rule for incoming is set up correctly it will pass traffic. I expect that it will be a DNAT as part of your business rule, otherwise no traffic will get through.

    You can tighten up the outgoing rule so that only SIP and its associated ports are allowed out.

    For incoming I would recommend that you add the VoIP provider's server addresses to your allowed source networks so that you do not receive any nuisance calls from random junk callers.

    Ian

  • What would the incoming rule entail? I normally use DNAT rules to forward to a specific device.

    I've created an incoming User/Network rule (WAN to VOIP) but it's not 'in use' in that it shows 'in 0 B, out 0 B'. All of the incoming traffic is currently just NAT. I'll add this configuration is working at another site with identical hardware.

    Thanks