
system_modules sip - invalid connection helper

Hello,

I have a SIP server (3CX) and SIP clients that are in different networks, protected by an XG Firewall.

From client to server I have opened the necessary firewall ports, TCP/UDP 5060 and the others necessary for 3CX.

Calls with the SIP client are working, but I cannot put a call on hold and get it back. When I do that in the client, I see denied traffic in the firewall log from server to client (UDP 5060, with the rule ID of the client->server rule) (see screenshot).

I can reproduce this.

When I go to the console and check the SIP helper with "system system_modules show", it is loaded. When I load the module again, the SIP client immediately works fine and there are no blocked packets in the log!

When I check it a few hours later, the client does not work again and the firewall blocks the packets again. I tried to unload the module, but then I cannot hear anybody with the client.

Does someone have an idea?

Thanks



  • Thanks.

    set advanced-firewall udp-timeout-stream 150 did not help

    set ips sip_preproc disable did not help

    There is no VPN connection between client to server

    The second article is for UTM 9. The commands, e.g. cat and lsmod, and the tcpdump parameters do not work. I could not find anything that would help.

     

    SIP does work fine without the Sophos firewall, using a bypass router for testing.

     

    Is there a way to schedule a command on the firewall? I would like to run the following command every hour: system system_modules sip load

    After this command sip is working fine.

     

  • This seems like the wrong approach to finding the solution.

    Could be some kind of conntrack issue... If you run into this issue, can you perform a drop packet capture? 

    On Console (SSH Advanced Shell), use 'drppkt | grep IPphone'

    I am wondering, do you know the "exact" time frame for this issue? Initially you told us a few hours? Could it be 3 hours? 3 hours "idle" and then you try to reconnect the phone?

  • I tried 'drppkt | grep IPphone' while making the call, putting it on hold and trying to get the conversation back. There were no dropped packets.

    I tried 'drppkt | grep 5060' and got the following output.

    I did not load the SIP module before. I will test the time frame from loading the SIP module until it stops working again over the next few days.

    Thanks for help.

     

    SFVH_VM01_SFOS 17.1.3 MR-3# drppkt | grep 5060
    2018-11-28 22:30:25 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
    0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
    Date=2018-11-28 Time=22:30:25 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=3 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=11 app_id=38 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=100 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=107919456 masterid=0 status=398 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
    2018-11-28 22:30:25 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
    0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
    Date=2018-11-28 Time=22:30:25 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=3 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=11 app_id=38 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=100 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=107919456 masterid=0 status=398 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
    2018-11-28 22:30:26 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
    0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
    Date=2018-11-28 Time=22:30:26 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=3 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=11 app_id=38 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=100 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=107919456 masterid=0 status=398 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
    2018-11-28 22:30:28 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
    0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
    Date=2018-11-28 Time=22:30:28 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=3 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=11 app_id=38 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=100 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=107919456 masterid=0 status=398 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
    2018-11-28 22:30:32 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
    0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
    Date=2018-11-28 Time=22:30:32 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=3 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=11 app_id=38 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=100 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=8 connid=107919456 masterid=0 status=398 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
    ^C
    SFVH_VM01_SFOS 17.1.3 MR-3#
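The drppkt output above is dense, and reading the key=value record by eye hides the pattern that matters: the same server-to-client flow is denied as Invalid_Traffic several times within a few seconds. The following Python script is an added example, not something from the thread or from Sophos; it parses the three-line drppkt record shape shown above (tcpdump-style header, hexdump line, SFOS key=value line), groups the denied packets by flow and reports which rule and log component hit. The sample input is constructed from the thread's own output, shortened to the fields the script uses, with each record already re-joined onto one line (the console wraps at 80 columns). The direction heuristic (source port 5060 toward a high port means "reply direction of a SIP signalling flow") and the reading of Invalid_Traffic as "no matching state" are this example's assumptions, not documentation of SFOS.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the drppkt output quoted in the thread.
# Each record: tcpdump-style header, one hexdump line, SFOS key=value line.
SAMPLE = """\
2018-11-28 22:30:25 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
Date=2018-11-28 Time=22:30:25 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev= out_dev= inzone_id=1 outzone_id=3 l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 ctflags=8 connid=107919456 status=398 state=0
2018-11-28 22:30:26 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
Date=2018-11-28 Time=22:30:26 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev= out_dev= inzone_id=1 outzone_id=3 l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 ctflags=8 connid=107919456 status=398 state=0
2018-11-28 22:30:28 010202141 IP 192.168.115.2.5060 > 192.168.117.3.56230 : proto UDP: packet len: 1076 checksum : 1554
0x00c0:  3a35 3036 303e 0d0a 546f 3a20 3c73 6970  :5060>..To:.<sip
Date=2018-11-28 Time=22:30:28 log_id=010202141 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev= out_dev= inzone_id=1 outzone_id=3 l3_protocol=IP source_ip=192.168.115.2 dest_ip=192.168.117.3 l4_protocol=UDP source_port=5060 dest_port=56230 fw_rule_id=21 ctflags=8 connid=107919456 status=398 state=0
"""

# Header line: "<date> <time> <log_id> IP <src>.<sport> > <dst>.<dport> : proto <P>: packet len: <n> ..."
HEADER = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<log_id>\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+) : "
    r"proto (?P<proto>\w+): packet len: (?P<len>\d+)"
)


def parse_drppkt(text):
    """Return one dict per record, keyed by the SFOS field names plus packet_len."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        if line.startswith("Date="):
            # Every token on this line is key=value; empty values (in_dev=) parse to "".
            rec = dict(tok.split("=", 1) for tok in line.split())
            rec["packet_len"] = int(header["len"]) if header else None
            records.append(rec)
            header = None
        # hexdump lines ("0x00c0: ...") and shell prompts carry nothing we need
    return records


def is_stateless_drop(rec):
    """Assumption for this example: Invalid_Traffic/Denied marks a packet that
    matched no existing connection state rather than a packet denied by a rule."""
    return rec.get("log_component") == "Invalid_Traffic" and rec.get("log_subtype") == "Denied"


def direction_hint(rec):
    """Heuristic (assumption): which side of a SIP signalling exchange the packet is."""
    sport, dport = int(rec["source_port"]), int(rec["dest_port"])
    if sport == 5060 and dport >= 1024:
        return "sip-reply"      # server answering the client's ephemeral port
    if dport == 5060:
        return "sip-request"
    return "other"


def summarize(records):
    """Group records by flow 5-tuple: count, rule ids, log components, times seen."""
    flows = defaultdict(lambda: {"count": 0, "rule_ids": set(), "components": set(), "times": []})
    for r in records:
        key = (r["l4_protocol"], r["source_ip"], r["source_port"], r["dest_ip"], r["dest_port"])
        f = flows[key]
        f["count"] += 1
        f["rule_ids"].add(r["fw_rule_id"])
        f["components"].add(r["log_component"])
        f["times"].append(r["Time"])
    return dict(flows)


def report(records):
    """One human-readable line per denied flow, most frequent first."""
    lines = []
    for key, f in sorted(summarize(records).items(), key=lambda kv: -kv[1]["count"]):
        proto, src, sport, dst, dport = key
        hint = direction_hint({"source_port": sport, "dest_port": dport})
        lines.append(
            f"{proto} {src}:{sport} -> {dst}:{dport}: {f['count']} packet(s) denied "
            f"({', '.join(sorted(f['components']))}), rule(s) {', '.join(sorted(f['rule_ids']))}, "
            f"{f['times'][0]}..{f['times'][-1]}, direction={hint}"
        )
    return lines


if __name__ == "__main__":
    for line in report(parse_drppkt(SAMPLE)):
        print(line)
```

Run against a saved capture (`drppkt | grep 5060 > drops.txt`, then feed the file instead of SAMPLE), a single flow with a rising count and direction=sip-reply is the signature of the thread's problem: the server's answers on UDP 5060 toward the client's ephemeral port are arriving without a matching state entry, which is why reloading the helper (which resets that state) makes the phone work again until the state is lost once more.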
     

  • OK, the system_module seems to be the wrong way.

    After I load the system_module sip, the client (on the same PC I used for the system console) is working fine. When I go into sleep mode (for example 1 minute later) and come back from that, the SIP client does not work again. On another PC the SIP client does not work all the time. When I use the system console on the second PC and load the SIP module from there, the client on the second PC works.

    It does not make any sense.

  • So let's take a step back.

    Conntrack is the basic stateful firewall. 

    https://en.wikipedia.org/wiki/Stateful_firewall

    To work with a stateful firewall in SIP setups, you have different approaches. Some "buzzwords": SIP ALG, SIP NAT, SIP firewall rules, SIP helper. Feel free to read something about it.

    But we use a helper to try to open the high ports in the firewall. Some products struggle with this or expect a different approach.

     

    Next steps would be a conntrack "dump" of this connection plus wireshark / tcpdump. 

    You could see what is going on on the XG.

    http://conntrack-tools.netfilter.org/conntrack.html

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

     

    Sophos Support can assist you in this process. 

     

    Next steps could be: do you use DDoS protection? IPS? ATP? Did you verify the log viewer? Any false positives?
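The reply above names the three moving parts (stateful conntrack, a static client-to-server rule, and a SIP helper that pre-authorises the media ports) without showing how they interact, and the interaction is exactly where the thread's symptom comes from. The Python model below is an added example, not XG's implementation and not code from Sophos or the poster. It tracks UDP flows direction-independently with an idle timeout, lets a toy SIP helper read the SDP `c=`/`m=audio` lines to open the RTP ports as RELATED, and replays a constructed call: REGISTER, INVITE with SDP, RTP both ways, then a server-initiated re-INVITE after the signalling flow has been idle longer than the timeout. Addresses and ports are the ones from the thread's drppkt output; the 150 s timeout mirrors the udp-timeout-stream value the poster tried; the verdict name DENY_NO_STATE standing in for XG's Invalid_Traffic log component, and the rule set (NEW allowed only from the client network to the server network), are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed to mirror the thread: clients in one zone, the 3CX server in
# another, UDP state expiring after 150 s (udp-timeout-stream 150).
CLIENT_NET = ip_network("192.168.117.0/24")
SERVER_NET = ip_network("192.168.115.0/24")
UDP_TIMEOUT = 150
SIP_PORT = 5060

SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_MEDIA = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)


def sip_helper_expectations(payload):
    """Toy SIP helper: read the SDP body of a SIP message and return the
    (ip, port) media endpoints the firewall should pre-authorise."""
    conn = SDP_CONN.search(payload)
    if not conn:
        return set()
    return {(conn.group(1), int(port)) for port in SDP_MEDIA.findall(payload)}


@dataclass
class StatefulUdpFirewall:
    timeout: int = UDP_TIMEOUT
    entries: dict = field(default_factory=dict)      # flow key -> time last seen
    expectations: set = field(default_factory=set)   # (ip, port) opened by the helper

    @staticmethod
    def flow_key(src, sport, dst, dport):
        # UDP state is direction-independent: the reply matches the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    @staticmethod
    def rule_allows_new(src, dst):
        # The only static rule in the thread's setup: client zone -> server zone.
        return ip_address(src) in CLIENT_NET and ip_address(dst) in SERVER_NET

    def packet(self, now, src, sport, dst, dport, payload=""):
        """Classify one UDP packet and update state. Returns the verdict name."""
        key = self.flow_key(src, sport, dst, dport)
        last = self.entries.get(key)
        if last is not None and now - last > self.timeout:
            del self.entries[key]            # idle UDP state has expired
            last = None
        if last is not None:
            verdict = "ALLOW_ESTABLISHED"
        elif (dst, dport) in self.expectations:
            self.expectations.discard((dst, dport))
            verdict = "ALLOW_RELATED"        # media port opened by the helper
        elif self.rule_allows_new(src, dst):
            verdict = "ALLOW_NEW"
        else:
            return "DENY_NO_STATE"           # assumption: XG's Invalid_Traffic
        self.entries[key] = now
        if SIP_PORT in (sport, dport):       # only signalling is inspected
            self.expectations |= sip_helper_expectations(payload)
        return verdict


CLIENT, SERVER = "192.168.117.3", "192.168.115.2"
# Constructed SIP messages; only the SDP lines matter to the helper.
INVITE_SDP = "INVITE sip:100@pbx SIP/2.0\r\n\r\nv=0\r\nc=IN IP4 192.168.117.3\r\nm=audio 40000 RTP/AVP 0 8\r\n"
OK_SDP = "SIP/2.0 200 OK\r\n\r\nv=0\r\nc=IN IP4 192.168.115.2\r\nm=audio 7078 RTP/AVP 0\r\n"


def run_scenario():
    """Replay a call, then a server-initiated re-INVITE after the signalling
    flow has been idle past the timeout. Returns the verdict per packet."""
    fw = StatefulUdpFirewall()
    steps = [
        (0,   CLIENT, 56230, SERVER, 5060, "REGISTER sip:pbx SIP/2.0\r\n\r\n"),
        (1,   SERVER, 5060, CLIENT, 56230, "SIP/2.0 200 OK\r\n\r\n"),
        (2,   CLIENT, 56230, SERVER, 5060, INVITE_SDP),
        (3,   SERVER, 5060, CLIENT, 56230, OK_SDP),
        (4,   SERVER, 7078, CLIENT, 40000, ""),      # RTP server -> client
        (5,   CLIENT, 40000, SERVER, 7078, ""),      # RTP client -> server
        (200, SERVER, 5060, CLIENT, 56230, "INVITE sip:201@192.168.117.3 SIP/2.0\r\n\r\n"),
        (201, CLIENT, 56230, SERVER, 5060, "REGISTER sip:pbx SIP/2.0\r\n\r\n"),
        (202, SERVER, 5060, CLIENT, 56230, "SIP/2.0 200 OK\r\n\r\n"),
    ]
    return [fw.packet(*step) for step in steps]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The seventh packet is the thread's symptom in miniature: the server's message on UDP 5060 toward the client's port 56230 is in the reply direction of a flow whose state has aged out, no helper expectation covers it, and the static rule does not permit NEW traffic from the server zone, so it is dropped. The eighth and ninth packets show why a client that keeps re-registering (or sends keepalives) inside the timeout never sees the problem, and why conntrack dumps and a tcpdump on both sides, as the reply suggests, are the right next step.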