
New to XG - Broken SIP tunnel over RED VPN

Just switched over from Sonicwall and am going crazy getting my remote VOIP handset working!


I have a RED configured as "Transparent / Split" (Remote user's personal home device, we'd like to use DHCP as much as possible). 

From there, my phone is pulling DHCP address 10.10.10.246 and trying to communicate to my phone system at 192.168.0.3


I have a firewall policy (policy 8) that is configured as such:

Where "TEMP_VOIP_PHONE" is 10.10.10.246 and "voip_server_3" is 192.168.0.3

Policies on that firewall are set to be nonexistent:


I do a packet capture and I start to see traffic:

PHONE: REGISTER port 5080

DEVICE: 401 Unauthorized port 5080

PHONE: REGISTER port 5080

DEVICE: 200 OK port 5080

From there, the phone starts communicating on port 5081, sending SUBSCRIBE packets, but no response ever comes back from the main device. Packet captures for port 5081 show no response (no NAT issues apparent).


My largest confusion right now is that the packet log is showing "Rule ID 0".


Any ideas?
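As an added example (not part of the original post or of Sophos' tooling), a small Python script that pairs SIP requests with their final responses from a capture log shaped like the one above and reports which transactions went unanswered on each port; the log lines are constructed to mirror the exchange described.

```python
import re
from collections import defaultdict

# Constructed sample, in the same shape as the capture summarised in the post:
# "<side>: <SIP request method or status line> port <n>"
SAMPLE_CAPTURE = """\
PHONE: REGISTER port 5080
DEVICE: 401 Unauthorized port 5080
PHONE: REGISTER port 5080
DEVICE: 200 OK port 5080
PHONE: SUBSCRIBE port 5081
PHONE: SUBSCRIBE port 5081
"""

LINE_RE = re.compile(r"^(?P<side>\w+): (?P<msg>.+?) port (?P<port>\d+)$")


def parse_capture(text):
    """Return (side, msg, port) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["side"], m["msg"], int(m["port"])))
    return entries


def unanswered_requests(entries):
    """Pair each request with the next final (>= 200) response on the same port.

    Provisional 1xx responses keep the transaction open, as in SIP. Returns a
    dict {port: [methods still waiting for a response]} for ports with gaps.
    """
    pending = defaultdict(list)  # port -> outstanding request methods, in order
    for _side, msg, port in entries:
        if msg[:3].isdigit():  # status line such as "401 Unauthorized"
            if int(msg[:3]) >= 200 and pending[port]:
                pending[port].pop(0)  # final answer to the oldest open request
        else:  # request line such as "REGISTER" or "SUBSCRIBE"
            pending[port].append(msg.split()[0])
    return {port: reqs for port, reqs in pending.items() if reqs}


if __name__ == "__main__":
    gaps = unanswered_requests(parse_capture(SAMPLE_CAPTURE))
    for port, reqs in sorted(gaps.items()):
        print(f"port {port}: {len(reqs)} unanswered -> {', '.join(reqs)}")
```

Run against a real capture, the per-port gap list tells you whether the registration port is fine and only the SUBSCRIBE port is being silently dropped, which is the pattern to look for in the firewall's dropped-packet log.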



  • Global IT,

    delete this LAN to LAN rule and create a new one LAN to LAN where source network/destination network is any. Also uncheck NAT option (masq) and specific gateway NAT.

    Make sure that you can reach the opposite site using a ping from one device to another.

  • lferrara,

    Thank you for the tip; however, this firewall is live and I'm about 1000 miles away from the location. I really need to keep the rule limited to the specific IPs.

    I went ahead and unchecked MASQ and gateway NAT; now I'm seeing the incoming packets and successful forwards, just no replies.

    These are all initial connection packets, no replies.


    In the previous setup, I was able to connect via TCP to the web console over the RED tunnel, and the phone initially had a successful handshake until the latter SUBSCRIBE packets began to flow.

  • Global IT, check if traffic is denied using drop-packet-capture command from console.

    My advice was to have a full lan to lan rule to avoid possible dropped packets.

    Thanks

  • lferrara,


    I created a LAN to LAN policy, free and open, and am still seeing the issue. I believe I've boiled this down to somehow rule 0 being enacted after the initial handshake...


    Can't figure out where rule 0 is coming from

  • GlobalIT,

    Rule 0 is the default rule used by the firewall when no other rule is hit, so the traffic is denied.

    Use tcpdump from the console and drop-packet-capture "host x.x.x.x" to understand what is blocked and whether the remote network routing is working correctly.

    Are other resources on the remote red network able to ping/access HQ resources?

    Also make sure the SIP module is loaded using the command:

    system system_modules show

    Regards

  • Luk,


    That's one of my biggest confusions: if I plug my laptop into the RED and assign it that same .246 IP address, I can access the web configuration tool of the phone system. TCP traffic seems to be flowing just fine.


    As you can see below, I'm seeing traffic being caught by rule 0:


    But a drop-packet-capture shows nothing even as packets are rolling into the log viewer!

  • GlobalIT,

    send me a PM and I will have a look at your RED and SIP issue.