Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

VoIP over NAT issues: Ring but no audio; disconnects

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VoIP over NAT issues: Ring but no audio; disconnects

L1 Bithead

I have our VoIP PBX set up with an IP on our external side via NAT. The policy is a simple static NAT from the internal IP to the external. I also have the correct security policies in place to allow SIP/RTP traffic to pass freely to and from the external IP address. The PBX server can be accessed via HTTP from outside our network, and my cell phone (using BRIA) can successfully register to the PBX.

However, whenever I make a call from outside, it will disconnect after seven (7) seconds when picked up. This happens every time without fail. I have tried tweaking around security policies, enabling application override, and altering the NAT rules.. nothing seems to help.

Can anyone give me suggestions? This setup worked perfectly fine on our old Juniper SRX-240B with the PA-500 in vWire. Ever since I swapped the PA-500 into being our gateway/firewall, it just won't do it.

More information can be provided upon request.

Thanks,

Logan

15 REPLIES 15

L1 Bithead

Hi, i have the  same problem. The support area is reported to the task. Waiting for a solution. The problem lies in properly marked RTP packets. application ovverride  does not help. We have to wait.

L1 Bithead

Any Palo-Alto support people that can make any suggestions at all? We really want to avoid having to buy an intermediate device for SIP to bypass the PA-500.

Hello,

What software version and content is running on the device?

We are continuing to make improvements to the SIP decoder so I would recommend updating to the latest app/content version to see if this resolves your issue.

VoIP issues can be tricky to troubleshoot so I would highly recommend opening a case with your support team so we can gather packet captures, global counter and session information.

- Stefan

Our PA-500 is currently on version 4.1.2.

Packet captures that I've done so far show outgoing RTP transmission, but no incoming.

CASE#: 00076638

An update to this ticket:

I've been working with Palo Alto support and still no fix, yet.

Packet captures show that RTP traffic is flowing from the internal phone to the SIP phone outside the network, but there is no flow from outside to inside. It is passing out of our dynamic-ip-and-port NAT rule, but cannot find a way back in.

Still waiting on support for additional testing.

Try sniffing manually on your uplink to see if the voip client returns any packets at all?

My guess would be that some header within your SIP connection isnt replaced to show the PA's outside ip/port but showing the original (RFC1918?) address. Which of course will never find its way back to your PA (specially if this is over Internet).

Packet capture on a laptop running a SIP client shows that packets are being received on the external unit, but packets are hitting the NAT and being dropped when trying to re-enter the network.

PBX has a static NAT to an external IP.

External unit registers via PBX external.

External unit makes call.
PBX connects to internal phone and sets up the call.

Internal phone takes the call and tries to communicate with external unit via default dynamic-port-and-ip NAT (different IP than PBX external).
Traffic flows from internal to external via default NAT, but not vice versa.

The issue is that the traffic cannot re-enter the network via the dynamic-port-and-ip NAT. Our old Juniper SRX-240B did not have this issue, as it would route all SIP traffic back out the PBX external IP in it's default behavior (from what I've been told). This would utilize the static NAT and not the dynamic NAT.

Still working with someone from Palo Alto..

Any update I am having a similar issue?

Never really got any tangible progression. Ultimately, we decided to stop pursuing the issue and wait for our new phone system upgrade after the first of the year. The 3COM system we're using isn't supported any longer and has issues with NAT traversal.

One thing we also did was purchase an InGate Siperator so that our future SIP provider traffic will not pass through the PA-500 and instead will be parallel to the firewall. Managed to find a hardly-used unit on Ebay for way less than retail price.

Yesterday i have sesion with support from LA and waiting for solusion.

Hi

did u resolve problem

regards


I had the same problem and finally pointed the outside interface of the VOIP PBX to the internet bypassing the PAN. It has a built in firewall that's satisfactory for it's purpose. I created a zone on the PAN to get to he voice subnet for secure management of the VOIP PBX and also to keep the voice subnet off my internel network. It works for now.

L1 Bithead

yes, my problem is resolved. support offered  in my case to use application ovverride for sip application, and it's work.

Not applicable

Hi

I'm experiencing the same problem.  Could you provide details of the application override fix please?

Mine looks like this, but is not working;

AppOver.jpg

The 10. address is our PBX, the 80. address is the remote PBX and the 5. address is our external IP.

  • 15565 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!