https://live.paloaltonetworks.com/t5/next-generation-firewall/issue-with-call-recording-flow-predict-convert-rtp-drop/m-p/1241472#M6436 <P>Hi Team,</P><P>We’ve been experiencing issues with the communication between a Cisco softphone and the call recorder. Below is the scenario and a description of the problem:</P><OL><LI><P>When users place calls from a Cisco softphone, the call is established successfully, and both parties can hear each other. However, the issue arises because the call is supposed to be recorded and stored on an AWS instance.</P></LI><LI><P>After taking a packet capture on the firewall, I noticed that the communication is being dropped due to the following message:</P><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV><DIV class=""><SPAN>flow_predict_convert_rtp_drop <SPAN class="">480</SPAN> <SPAN class="">100</SPAN> drop <SPAN class="">flow</SPAN> pktproc Packets matching rtp/rtcp predicts of sip are dropped due <SPAN class="">to</SPAN> waiting for predicts merging.</SPAN></DIV><DIV class="">&nbsp;</DIV></DIV><P>When I check the active session, I see that once the communication starts, the <STRONG>source appears as 0.0.0.0</STRONG> (see attached image). After several minutes (sometimes seconds), the active session updates and shows the correct original source.</P></LI><LI><P>We ran a test where we kept the call active for about 20 minutes, and we found that the recording only starts after around 15 minutes.</P></LI></OL><P>We’ve already modified the NAT and Security Rules, but the issue persists. Currently, the security rules for this traffic are based on ports (not App-ID):</P><UL><LI><P>One rule handles <STRONG>signaling traffic</STRONG> (source/destination, port 5060).</P></LI><LI><P>The other rule is for the <STRONG>softphone traffic</STRONG> (source/destination, UDP ports 10000–40000).</P></LI></UL><P><STRONG>Note:</STRONG> In another similar scenario using a <STRONG>Cisco physical phone</STRONG>, everything works perfectly.</P><P>&nbsp;</P><P>As an example, the communication is</P><P>&nbsp;</P><P><BR />192.168.10.26 -&gt; 200.10.245.209 puerto 5060 (signaling)<BR /><BR />10.20.30.136(Softphone) -&gt;200.10.245.209 puertos 10000 a 40000 (CALL)</P><P>&nbsp;</P><P>Please, can anyone help me with this issue? I'd be very grateful&nbsp;</P> Sun, 09 Nov 2025 19:44:21 GMT aalfaro 2025-11-09T19:44:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/issue-with-call-recording-flow-predict-convert-rtp-drop/m-p/1241472#M6436 <P>Hi Team,</P><P>We’ve been experiencing issues with the communication between a Cisco softphone and the call recorder. Below is the scenario and a description of the problem:</P><OL><LI><P>When users place calls from a Cisco softphone, the call is established successfully, and both parties can hear each other. However, the issue arises because the call is supposed to be recorded and stored on an AWS instance.</P></LI><LI><P>After taking a packet capture on the firewall, I noticed that the communication is being dropped due to the following message:</P><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV><DIV class=""><SPAN>flow_predict_convert_rtp_drop <SPAN class="">480</SPAN> <SPAN class="">100</SPAN> drop <SPAN class="">flow</SPAN> pktproc Packets matching rtp/rtcp predicts of sip are dropped due <SPAN class="">to</SPAN> waiting for predicts merging.</SPAN></DIV><DIV class="">&nbsp;</DIV></DIV><P>When I check the active session, I see that once the communication starts, the <STRONG>source appears as 0.0.0.0</STRONG> (see attached image). After several minutes (sometimes seconds), the active session updates and shows the correct original source.</P></LI><LI><P>We ran a test where we kept the call active for about 20 minutes, and we found that the recording only starts after around 15 minutes.</P></LI></OL><P>We’ve already modified the NAT and Security Rules, but the issue persists. Currently, the security rules for this traffic are based on ports (not App-ID):</P><UL><LI><P>One rule handles <STRONG>signaling traffic</STRONG> (source/destination, port 5060).</P></LI><LI><P>The other rule is for the <STRONG>softphone traffic</STRONG> (source/destination, UDP ports 10000–40000).</P></LI></UL><P><STRONG>Note:</STRONG> In another similar scenario using a <STRONG>Cisco physical phone</STRONG>, everything works perfectly.</P><P>&nbsp;</P><P>As an example, the communication is</P><P>&nbsp;</P><P><BR />192.168.10.26 -&gt; 200.10.245.209 puerto 5060 (signaling)<BR /><BR />10.20.30.136(Softphone) -&gt;200.10.245.209 puertos 10000 a 40000 (CALL)</P><P>&nbsp;</P><P>Please, can anyone help me with this issue? I'd be very grateful&nbsp;</P> Sun, 09 Nov 2025 19:44:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/issue-with-call-recording-flow-predict-convert-rtp-drop/m-p/1241472#M6436 aalfaro 2025-11-09T19:44:21Z