https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/999929#M122698 <P>Hello everyone , im seeing a very strange behaviour in my pa-445 version 11.1.4-h7 firewall , where i have an interface on the firewall which is a gateway to my voip devices , the same firewall connects to the voice server through an ipsec tunnel interface , so the traffic flow is like this , voice subnet to firewall and then from firewall to voice server through the tunnel , however on logs i see that the same voice subnet is entering the tunnel interface as "source" &amp; with the "source zone" since its hitting this tunnel interface and ofcourse its denied since the allowed rule is from branch "voice zone" to "hq zone" , however im only seeing this for voice subnet and only on SIP application .</P> <P>i would really appreciate any help &amp; thanks</P> Wed, 01 Jan 2025 12:50:42 GMT Esameldin 2025-01-01T12:50:42Z https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/999929#M122698 <P>Hello everyone , im seeing a very strange behaviour in my pa-445 version 11.1.4-h7 firewall , where i have an interface on the firewall which is a gateway to my voip devices , the same firewall connects to the voice server through an ipsec tunnel interface , so the traffic flow is like this , voice subnet to firewall and then from firewall to voice server through the tunnel , however on logs i see that the same voice subnet is entering the tunnel interface as "source" &amp; with the "source zone" since its hitting this tunnel interface and ofcourse its denied since the allowed rule is from branch "voice zone" to "hq zone" , however im only seeing this for voice subnet and only on SIP application .</P> <P>i would really appreciate any help &amp; thanks</P> Wed, 01 Jan 2025 12:50:42 GMT https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/999929#M122698 Esameldin 2025-01-01T12:50:42Z https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/1000008#M122716 <P>&nbsp;</P> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/331522">@Esameldin</a>&nbsp;,</P> <P>Just to confirm, are you saying that the SIP traffic from your voice subnet is being incorrectly processed as originating from an unintended zone, rather than the local voice zone? If possible, could you please share screenshots (with IPs blurred out) to help us further investigate the issue?</P> Thu, 02 Jan 2025 23:22:25 GMT https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/1000008#M122716 JayGolf 2025-01-02T23:22:25Z https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/1000028#M122722 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a>&nbsp;,</P> <P>&nbsp;</P> <P>yes the traffic is actually generating from the supposed egress interface , its like sent packets are just coming back to the same interface it left , and on the HQ (destination) firewall i have no such logs so traffic is not being generated from HQ, please refer to the below screenshot</P> <P>On the below screenshots you will find the ingress and egress interfaces , and also normal legal traffic , &amp; the unusual traffic (as per the routing table when traffic is hitting the HQ interface its redirected back to HQ ) &amp; so its denied by zone policy</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Direct;y Connected Voice interface" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65018i6185DE0077B07B31/image-size/large?v=v2&amp;px=999" role="button" title="voice-zone.png" alt="Direct;y Connected Voice interface" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Direct;y Connected Voice interface</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hq-interface.png" style="width: 720px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65017i7F61E330568C417E/image-size/large?v=v2&amp;px=999" role="button" title="hq-interface.png" alt="hq-interface.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sip-legal-traffic" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65019iA1226EC0EEA8CA2C/image-size/large?v=v2&amp;px=999" role="button" title="sip-legal-traffic.png" alt="sip-legal-traffic" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">sip-legal-traffic</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sip-illegal-traffic" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65020iE02CA2260FB1CB37/image-size/large?v=v2&amp;px=999" role="button" title="sip-illegal-traffic.png" alt="sip-illegal-traffic" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">sip-illegal-traffic</span></span></P> Fri, 03 Jan 2025 04:37:24 GMT https://live.paloaltonetworks.com/t5/general-topics/a-very-weird-behavior-on-sip-traffic-traffic-reversing-back-to/m-p/1000028#M122722 Esameldin 2025-01-03T04:37:24Z