https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37133#M27237 <HTML><HEAD></HEAD><BODY><P>The help desk did all the work on the answer, I just put it with my post for everyone!</P></BODY></HTML> Wed, 09 Mar 2011 18:52:45 GMT manuel2000 2011-03-09T18:52:45Z https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37131#M27235 <HTML><HEAD></HEAD><BODY><P>Hi All; </P><P></P><P>I have an outside VOIP server running H323.&nbsp; The phones internally use a keep-alive mecahnism over UDP 5000 as a destination and varying source ports.&nbsp; </P><P></P><P>The server on the untrust side of the firewall will send the same keep-alives in response. This is known by some firewalls as a UDP conversation or sometimes is necessary in transparent mode.&nbsp; </P><P></P><P>The service drops connections if the packet is not returned by the server to the phone.&nbsp; To the PA by default the service appears to initiate a connection from Untrust to Untrust as a response, though it should be part of the Trust (Phone) to Untrust (Server) communication as a response.&nbsp; </P><P></P><P>On Cisco, Checkpoint and Juniper There are fixups for the protocols and an extension of for the timeout valuees for UDP that are necessary.&nbsp; </P><P></P><P>Is there a way for me to allow these UDP conversations prevalent in voice communication over IP? </P></BODY></HTML> Wed, 09 Mar 2011 16:17:04 GMT https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37131#M27235 manuel2000 2011-03-09T16:17:04Z https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37132#M27236 <HTML><HEAD></HEAD><BODY><P>Hi All;&nbsp; It turns out that the reason the second communication was showing as initiated from the VOIP Server was due to the UDP default timeout being 30 seconds.&nbsp; To find out if this is the case with your installation on the command line goto: </P><P></P><P>show session info </P><P></P><P>UDP Timeout will show as 30 seconds by default. </P><P></P><P>If you then use "Application Override" you will be able to adjust the TCP, UDP and other timeouts for the application, in my case the specific VOIP app. </P><P></P><P>I also found it helpful that should the connections stay open that show session info told me that at 80% of the allowable number of sessions (in a PA500 this is 65000), the timers will be halfed, saving me the problem of sessions bogging down the system if too many are open.</P><P></P><P>This feature is important as something like a Syslog server that matched the application override would produce millions of open (and staying open) UDP connections.</P><P></P><P>Anyway, Pen Name Manuel OUT!.&nbsp; </P></BODY></HTML> Wed, 09 Mar 2011 18:51:50 GMT https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37132#M27236 manuel2000 2011-03-09T18:51:50Z https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37133#M27237 <HTML><HEAD></HEAD><BODY><P>The help desk did all the work on the answer, I just put it with my post for everyone!</P></BODY></HTML> Wed, 09 Mar 2011 18:52:45 GMT https://live.paloaltonetworks.com/t5/general-topics/udp-conversations-for-voip/m-p/37133#M27237 manuel2000 2011-03-09T18:52:45Z