https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195450#M58372 <P>No, Its not about 3way handshake. I thought it when this case was opened.&nbsp;</P><P>I was thinking that maybe some voice (RTCP) connections are differents and for that its jumping the first rule. But i can not see anythign different between them.</P><P>I will try to take pcaps to see the behaviour.&nbsp;</P><P>&nbsp;</P> Wed, 17 Jan 2018 08:17:03 GMT soporteseguridad 2018-01-17T08:17:03Z https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195274#M58349 <P>Hi,</P><P>&nbsp;</P><P>We have created a rule for Voice IP.</P><P>&nbsp;</P><P>Zone A to Zone B / Application RTP - RTCP / Service ANY / PERMIT</P><P>&nbsp;</P><P>So all the voice RTP connections should matched in the previous rule, but we are seeing connections which should be matched the previous rule but its matching in this rule:</P><P>&nbsp;</P><P>Zone A to Zone B / ANY / ANY / PERMIT</P><P>&nbsp;</P><P>Its like some connections are jumping the first rule, but we can see in log traffic how the sessions are being identified like RTP and RTCP.</P><P>&nbsp;</P><P>Any idea?</P> Tue, 16 Jan 2018 10:53:30 GMT https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195274#M58349 soporteseguridad 2018-01-16T10:53:30Z https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195342#M58364 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9102">@soporteseguridad</a>,</P><P>Once it's been properly identified by your catch-all rule, do you see subsequent sesions between source/destination on the same port properly matching the first rule?&nbsp;</P> Tue, 16 Jan 2018 17:13:40 GMT https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195342#M58364 BPry 2018-01-16T17:13:40Z https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195450#M58372 <P>No, Its not about 3way handshake. I thought it when this case was opened.&nbsp;</P><P>I was thinking that maybe some voice (RTCP) connections are differents and for that its jumping the first rule. But i can not see anythign different between them.</P><P>I will try to take pcaps to see the behaviour.&nbsp;</P><P>&nbsp;</P> Wed, 17 Jan 2018 08:17:03 GMT https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195450#M58372 soporteseguridad 2018-01-17T08:17:03Z https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195460#M58373 <P>This&nbsp;is the rule to match voice sessions. Numbers 32 and 33.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13263i50E18ACC8F0976AC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1.jpg" alt="1.jpg" /></span></P><P>&nbsp;</P><P>And these two rules are below, and sometimes the RTCP&nbsp; and RTP sessions are matching here. Source and destinations arent problem.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13265i3C354168853BD990/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2.jpg" alt="2.jpg" /></span></P><P>&nbsp;</P><P>Here we can session browser. the 3 sessions should match in the third rule.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13266iF031755DEDF2AD57/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3.jpg" alt="3.jpg" /></span></P> Wed, 17 Jan 2018 08:43:44 GMT https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195460#M58373 soporteseguridad 2018-01-17T08:43:44Z https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195565#M58397 <P>Recently when&nbsp; locking down my voice networks I ran into an issue similarly where RTP&nbsp;was matching the incorrect rule.&nbsp; Come to find out that it was matching the parent session, which in my case was SCCP, that&nbsp;is opening up pinholes and predicting RTP traffic and was causing it to match against a different rule than expected (my signalling rule).&nbsp;</P><P>&nbsp;</P><P>To resolve the issue, I disabled ALG for the SCCP protocol.&nbsp; I opened a case with Palo Alto who came back and had stated that this was working as expected.&nbsp; I dug a little deeper reading and found out that SCCP (and others) performed ALG by default.&nbsp; I had to disable ALG for SIP as well to get Cisco Telepresence to work correctly.</P><P>&nbsp;</P><P>-Matt</P> Wed, 17 Jan 2018 17:55:56 GMT https://live.paloaltonetworks.com/t5/general-topics/rtp-and-rtcp-traffic-jumping-rule/m-p/195565#M58397 mlinsemier 2018-01-17T17:55:56Z