Apple FaceTime Calls Not Working due to Failing STUN Requests

37404
Created On 09/25/18 19:54 PM - Last Modified 06/12/23 10:33 AM


Resolution


 

Overview

This article discusses Apple FaceTime calls not working because STUN (Session Traversal Utilities for NAT) requests fail when the connection traverses the firewall. The behavior can be intermittent. FaceTime calls can be initiated or received on Apple devices such as iPhone, Mac and iPad. The emphasis of this article is on STUN requests that are dropped by the firewall because of a security policy misconfiguration.

 

Details 

In simple terms, STUN is a protocol that lets a device behind a NAT device discover its public IP address and port. It is widely used in VoIP communications to mitigate issues caused by NAT on firewalls and routers.

 

The standard, widely used port for STUN is 3478/UDP. Apple's implementation of STUN uses UDP port 3478 along with other, non-standard ports (3478 through 3497/UDP). An Apple STUN client (iPhone, Mac, iPad and so on) can therefore send a STUN allocate request on any of these ports, and the STUN server replies on that port.

 

Note: Please refer to Apple technical documentation for any changes in ports used for STUN.

 

Issue

FaceTime calls do not connect or connect only intermittently, with failing STUN requests.

 

When configuring security policies to allow the application facetime, the following applications must also be allowed, because FaceTime depends on them:

 

ichat-av, sip, ssl, stun, web-browsing

[Screenshot omitted: Snip20151028_21.png]

  

A common approach is to allow all of the required applications above with the service set to application-default.
This is where the problem arises: STUN allocate requests fail. There are a few scenarios to consider:

 

  • STUN requests are sent on port 3478: works without any issues, since the application-default behavior allows STUN traffic on port 3478.
  • STUN requests are sent on any of the ports 3479 through 3497: fails, since the firewall restricts the application STUN to port 3478 and STUN traffic on any other port is not allowed.
  • STUN requests are sometimes sent on 3478 and sometimes on 3479 through 3497: fails intermittently.

 

 

Solution

There are two solutions that mitigate the problem of STUN requests being dropped when the service is set to application-default.

 

Solution 1: Create a separate policy for the application STUN with the service set to a custom service object that includes all the required ports, such as UDP 3479 through 3497. In the following example, a custom service named STUN_Custom_Service is configured and added to the security policy.

 

  • Configure the custom service.

[Screenshot omitted: Snip20151028_22.png]

  • Add the custom service to the policy.

[Screenshot omitted: Snip20151028_23.png]
 

Solution 2: Create a policy to allow the application STUN with the service set to any, so that STUN can use any L4 port. This alternative is less secure, as it opens all ports for STUN.
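The following added example is not from the article or from Palo Alto Networks; it is a small Python model of the three scenarios above and of the two solutions, so the effect of each service setting on the Apple STUN port range can be checked offline. The port numbers (3478 standard, 3479 through 3497 non-standard) and the object name STUN_Custom_Service come from the article; the rule names, the Rule and Service types and the APPLICATION_DEFAULT_PORTS table are assumptions made for the model.

```python
"""Model of how a security rule's service setting decides the fate of Apple STUN
requests. Added illustration, not Palo Alto Networks code or configuration.
Ports 3478-3497 and the name STUN_Custom_Service come from the article; the rule
names, the Rule/Service types and APPLICATION_DEFAULT_PORTS are assumptions."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

# Ports an Apple STUN client may use, 3478 through 3497 inclusive (from the article).
APPLE_STUN_PORTS = range(3478, 3498)

# With service = application-default, an identified application is allowed only
# on its registered standard port; for STUN the model uses 3478/UDP, an
# assumption consistent with the article's description of the behavior.
APPLICATION_DEFAULT_PORTS = {"stun": frozenset({("udp", 3478)})}


@dataclass(frozen=True)
class Service:
    """A service object: protocol None or ports None means 'any'."""
    name: str
    protocol: Optional[str]
    ports: Optional[FrozenSet[int]]


# Solution 2 from the article: service any (any protocol, any port).
SERVICE_ANY = Service("any", None, None)
# Solution 1 from the article: a custom service object covering the Apple STUN range.
STUN_CUSTOM_SERVICE = Service("STUN_Custom_Service", "udp", frozenset(APPLE_STUN_PORTS))


@dataclass(frozen=True)
class Rule:
    name: str
    application: str
    service: Union[str, Service]  # the string "application-default" or a Service


def rule_allows(rule: Rule, app: str, proto: str, dport: int) -> bool:
    """Return True if the rule permits a flow identified as `app` on proto/dport."""
    if rule.application != app:
        return False
    if rule.service == "application-default":
        return (proto, dport) in APPLICATION_DEFAULT_PORTS.get(app, frozenset())
    svc = rule.service
    if svc.protocol is not None and svc.protocol != proto:
        return False
    if svc.ports is not None and dport not in svc.ports:
        return False
    return True


def dropped_stun_ports(rule: Rule) -> List[int]:
    """UDP ports in the Apple STUN range on which this rule would drop STUN."""
    return [p for p in APPLE_STUN_PORTS if not rule_allows(rule, "stun", "udp", p)]


# The three rule variants discussed in the article (rule names are assumptions).
RULE_APP_DEFAULT = Rule("allow-stun-app-default", "stun", "application-default")
RULE_CUSTOM = Rule("allow-stun-custom-service", "stun", STUN_CUSTOM_SERVICE)
RULE_ANY = Rule("allow-stun-any-service", "stun", SERVICE_ANY)


if __name__ == "__main__":
    for rule in (RULE_APP_DEFAULT, RULE_CUSTOM, RULE_ANY):
        dropped = dropped_stun_ports(rule)
        summary = f"{rule.name}: {len(dropped)} of {len(APPLE_STUN_PORTS)} Apple STUN ports dropped"
        if dropped:
            summary += f" ({dropped[0]}-{dropped[-1]})"
        print(summary)
    # Why solution 2 is less secure: STUN-identified traffic on an unrelated port passes.
    print("service any permits stun on tcp/80:", rule_allows(RULE_ANY, "stun", "tcp", 80))
    print("custom service permits stun on tcp/80:", rule_allows(RULE_CUSTOM, "stun", "tcp", 80))
```

Running the model shows the application-default rule dropping 3479 through 3497 (the intermittent-failure scenario), while both solutions pass the whole range; the last two lines show the trade-off the article mentions, since the service-any rule also passes STUN-identified traffic on ports outside the Apple range.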

 

Note: The above discussion applies to Apple's STUN implementation. Please refer to Apple technical documentation for any changes in the ports used for STUN.


