Audio Issues with Asterisk via PA-2050

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Audio Issues with Asterisk via PA-2050

L2 Linker

I am currently attempting to cut over our office's internal gateway from a BSD firewall to our PA-2050 (running PAN-OS 4.1.9).  When attempting the cutover, I can get all services to work properly with the exception of our two VoIP servers (running Trixbox, which is Asterisk-based).  I can get the servers to make a call, but once connected there is no audio on either end. Both servers are using a 1:1 NAT through the firewall and I am only allowing SIP and RTP ports to be allowed from the internet.  The only changes that were made were to the PA-2050's Ethernet interfaces to replace the existing gateway for the VoIP servers.

I had previously worked with Palo Alto Support to work through this.  They had me set up an Application Override across all ports for both servers, which worked while testing.  Unfortunately, every attempt at going live results in a lack of audio when calls are connected.  Viewing the traffic log, it appears as if the RTP traffic is flowing normally.  I really need to get this cutover completed, but am unable to do so until I can get the audio working.  Has anyone else run into a similar issue?  If so, how were you able to get audio working properly.

20 REPLIES 20

I think it may be a NAT issue after my latest cutover attempt.  I changed the default gateway of one of the VoIP servers to my PA-2050's interface again and continue to get one-way audio.  This is also after commenting out the NAT rule in the BSD firewall as well as clearing the ARP table in the Edge Router.  I decided to reboot the VoIP server and then was completely unable to reach the internet on the server, so all calls immediately got an "All circuits are busy now" message.  I have the NAT working for several other servers, and the NAT rules match those exactly.  This is incredibly frustrating and Palo Alto Support has largely been unhelpful.

L2 Linker

Found out some more information after spending most of my day with Support.  Our Edge Router keeps showing an ARP entry for the address I'm attempting to NAT my VoIP server to.  I've already commented out the NAT rule in that firewall, as well as deleted two static routes that had been entered into the firewall.  I'm still unable to clear that ARP entry from my Edge Router.  It is a Cisco router, and I can't seem to find any answers that permanently remove the ARP entry.

Hello,

If you have a case with PA support open, could you mention the case number?

L6 Presenter

Please verify if SIP app override is done on Port UDP/5060 if SIP is using UDP. Otherwise it should be on TCP/5060

L2 Linker

Ok, it looks like the issue has finally been resolved.  What finally solved the issue was setting up the addition of two Application Overrides for SIP: one for UDP and one for TCP.  To be safe, we set the port numbers pretty wide open (1034-65535).

Hmm that's weird. In my particular case I had to let the PA see SIP normally, but I did overrides for RTP and RTCP. Weird.

  • 11589 Views
  • 20 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!