- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-05-2013 07:24 AM
I am currently attempting to cut over our office's internal gateway from a BSD firewall to our PA-2050 (running PAN-OS 4.1.9). When attempting the cutover, I can get all services to work properly with the exception of our two VoIP servers (running Trixbox, which is Asterisk-based). I can get the servers to make a call, but once connected there is no audio on either end. Both servers are using a 1:1 NAT through the firewall and I am only allowing SIP and RTP ports to be allowed from the internet. The only changes that were made were to the PA-2050's Ethernet interfaces to replace the existing gateway for the VoIP servers.
I had previously worked with Palo Alto Support to work through this. They had me set up an Application Override across all ports for both servers, which worked while testing. Unfortunately, every attempt at going live results in a lack of audio when calls are connected. Viewing the traffic log, it appears as if the RTP traffic is flowing normally. I really need to get this cutover completed, but am unable to do so until I can get the audio working. Has anyone else run into a similar issue? If so, how were you able to get audio working properly.
09-12-2013 05:35 AM
I think it may be a NAT issue after my latest cutover attempt. I changed the default gateway of one of the VoIP servers to my PA-2050's interface again and continue to get one-way audio. This is also after commenting out the NAT rule in the BSD firewall as well as clearing the ARP table in the Edge Router. I decided to reboot the VoIP server and then was completely unable to reach the internet on the server, so all calls immediately got an "All circuits are busy now" message. I have the NAT working for several other servers, and the NAT rules match those exactly. This is incredibly frustrating and Palo Alto Support has largely been unhelpful.
09-12-2013 11:44 AM
Found out some more information after spending most of my day with Support. Our Edge Router keeps showing an ARP entry for the address I'm attempting to NAT my VoIP server to. I've already commented out the NAT rule in that firewall, as well as deleted two static routes that had been entered into the firewall. I'm still unable to clear that ARP entry from my Edge Router. It is a Cisco router, and I can't seem to find any answers that permanently remove the ARP entry.
09-12-2013 01:10 PM
Hello,
If you have a case with PA support open, could you mention the case number?
09-12-2013 02:05 PM
Please verify if SIP app override is done on Port UDP/5060 if SIP is using UDP. Otherwise it should be on TCP/5060
09-16-2013 08:30 AM
Ok, it looks like the issue has finally been resolved. What finally solved the issue was setting up the addition of two Application Overrides for SIP: one for UDP and one for TCP. To be safe, we set the port numbers pretty wide open (1034-65535).
09-16-2013 11:27 AM
Hmm that's weird. In my particular case I had to let the PA see SIP normally, but I did overrides for RTP and RTCP. Weird.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!