Behavior of the 3 possible options - SIP flow with TCP - SIP TCP cleartext


L4 Transporter
Hello, good afternoon everyone on LiveCommunity.
 

For an environment with SIP over TCP, with the ALG disabled at the "SIP" App level and/or with an App Override, I understand that these options should no longer cause any noise, problems or unwanted behavior, correct?

 

PAN-OS 9.1.14 - Layer 2 FW - HA

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-session/t...

 

Has anyone had cases of SIP over TCP flows with the ALG disabled at the "SIP" App level and/or with an App Override?

Which option(s) would be recommended for an environment like the one discussed, when choosing and/or applying the correct setting?

 

SIP TCP cleartext:

-Always Off

-Always enabled

-Automatically enable proxy when needed

 

Thanks for the comments, collaboration and your time.

 

Best Regards

High Sticker
Accepted Solution

Cyber Elite

Hi @Metgatz,

 

That's a great question.  I had an issue with a customer years ago where TCP SIP broke after an upgrade to PAN-OS 9.1.  It was working fine on 9.0.  No other changes were made besides the upgrade.  Turning off SIP ALG or creating an application override policy fixed the issue.  I have also seen the issue on PAN-OS 10.1.  I opened a TAC case and asked that they create a bug, but was ignored.  With regard to the first customer, I tried modifying the SIP TCP cleartext settings, but that didn't work.

 

All the VoIP vendors recommend disabling SIP ALG because they have had issues with it on firewalls for many years.  You probably already know this, but for others viewing this post, it is important to understand what SIP ALG does:

 

  1. Modifies the VoIP endpoints in the SIP packet if the PA NGFW is performing NAT.
  2. Dynamically opens "holes" in the NGFW to allow RTP traffic defined in the SIP packet.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK (second line)

https://live.paloaltonetworks.com/t5/pancast/pancast-episode-8-application-level-gateway-alg-for-voi...

 

If your SIP traffic is not NATed and you have rules to allow the RTP traffic, you can disable SIP ALG.  If your SIP traffic is NATed, most vendors have a way of configuring the NAT IP addresses on the SIP gateway in order to disable SIP ALG.

 

Sorry that I didn't answer your TCP SIP cleartext question.  Changing those settings did not fix the issue above.  It is also worth mentioning that UDP SIP worked fine.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

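As an added example that is not part of the thread and not Palo Alto Networks code: the Python below models the two ALG functions listed in the accepted answer against a constructed SIP INVITE sent over TCP. Every address, port and header in it is made up for illustration (10.1.1.50 as the phone, 203.0.113.10 as the source-NAT address), and the functions are hypothetical helpers, not the PAN-OS implementation. It shows which RTP/RTCP pinholes an ALG derives from the SDP body, and how rewriting the private address for NAT changes the payload so that Content-Length has to be recomputed.

```python
from typing import List, Tuple

CRLF = "\r\n"

# Constructed sample addresses (not from the thread): a phone on the inside
# and the firewall's source-NAT address.
PRIVATE_IP = "10.1.1.50"
PUBLIC_IP = "203.0.113.10"


def build_message(start_line: str, headers: List[Tuple[str, str]], body: str) -> str:
    """Assemble a SIP message; Content-Length is always recomputed from the body."""
    hdrs = [(n, v) for n, v in headers if n.lower() != "content-length"]
    hdrs.append(("Content-Length", str(len(body.encode("ascii")))))
    head = CRLF.join([start_line] + [f"{n}: {v}" for n, v in hdrs])
    return head + CRLF + CRLF + body


def split_message(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a SIP message into start line, header list and body (the SDP)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only: values carry host:port
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def content_length(raw: str) -> int:
    _, headers, _ = split_message(raw)
    return int({n.lower(): v for n, v in headers}["content-length"])


def rtp_pinholes(raw: str) -> List[Tuple[str, int]]:
    """(address, port) pairs an ALG has to open so the media offered in the SDP can flow.

    Each m= line with a non-zero port yields its RTP port plus RTCP on port+1
    (RFC 3550 convention), on a media-level c= address if one follows the m=
    line, otherwise on the session-level c= address.
    """
    _, _, body = split_message(raw)
    session_ip = None
    media: List[List] = []  # [address, port] per m= line
    for line in body.split(CRLF):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                media[-1][0] = ip  # media-level c= applies to that stream only
            else:
                session_ip = ip
        elif line.startswith("m="):
            media.append([session_ip, int(line.split()[1])])
    holes: List[Tuple[str, int]] = []
    for ip, port in media:
        if port == 0:  # port 0 means the stream is rejected: nothing to open
            continue
        holes.append((ip, port))
        holes.append((ip, port + 1))
    return holes


def nat_rewrite(raw: str, private_ip: str, public_ip: str) -> str:
    """Rewrite the private address the way a NAT-aware SIP ALG must.

    Via and Contact carry the signalling address, SDP o= and c= carry the media
    address; without the rewrite the far end would try to reach 10.x directly.
    Call-ID is opaque and deliberately left alone even though it embeds the IP.
    """
    start, headers, body = split_message(raw)
    new_headers = []
    for name, value in headers:
        if name.lower() in ("via", "contact"):
            value = value.replace(private_ip, public_ip)
        new_headers.append((name, value))
    new_body = CRLF.join(
        line.replace(private_ip, public_ip) if line.startswith(("o=", "c=")) else line
        for line in body.split(CRLF)
    )
    return build_message(start, new_headers, new_body)


# Constructed INVITE over TCP: one audio and one video stream, both offered
# from the session-level c= address.
SAMPLE_SDP = CRLF.join([
    "v=0",
    f"o=1001 2890844526 2890844526 IN IP4 {PRIVATE_IP}",
    "s=-",
    f"c=IN IP4 {PRIVATE_IP}",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
    "m=video 16386 RTP/AVP 96",
    "",
])
SAMPLE_INVITE = build_message(
    "INVITE sip:2001@sip.example.net SIP/2.0",
    [
        ("Via", f"SIP/2.0/TCP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds"),
        ("From", "<sip:1001@sip.example.net>;tag=1928301774"),
        ("To", "<sip:2001@sip.example.net>"),
        ("Call-ID", f"a84b4c76e66710@{PRIVATE_IP}"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:1001@{PRIVATE_IP}:5060;transport=tcp>"),
        ("Content-Type", "application/sdp"),
    ],
    SAMPLE_SDP,
)

if __name__ == "__main__":
    print("pinholes before NAT:", rtp_pinholes(SAMPLE_INVITE))
    rewritten = nat_rewrite(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP)
    print("pinholes after NAT: ", rtp_pinholes(rewritten))
    print(f"Content-Length {content_length(SAMPLE_INVITE)} -> {content_length(rewritten)}")
    print(rewritten.replace(CRLF, "\n"))
```

The pinhole list is exactly what a security policy has to permit explicitly once SIP ALG is disabled, which is the "rules to allow the RTP traffic" condition in the answer above. The length change is the general reason a TCP ALG has more to do than a UDP one: after the rewrite the firewall must also fix up TCP sequence and acknowledgement numbers for the rest of the connection, whereas UDP datagrams are independent of each other.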

2 Replies


Hello colleague @TomYoung,

 

Thanks for your time and your great response. A few months ago I experienced a similar issue, where we upgraded the firewalls from version 8.0 to 9.1.14. And of course after this, problems began to occur with SIP over TCP, especially with the registration of IP phones and one-way calls.
Yes, the first thing we did was disable the ALG of the SIP app; after that there was some improvement, but the problem kept recurring, so we had to create an app override for all SIP flows over TCP and UDP.

 

I discussed this with TAC and their answer was very ambiguous: for example, if you check the Known Issues for all versions from 9.1.x to 9.1.14, there is nothing about SIP over TCP. But if you look at the Addressed Issues for versions 9.1.14-h1, 9.1.14-h4 and 9.1.15, there are several addressed issues, such as:


"Fixed an issue where Session Initiation Protocol (SIP) REGISTER packets did not get transmitted when application-level gateway (ALG) and SIP Proxy were enabled, which caused a SIP-registration issue in environments where TCP retransmission occurred." But if you check the Known Issues and the consolidated list, they don't mention anything about SIP, yet these are then listed as Addressed Issues.

 

-https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-14-h1-addressed-issues#panos-addressed-issues-9.1.14

-https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/known-issues/known-issues-related-to-pan-os-9-1-releases

 

I contacted TAC, and at first they did not give me an answer to the issue, and then just said that this came from version 9.0 but had not been published in 9.1 because they could not detail the issues cumulatively... but they do exactly that in other cases, with other issues; with these SIP issues they acted differently, and to me it seemed a little negligent and a somewhat terse response.

 

I still have not been able to upgrade those firewalls to 9.1.14-h4 or 9.1.15 due to operational issues, although at this point we should be on at least 10.1.x with this partner, but it has been complicated by the operational issues and by getting dates for maintenance windows.

 

For the same reason I was asking about these options: normally nobody modifies or touches them, there are not many comments, nor is there much documentation or detail about them, so I was asking whether anyone has had experience with these options or has had to deal with scenarios where the SIP TCP cleartext parameters had to be modified, in scenarios with SIP over TCP.

 

Thanks for your time, comments, details and advice.

 

Best regards

High Sticker