Hi all, where I work we are having difficulty getting the Wildix IP phone phonebook to work through our Palo Alto PA-220 firewall, which we use for all SIP traffic. (Wildix is the make of IP phones we are using.)
I keep seeing dropped traffic like the below (drop.pcap), which is strange as the source address is showing the WAN IP and not the LAN IP of the Wildix IP phones. The capture was taken directly on the PA-220 itself.
(For the testing below, all application-default services and protocols were allowed out from the internal LAN subnet to any destination.)
2861 70.291031 193.195.XXX.XXX ec2-3-9-XXX-XXX.eu-west-2.compute.amazonaws.com TCP 214 5070 → 80 [PSH, ACK] Seq=1 Ack=1 Win=3650 Len=148 TSval=4294942132 TSecr=2835647103 186844.
Not sure if it is a NAT issue: the phones work OK for making and receiving calls, but the phonebook does not. The phonebook works OK when a Wildix phone is connected to one's personal domestic wireless router.
Please give me advice; I think I will do a Wireshark capture directly on the phone itself next.
So your phonebook gets pulled from an Amazon AWS address? If that's the case it should be getting NAT'd by something, whether that be the PA-220 or something you have in front of that.
The test rule that you have described isn't what I would configure for this. Create a rule so that a test phone can communicate to the outside completely unfiltered (application any, service any, action allow, no security profiles applied) and see if the phonebook works. That will tell you whether it's a security rulebase or a NAT rulebase issue. Also, for troubleshooting this, remember to set your interzone-default rule to log so that you actually get logs of any traffic that's just getting dropped.
Thanks for the update and quick reply. I'll be sure to keep an eye on this thread.
Looking for the same issue. Bumped into your thread. Thanks for creating it. Looking forward to a solution.
Resolved: it turned out the Wildix phones' phonebook was using SSL over TCP port 80 and not port 443.
I created a custom service for TCP port 80 and then applied that custom service to a new rule allowing just SSL traffic from the phones.
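The fix described in the resolution above (a custom TCP/80 service on a rule that allows only the ssl application from the phones), together with the interzone-default logging suggested earlier in the thread, written out as PAN-OS CLI set commands. This is an added example, not configuration posted by anyone in the thread; the object and rule names, the zone names (trust/untrust) and the phone subnet 10.10.20.0/24 are assumptions and must be replaced with your own.

```text
# PAN-OS CLI, configure mode. Names, zones and the phone subnet are assumptions.
configure

# Log the implicit interzone drop so traffic hitting no explicit rule shows up
# in the traffic log instead of disappearing silently.
set rulebase default-security-rules rules interzone-default log-end yes

# Address object for the phone subnet (assumed 10.10.20.0/24): keep the rule
# scoped to the phones rather than the whole LAN.
set address wildix-phones ip-netmask 10.10.20.0/24

# Custom service for TCP/80. With service application-default the firewall
# did not pass the phonebook's TLS-on-port-80 sessions (per the thread), so
# the rule needs an explicit service object instead.
set service tcp-80-ssl protocol tcp port 80

# Allow only the ssl application, only from the phones, only on TCP/80.
set rulebase security rules wildix-phonebook-ssl from trust to untrust source wildix-phones destination any source-user any category any application ssl service tcp-80-ssl action allow log-end yes

# Put it above the broader application-default rule so it is evaluated first.
move rulebase security rules wildix-phonebook-ssl top

commit
```

After the commit, filter the traffic log on the phone subnet with application ssl and confirm the sessions now match wildix-phonebook-ssl rather than interzone-default. Keep the rule narrow: a rule that allows ssl on TCP/80 from the entire LAN would let any internal host run TLS on a port where other controls expect cleartext HTTP, so if the AWS phonebook endpoint is stable, add a destination address object as well.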