We upgraded our PA5020 from 5.07 to 6.0.1 to utilize TLS 1.2 to handle decryption but as a result we have created an issue with our phones. We have a couple call managers behind the PA5020's at our data center and several branch offices around the world that rely on them. The branch MGCP gateway uses UDP 2427 to send notification messages and TCP 2428 to handle call setup etc. When we place an outbound call from a branch, the phone (Cisco 8961) works fine for approx 23 seconds and then goes into preservation mode, which keeps the call connected in a "fail over" state however phone features like hold, transfer etc no longer work. When we do a packet capture we can see the UDP 2427 MGCP packets being dropped and then subsequent retries and then at which time the call manager assumes it has lost connectivity to the MGCP gateway and the phone goes into preservation mode. Here are some things we have done thus far:
-created a rule to allow everything from anywhere going to anywhere to ensure there was no policy causing an issue
-since these are SIP phones we disabled SIP ALG, but it's not the SIP portion that has an issue, so no change
-created an application override for MGCP with UDP and TCP ports 0-65535 for good measure and still the packets are dropped
We do have a call in with TAC, but since this is affecting every branch, it's getting a little warm under the collar. We may have no choice but to revert back to 5.x but thought I would throw it out there to the community in case someone has some other ideas we can try.
I have added the following configuration "set deviceconfig setting tcp asymmetric-path bypass" and it worked now for 7 minutes before failing. Second time was 3 minutes.
I had similar problems with our VoIP devices. I am still on 5.x PAN and I have Application Override for that. TAC told me that my problem will be solved in PAN 6.x.
Something similar to VOIP Traffic Disconnects Every 30 Seconds or https://live.paloaltonetworks.com/message/15066#15066
My branch is still running 5.x and the data center 6.x... and this time I re-created the application overrides for SIP, RTP and MGCP at both the branch and datacenter and so far my call has been up for 25 minutes!
This is apparently supposed to be fixed in 6.0.3 in case anyone else runs into this, but still waiting for that release to test. I had to make an application override on both ends (branch and data center) for the MGCP packets to flow properly.