RTP traffic not matching App-ID Rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

RTP traffic not matching App-ID Rule

L1 Bithead

I have a strange issue where I have a configured rule to allow the "rtp" and "rtcp" App-IDs with application-default service from any-to-any. Below that rule I have a generic permit-any rule with application service any. Screenshots below. The behavior I am running into is that positively identified rtp and rtcp sessions are not matching my higher rule, and instead are flowing down to the permit-any-any rule, however when I check the security logs, they are showing the app being correctly identified as rtp or rtcp.

 

There doesn't appear to be anything in common between the traffic that does or does not match, such as a port number. The APP-ID for RTP lists the port range as dynamic so I am assuming this isn't an issue related to the port range.

 

I also looked into weather or not the issue is related to pinhole traffic from the SIP session which sets up the RTP predict session, but according to the documentation there is still a requirement to have an APP-ID rule matching the RTP/RTCP traffic. We do have SIP AGL enabled (default setting) but I would think since my rule is so permissive (any/any source/dest) the SIP AGL functionality is irrelevant.

 

Edit: We are running 10.1.5-h1 and I have checked known issues, but didn't find anything that sounded relevant.

 

Any help is appreciated!

 

IanGraham_0-1704745546729.png

IanGraham_3-1704745826139.png

IanGraham_2-1704745786416.png

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@IanGraham,

I've actually found in regards to RTP and RTCP that you actually do want to switch the service to any to reliably identify this traffic and have it match your policy appropriately. I'd want to scope that rule a bit better before making that change however since you've got it wide open at the moment. 

View solution in original post

1 REPLY 1

Cyber Elite
Cyber Elite

@IanGraham,

I've actually found in regards to RTP and RTCP that you actually do want to switch the service to any to reliably identify this traffic and have it match your policy appropriately. I'd want to scope that rule a bit better before making that change however since you've got it wide open at the moment. 

  • 1 accepted solution
  • 363 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!