- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-21-2014 05:04 AM
Hello world,
I've the following problem after move a VOIP DMZ on PALO ALTO 2050 5.0.11:
If I dial in from outside, then the answer is almost immediate, so that is fine, but when I call out the line is dead for 35-40 seconds before a ringing tone is heard
I don't uderstand this delay? I try to do an application override but the issue stay. I can't see any drop on the firewall. Somebody know this problem?
thks
11-21-2014 05:12 AM
thks for your answerPANOS
but when I do an application OVERRIDE ALG is not used no?
11-21-2014 05:14 AM
Hi,
You do not say if it is a SIP or H323 VOIP setup? I ask because we had all kinds of problems with SIP through a PA200 with lines dropping and FORBIDDEN messages. As recommended we disabled sip alg and the problem still persisted.
The problem was raised with PA (we sent one of our phones to their test labs in Holland!!). Their engineer finally tied down the problem to the SIP UDP session timeouts. The default on a PA is 30 seconds but our phones were using 45 seconds. Once we changed the timeout to 1 minute the problem went away. It might be coincidence but you are experiencing times to work of around 35 to 40 seconds
Hope this helps.
Phil
11-21-2014 05:14 AM
Yes, as per my understanding you are correct. When app-override in place, it will skip layes-7 processing already (ALG).
Thanks
11-21-2014 05:24 AM
I knew it was the same but it is not
support engineers answer for that
"ALG is a little bit more sophisticated than manual application override, as it just disables an ALG inspection while with app-override we offload the whole traffic"
11-21-2014 05:27 AM
Hi ,
I confirm that the protocol used is sip. So your information is very interesting. I ll try to do this change on the PALO ALTO next week. and inform you about it
thks for your answer.
11-21-2014 06:22 AM
Hi Alle,
SIP is a diverse protocol, every vendor implements it in little different way. While PANW try to stick with RFC becuase of that sometimes it doesn work.
in this situation I would suggest to try with App Override, that can help.
Regards,
Hardik Shah
11-25-2014 04:35 AM
hi,
we had the same issue with Cisco phones. With delay ring and no voice. With application override it works perfectly:
As you can see... from the phone (policies *-1-1; -2-1; 3-1) to our voice network and the other way around (policies *-1-2; -2-2; 3-2). Just create customs app with e.g.: sip-override: udp/5060 ; rtcp-rtp: udp/16384-32767 ; sccp-override: tcp/2000. We are using the policies with the Version 6 as well...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!