This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About rajqfs
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About rajqfs
08-18-2015
6Posts
1Like
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by rajqfs
| Subject | Views | Posted |
|---|---|---|
| 1583 | 01-30-2013 12:38 PM | |
| 4063 | 01-28-2013 01:48 PM | |
| 2294 | 04-17-2012 01:39 PM | |
| 10819 | 12-16-2011 08:11 AM | |
| 10818 | 12-15-2011 11:02 AM | |
| 14079 | 12-12-2011 11:20 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-30-2013 12:38 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 10-19-2011 01:00 PM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Posts | 6 |
| Total Likes Received | 1 |
01-30-2013
12:38 PM
1 Kudo
I still have the case open with support and they are currently researching the issue. I sent them over my techsupport files and they were able to reproduce the problem on their lab setup. Currently, this is what I have suggested my colleagues to do: 1. Every time the see an ISP failover, login to CLI session and issue the following: a. show session all filter application sip b. show session all filter application unknown-udp Now if all your phones are already registered with your provider, they should all show up on these two commands. It would be nice to have the firewall accurately detect the SIP traffic instead of classifying it as unknown-udp. Now to clear the sessions, all you have to do is issue: a. clear session all filter application sip b. clear session all filter application unknown-udp In regards to performance - This will highly depend on the number of phones you have. Simply put, the firewall would have to process approximately 'N' new sessions every 'X' seconds where 'N' is the total number of phones you have and 'X' is the SIP registration interval. Now, I wouldn't try and do this either as again this is not a scalable solution. I am trying to tackle this from a different perspective. If you notice not all customers who have VoIP phones and using PAN as their firewall are not having this issue (If everyone did, there would be an uproar). So it must be something very specific tied to your VoIP provider or your Phone manufacturer. For example, we use Polycom phones with Vocalocity as our provider. Using Wireshark I observed that, when the phone is not currently on a call, a SIP registration packet is sent out approximately every 15 seconds. I also monitored this phone's session on the firewall itself and confirmed that the TTL is reset every 15 seconds approximately. Now, I logged in to the phone, and I have an option called NAT keep-alive under network settings that is set to 15 seconds. So, I am currently working with my VoIP provider to see if we can make changes to our phone configuration packages. However, at the end of the day, PAN should clear the sessions if there is a failover. I cannot think of a reason why the firewall would not want to do that. I hope we will see a solution to this in the next release scheduled in February.
... View more
01-28-2013
01:48 PM
I am in a similar situation, and I currently have a case open with PAN support. In my case I have dual ISP setup. Every time there is a fail over from my primary to secondary or a fail back from secondary to primary, the SIP sessions hang in limbo. They do not timeout. This is because VoIP phones are constantly sending UDP SIP registration packets and the PAN device resets the TTL for the session. When a packet is received on an interface, the firewall first does a session look up, and if one exists hands it off to that session without further processing. There is an official document that describes how packets are handled inside a PAN firewall if you are interested. One of the things you could do is to set the SIP or unknown-udp application timeout values to be less than the SIP registration interval that your phones use. You would assume this to be 30 seconds but that is not always the case. If you have wireshark running, and properly filter the packets, you'll get a pretty good idea of the time difference between each SIP registration packet. Of course this means that you are putting a lot of load on your firewall and this might increase with the number of VoIP phones you have in your infrastructure. I am waiting on support to come back with a solution, but this might not be as simple a fix as it may seem.
... View more
04-17-2012
01:39 PM
I have a PA-500 that has Dual ISPs for Internet access. I am using a PBF rule to have the traffic go out via the Primary Internet Connection. The default route out to the Internet in the routing table is via the backup internet connection. I have two exisitng IPSec VPN tunnels. There is a static route via the primary internet gateway to each one of the peers of the IPSec tunnel. Now, I need to add another IPSec VPN peer. However, this peer does not have a static IP. The VPN is built using its dns name. IKE negotiation mode is aggressive. 1. The PA-500 is set to only respond to IKE messages and not initiate the VPN tunnel. 2. The peer initiates the tunnel. 3. PA-500 responds with ISAKMP negotiation messages as responder, but then times out. 4. I do not have access to the other peer. I assumed this is because of the PBF policy. Since, there is no static route to the peer of this new tunnel (a static route cannot be set because the peer is dynamic), I assumed the ISAKMP reponses were going out via the secondary Internet gateway. To test this, I did packet captures on the PA-500. However, they show that the PA-500 is responding with a source IP of its primary intterface internet interface. I could not make sense out of it. To test if PBF was the issue, I disabled the PBF policy, add a static route with a better metric via the primary gateway and the Tunnel comes up instantly and I am able to communicate with hosts on the far side of the VPN tunnel. Can someone please shed more information in regards to this behavior? Any help is appreciated. Thanks.
... View more
12-16-2011
08:11 AM
Thank you. This is what I was looking for. Let me see if I can find out what encryption scheme is being used in this case.
... View more
12-15-2011
11:02 AM
Hi. Thank you for your reply. After going through the config files of different devices, I am pretty sure the passwords are not hashed but are encrypted. What we see in the configuration files are definitely not hashes. So the PAN device must be doing something behind the scenes to decrypt these when using them. The question is what encryption/decryption scheme is being used in this case. Thanks.
... View more
12-12-2011
11:20 AM
Are they hashed before storing them in the config files? By the looks of them, it seems like the PAN appliance is storing them in an encrypted format. If so, can they be decrypted? For example, an OSPF key is stored as follows "-AQ==xxxxxxxxxxxxx=xxxxxxxxxxxxx==" This pattern can be observed in almost all of the keys/passwords stored in the XML config. Is there a way to decrypt these keys. I am particularly interested in the OSPF MD5 keys as I need to add new routers to our network but I don't know the key. Has anyone successfully decrypted a PAN key? Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:07 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks