MRA No Media

Erol Karaseki
Level 1

Hi Folks!

We have an interesting problem.

We designed an MRA and B2B for our customer.

They are using 2 different DMZ networks. The design is like this:

Local endpoints -> CUCM -> EXPC -> Checkpoint(DMZ 1)->EXPE->Fortigate(DMZ 2)->Internet->VPN-less Jabber Clients

EXPE is dual-interface, and EXPC connectivity to EXPE's internal (DMZ1 IP) interface is OK via L3 (we can see all zones are active and clients can log in via the internet using MRA).

Here is the problem and the tricky part: when a VPN-less Jabber (Jabber login from the internet towards EXPE) initiates a call to a local endpoint, everything is good, the call starts and media flows. However, when a local endpoint initiates a call to the VPN-less Jabber, signalling is OK but no media flows between the devices.

Furthermore, when a VPN-less Jabber calls another VPN-less Jabber, the same media problem occurs (signalling is OK and the call starts).

There is no problem with local calls either.

Also, the firewall ports are open (on both CP and FG we can see in the live logs during the call that there is no deny).

I know this is weird; what do you think the problem could be?

Thanks!

1 Reply

Slavik Bialik
Level 7

Did you try to disable (if enabled) SIP inspection on both firewalls? Those issues are more common on Checkpoint; it has a very intensive SIP inspection feature, and I had lots of issues because of this on CP. Check in CP, in all of your policies, whether you're using the standard SIP service object. If so, 99% it is configured with default inspection (if you double-click on your object and go to Advanced - if I recall correctly - you'll somewhere find a drop-down box for a protocol type, and if it's not set to NONE it means it uses inspection). If that's the case, just create another SIP (TCP/5060) object and apply it instead in the policies. I also suggest checking the TCP/5061 (SIP over TLS) service object you're using from the Internet towards Expressway-E, although it is on the FortiGate, and I don't remember how to disable SIP inspection over there.

Another thing I would do is gather a Wireshark capture from Expressway-C when you're making this call (via Diagnostics; just check that you also want to gather the tcpdump), and there you'll see the SIP from CUCM to Expressway-C and also the RTP streams. So you can easily understand whether you have 2 streams or only one. And if you have 2 (both ways), just see if the source and destination in both streams are correct. Where am I going with this...? I fear that CP is doing NAT, because CP is always all about NATs; by default CP does NAT on all traffic unless you state in the NAT list that a list of sources and destinations will be kept as original (we call it No NAT rules). So maybe this is your issue.
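The capture check the reply describes (count the RTP streams, then confirm the source and destination of each one match what the signalling negotiated) can be scripted once the pcap has been reduced to a per-packet text summary. The following is an added example and is not code from the thread, from Cisco, Check Point or Fortinet; it assumes a constructed one-line-per-packet format (`<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>`) of the kind a tshark export can produce, and the addresses, ports and the `parse_rtp_streams` / `check_media` helpers are all constructed for illustration.

```python
"""Classify RTP streams from a text capture summary taken on Expressway-C.

Added example (not the thread's or any vendor's code). Assumed input
format, one packet per line:
    <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
All addresses below are RFC 1918 values constructed for illustration.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Constructed sample 1: the one-way case from the question. The local
# endpoint (10.10.1.20) sends RTP towards the Expressway-E internal address
# (172.16.1.5) but nothing ever comes back.
ONE_WAY_CAPTURE = """
0.000 10.10.1.20:16384 -> 172.16.1.5:36002 RTP
0.020 10.10.1.20:16384 -> 172.16.1.5:36002 RTP
0.040 10.10.1.20:16384 -> 172.16.1.5:36002 RTP
0.050 10.10.1.30:5060 -> 10.10.1.5:5060 SIP
""".strip().splitlines()

# Constructed sample 2: media flows both ways, but the return stream arrives
# from 172.16.1.254 instead of the address the signalling advertised, which
# is what a firewall translating the source on the path would look like.
NAT_CAPTURE = """
0.000 10.10.1.20:16384 -> 172.16.1.5:36002 RTP
0.020 10.10.1.20:16384 -> 172.16.1.5:36002 RTP
0.021 172.16.1.254:36002 -> 10.10.1.20:16384 RTP
0.040 10.10.1.20:16384 -> 172.16.1.5:36002 RTP
0.041 172.16.1.254:36002 -> 10.10.1.20:16384 RTP
0.050 10.10.1.30:5060 -> 10.10.1.5:5060 SIP
""".strip().splitlines()


def parse_rtp_streams(lines):
    """Group RTP packets into streams keyed by ((src_ip, src_port), (dst_ip, dst_port))
    and return the packet count per stream. Non-RTP and unparsable lines are skipped."""
    streams = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proto"].upper() != "RTP":
            continue
        src = (m["sip"], int(m["sport"]))
        dst = (m["dip"], int(m["dport"]))
        streams[(src, dst)] += 1
    return dict(streams)


def check_media(streams, local_ip, expected_far_ip):
    """Report whether media is bidirectional for the local endpoint and list any
    inbound RTP whose source differs from the address signalling negotiated
    (a hint that something on the path is applying NAT)."""
    outbound = [k for k in streams if k[0][0] == local_ip]
    inbound = [k for k in streams if k[1][0] == local_ip]
    unexpected_sources = sorted({k[0][0] for k in inbound if k[0][0] != expected_far_ip})
    return {
        "outbound_streams": len(outbound),
        "inbound_streams": len(inbound),
        "bidirectional": bool(outbound) and bool(inbound),
        "unexpected_sources": unexpected_sources,
    }


if __name__ == "__main__":
    for label, capture in (("one-way", ONE_WAY_CAPTURE), ("nat", NAT_CAPTURE)):
        streams = parse_rtp_streams(capture)
        for (src, dst), n in streams.items():
            print(f"[{label}] {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}  {n} packets")
        print(f"[{label}]", check_media(streams, "10.10.1.20", "172.16.1.5"))
```

The useful signal is the combination: zero inbound streams points at media being dropped or never sent (the SIP inspection angle), while a bidirectional result with an unexpected inbound source points at address translation between Expressway-C and Expressway-E, which is the No NAT rule the reply suggests checking.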
