ZBFW with SIP

Keith McElroy
Level 1

Hope this is the right spot for this. I am running an 891W with a ZBFW setup as the CPE, software c890-universalk9-mz.150-1.M4.bin. The issue I am working with is we are using a hosted platform for SIP and trying to register a phone through the SBC. I control the ISP side, this is a test with a customer that we have access to the CPE on. The phone registers fine, I can see the SIP pinhole being made and packets flowing. The problem seems to be when the SBC relays the 401 unauthorized to challenge the authentication, it never gets through the firewall. When we checked with a sniffer, we see the packet going out the SBC and the port matches the pinhole on the firewall including the port info, but no packets ever get to the phone. Does anyone know why this would happen?

Also, the phone is sending out PRACK messages, but they never are seen on the SBC side, it seems like they are not flowing through for some reason.

5 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you check what you have configured for this?

Also enable the logs:

ip inspect log drop-pkt

Try to register and do

show logging | include x.x.x.x (Call manager or host where the phones will register)

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, I found the workaround. I found the errors for invalid SIP headers, so I ran the "match protocol-violation" bypass and it seems to work. Sort of worries me that there is a problem in the SIP header, but I don't think there is much I can change since it is Polycom phones going to a Broadsoft platform.

Hello Keith,

Thanks for the explanation.

Would you mind showing the community the exact commands you ran so we can learn from you?

Also please mark the question as answered so future users can learn from this.

5 stars for you

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

class-map type inspect sip match-any SIP
 match protocol-violation
class-map type inspect match-any SIP1
 match protocol sip
policy-map type inspect Out
 class type inspect SIP1
  inspect
  service-policy sip SIP1

There is the basic config I tossed into my outbound policy along with my other config to allow other traffic for users. I am still confused why Polycom has a header failure, but I will have to see if that is something we can have fixed.

Hello Keith,

Exactly, great to have that info,

Thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
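
A fuller form of the workaround discussed in this thread, as an added example that is not the posters' own configuration: it applies the protocol-violation bypass only to SIP sent to the hosted SBC and leaves default SIP checking in place for all other SIP traffic. The address 192.0.2.10, port 5060 and every object name ending in -EX are assumptions. The Layer 7 `policy-map type inspect sip` shown here is the object a `service-policy sip` line refers to.

```cisco
! Constructed example. 192.0.2.10 stands in for the hosted SBC.
ip access-list extended SBC-SIP-EX
 permit udp any host 192.0.2.10 eq 5060
 permit tcp any host 192.0.2.10 eq 5060
!
! Layer 7 (SIP application inspection) class: messages that fail
! the firewall's SIP protocol conformance checks.
class-map type inspect sip match-any SIP-VIOLATION-EX
 match protocol-violation
!
! Layer 7 policy carrying the workaround: let those messages through.
policy-map type inspect sip SIP-L7-RELAXED-EX
 class type inspect sip SIP-VIOLATION-EX
  allow
!
! Layer 3/4 classes. match-all requires BOTH conditions, so the
! relaxed handling is limited to SIP whose destination is the SBC.
class-map type inspect match-all SIP-TO-SBC-EX
 match protocol sip
 match access-group name SBC-SIP-EX
class-map type inspect match-any SIP-OTHER-EX
 match protocol sip
!
! Classes are evaluated in order, so the SBC class comes first.
! The other classes of the existing outbound policy are omitted.
policy-map type inspect Out
 class type inspect SIP-TO-SBC-EX
  inspect
  service-policy sip SIP-L7-RELAXED-EX
 class type inspect SIP-OTHER-EX
  ! No Layer 7 policy attached: the default SIP checks that caused
  ! the drops described in this thread still apply here.
  inspect
!
! Leave drop logging on while testing so remaining drops are visible.
ip inspect log drop-pkt
```

After applying it, repeating the registration test and running `show logging | include` with the SBC address shows whether any SIP drops are still logged for that host.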