05-22-2012 05:45 AM - edited 03-17-2019 11:12 PM
Hi all,
Has anyone had a bad experience when using a Firewall Traversal solution with a Juniper SSG 520, Firmware 6.1.0r1.0?
The Juniper has all VoIP/H323/SIP ALG disabled, but when some H323/H460 traffic passes this FW, it cuts the TCP signaling after a few seconds.
It is not a drop; the FW itself sends a packet to the source (RST) to close the TCP session (H245), and after this the call is disconnected by the source, as no other TCP crosses the FW for that call.
Any known issue or known incompatibility with this FW?
PS: When I change the registration to Assent, it doesn't recognize that it is an H323 call, because Assent doesn't use port 1720.
It is some embedded feature that does packet inspection or something like this.
Thanks
Elter
05-22-2012 05:59 AM
Hi Elter,
I'm not aware of any particular incompatibilities between VCS and this firewall, but if the firewall actively sends RST to the source of H460 traffic, it definitely sounds like the H323 ALG is in fact not disabled (if this behavior only occurs for H460 traffic).
RST could also simply mean that the firewall does not allow outbound traffic between this source and destination address/port, but I assume that you have already checked that?
Assent and H460 use different ports for H225/H245, so that might explain the different behavior.
- Andreas
05-22-2012 06:24 AM
Hi Andreas,
the customer swears that ALG is disabled, but this is not what it looks like.
Regarding ports, the rule is to allow any<->any.
The strange behaviour is that the call completes and it works for about 30 seconds and then, the FW actively cuts all TCP traffic (like some timer has elapsed). Very rare.
Thanks for your comments.
Regards
Elter
05-22-2012 06:26 AM
Elter,
in that case it would probably be a good idea for this customer to raise a support case with Juniper to investigate why the FW tears down the connection, since this should not occur.
- Andreas