PureConnect

  • 1.  SIP ALG

    Posted 07-22-2021 10:06
    Hi All,

    I have hit a wall and am hoping somebody has some experience with SIP ALG configuration. Since our PureConnect install 7 years ago, we have had SIP ALG enabled on our Palo Alto firewalls. A business change requires us to disable SIP ALG, but when we do, we see that our SIP softphones' audio no longer works.

    The call is made, but no RTP stream is started. Genesys says they normally see problems when SIP ALG is enabled, so I am not sure why we would be seeing issues with it disabled. I do not have access to our firewall, so I have limited understanding of any configuration that might exist causing this.

    Has anybody experienced this no-audio issue when disabling SIP ALG?

    Thank you,
     Scott
    #Implementation
    #SIP/VoIP
    #Telephony

    ------------------------------
    Scott Williams
    Missouri Higher Education Loan Authority
    ------------------------------


  • 2.  RE: SIP ALG

    Posted 07-23-2021 02:57
    A SIP call consists of two parts: the signalling (SIP) and the media stream (RTP). The ports used for RTP are dynamic and negotiated during SIP signalling. A firewall must therefore understand the content of the SIP data to find and open the matching RTP port.

    If this is not possible, you may define a dedicated port range for RTP (e.g. set the "Audio Path" to "Always In" in the line configuration, set the range in the RtpPortRange property on the Mediaserver, and allow all incoming UDP packets in this port range targeting the Mediaserver to pass the firewall). Or, if you want to enhance security by inspecting the content of the RTP packets as well, you should consider using a dedicated SBC.

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------



  • 3.  RE: SIP ALG

    Posted 07-23-2021 04:46
    Hi Scott,

    Adding to what Andreas wrote, and assuming the SIP softphones (e.g. the PCs on which they are running) as well as the media server are using private (internal) IP addresses, which are translated by the firewall into a public IP: the SIP ALG was taking care of replacing the private IP with the public one in the SIP message (including the SDP body for the media stream exchange), which can be reached from outside the firewall boundary. If this address replacement is not taking place anymore, external systems send the media streams to the private IPs, which are not routable on the internet, causing the no-audio issue.
    Therefore it is important to ensure that outbound packets from the firewall contain public IPs also in the SDP body of the SIP messages. STUN could be a solution, but it is not supported by PureConnect, as far as I know.
    An SBC would take care of this as well.
    But the best option seems to be to re-enable SIP ALG on the firewall.

    Regards,
    Marcelo

    ------------------------------
    Marcelo Heil França
    InfinIT.cx GmbH
    ------------------------------
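The two points made by Andreas (the RTP port is negotiated inside the SDP body, so a static firewall rule must cover the Mediaserver's RtpPortRange) and by Marcelo (a private address in the SDP c= line is only reachable if an ALG or SBC rewrites it) can be checked directly on a captured SDP body. This is an added example for the thread, not code from PureConnect, Palo Alto or any of the posters; the SDP text is constructed and the 16384-32767 range is an assumed stand-in for whatever RtpPortRange holds on a given Mediaserver.

```python
"""Audit an SDP body for the two no-audio causes discussed in this thread."""
import ipaddress
import re

# Constructed SDP body of the kind carried in a SIP INVITE or 200 OK.
# The softphone advertises its own RFC 1918 address and an RTP port.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 1234 1234 IN IP4 10.20.30.40\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "t=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def parse_sdp(sdp):
    """Return (connection_ip, {media_type: port}) from an SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)\r?$", sdp, re.M)
    media = {}
    for m in re.finditer(r"^m=(\w+) (\d+) ", sdp, re.M):
        media[m.group(1)] = int(m.group(2))
    return (conn.group(1) if conn else None), media


def audit_sdp(sdp, rtp_range=(16384, 32767)):
    """List reasons the far end could fail to deliver RTP to this endpoint.

    rtp_range is an assumed RtpPortRange; pass the real value from the
    Mediaserver configuration when auditing a live capture.
    """
    ip, media = parse_sdp(sdp)
    findings = []
    if ip is None:
        findings.append("no c= line: far end has no address to send RTP to")
    elif ipaddress.ip_address(ip).is_private:
        findings.append(f"c= advertises private address {ip}; without an ALG "
                        "or SBC rewriting it, external RTP goes nowhere")
    port = media.get("audio")
    if port is None:
        findings.append("no m=audio line: no RTP port was offered")
    elif not rtp_range[0] <= port <= rtp_range[1]:
        findings.append(f"audio port {port} is outside RtpPortRange "
                        f"{rtp_range}; a static UDP rule for that range "
                        "will not let the stream through")
    return findings
```

Run it against the SDP body of the INVITE and the 200 OK seen on each side of the firewall: an SDP leaving the firewall with a private c= address is exactly the symptom the ALG used to hide.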



  • 4.  RE: SIP ALG

    Posted 07-23-2021 23:28
    Are your SIP Softphones operating across the internet or across a VPN?

    If they are across a VPN you shouldn't use NAT to translate the internal IP addresses to public IP addresses.

    As mentioned, I've seen issues with ALG enabled, but not without.

    Cheers,



  • 5.  RE: SIP ALG

    Posted 08-02-2021 08:54
    Hi All,

    Our firewall was decrypting the SIP/RTP packets when we disabled ALG, which was causing our issues. Once we made a policy to avoid decrypting any packets to our media server, audio started working.

    Thank you,
     Scott

    ------------------------------
    Scott Williams
    Missouri Higher Education Loan Authority
    ------------------------------



  • 6.  RE: SIP ALG

    Posted 08-17-2021 13:56
    Scott,

    We experienced the same thing when wanting to disable SIP ALG on our SonicWall firewalls. The main reason we needed to do this was that we were seeing, as SIP traffic increased, that the firewall CPUs would get too busy and in turn delay everything the firewall was configured for. It also appears that many recommendations are out there to disable SIP ALG on firewalls. So, we were also told that an SBC was the way to go (but they are not cheap).

    So, you found that, once ALG was disabled, ensuring those packets were not decrypted solved the issue?

    As I understood it, SIP ALG was needed to substitute private/public IPs in the application layer of the packets. In your solution, do you think this is being done by a different device like a gateway, or is PureConnect somehow already managing this?

    I am intrigued to learn more about this, and how you have handled this.

    Thanks!

    ------------------------------
    Josh Zets
    Incept
    ------------------------------



  • 7.  RE: SIP ALG

    Posted 08-17-2021 14:24
    Hi Josh,

    So my situation sounds a little different than yours. Our VoIP traffic comes through SBCs; the issue we were having was for agents who were connected via VPN. When we disabled SIP ALG, the agents would no longer hear any audio, but the phone would connect. Our security team started looking into it and noticed that the RTP packets were being labeled as unknown UDP packets.

    We discovered that our firewall was doing an inspection of SIP packets, and for some reason when it decrypted the packets it wasn't able to route them properly. I am not a security guy, so I am not sure exactly why, but our security guy said he had seen it before and put the SIP packets into a no-decrypt policy.

    Thank you,
     Scott

    ------------------------------
    Scott Williams
    Missouri Higher Education Loan Authority
    ------------------------------


