05-26-2009, 02:12 PM   #1
LeonB
Checkpoint Firewall and Voxalot

Hello,

In residential and mobile situations, working with Voxalot functionality runs like a charm without any hassle!

In our business we're using Checkpoint FW 6.5 R2 and behind it Counterpath X-Lite V3 Softphones.
Unfortunately we have been experiencing problems in getting VoIP working for quite some time now.
Registering to Voxalot accounts works but takes about 30 seconds...
Calling from behind the FW to an external VoIP account works but calling from outside the FW to an inside client fails. The internal Softphone doesn't respond to the call.
Calling to different clients (with their own Voxalot account) from behind the FW is impossible. There's no recognition at all.

Our business partner has configured the Checkpoint FW to enable all endpoints within the LAN to communicate on UDP port 5060.
Next, Checkpoint - Israel did in-depth debugging with our partner to troubleshoot the problems.

They discovered that certain important SIP tags aren't filled with data:

"I investigated the debugs that we have taken with my colleagues from the escalation team and we have found that a lot of the SIP fields are missing, and that is the reason that the firewall drops this traffic (not RFC).
At the kernel debug you can see that the firewall can not find the tag from the packet field:
sip_get_user_tag: couldn't find 'tag' in From field
fw_sip_manager: Error - sip_get_user_tag failed getting From tag
sip_earlynat_get_source_port: failed: no call_id/user"

Also, our partner did some additional analysis on the debug data and came up with remarks about the "From" line.
It should contain several parts: besides addressing, a unique "Tag=" part should also be available to make each call unique and trackable. Especially in a NAT and Checkpoint FW setup this seems to be very important.

In his opinion Voxalot doesn't use this tag with the NOTIFY messages but they do with the INVITE messages.

He refers to the need of correct implementation of RFC 3261 section 8.1.1.3 on all From: rules.

Does Voxalot Support recognize the above-mentioned findings?
Has anyone found a proper solid working solution (or workaround) using Voxalot accounts behind Checkpoint Firewalls?

I would very much appreciate it if Voxalot and/or somebody with experience could help me resolve this issue.

Many thanks in advance!
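An added example, not part of the original post and not Check Point's or Voxalot's code: a small Python check for the two fields named in the kernel debug above, the From tag (RFC 3261 section 8.1.1.3) and the Call-ID. The sample messages are constructed, all hosts and ids are placeholders, and the check goes slightly beyond the post by also handling compact header names and a tag that appears only inside the URI.

```python
import re

COMPACT = {"f": "from", "i": "call-id"}   # compact header names from RFC 3261

def parse_headers(raw):
    """Map lowercased header names to values, unfolding continuation lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers, last = {}, None
    for line in head.split("\n")[1:]:              # skip the request line
        if line[:1] in (" ", "\t") and last:       # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, value.strip())
    return headers

def from_tag(value):
    """Return the From header's tag parameter, or None if it is absent.
    Parameters inside <...> belong to the URI and do not count."""
    value = re.sub(r'^\s*"(?:[^"\\]|\\.)*"', "", value)   # drop quoted display name
    if "<" in value:
        params = value.partition(">")[2]
    else:                                   # bare addr-spec: params follow first ';'
        params = ";" + value.partition(";")[2]
    m = re.search(r";\s*tag\s*=\s*([^;\s]+)", params, re.I)
    return m.group(1) if m else None

def check(raw):
    """Report the fields named in the firewall debug: From tag and Call-ID."""
    h = parse_headers(raw)
    return {"method": raw.split(" ", 1)[0],
            "from_tag": from_tag(h.get("from", "")),
            "call_id": h.get("call-id")}

# Constructed sample messages (not captured traffic); all names are placeholders.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          'From: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
          "Call-ID: a84b4c76e66710@host.example.com\r\n\r\n")
NOTIFY = ("NOTIFY sip:alice@192.0.2.10 SIP/2.0\r\n"
          "From: <sip:alice@example.com>\r\n"
          "Call-ID: 3f2a@proxy.example.com\r\n\r\n")
URI_PARAM = ("NOTIFY sip:alice@192.0.2.10 SIP/2.0\r\n"
             "f: <sip:alice@example.com;tag=zz>\r\n"
             "i: 77@proxy.example.com\r\n\r\n")

if __name__ == "__main__":
    for msg in (INVITE, NOTIFY, URI_PARAM):
        print(check(msg))
```

Running the same check over the text of messages exported from a packet capture taken on each side of the firewall shows which request methods arrive without a From tag.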