Voxalot / SIP Broker Support Forums


LeonB 05-26-2009 02:12 PM

Checkpoint Firewall and Voxalot
 
Hello,

In residential and mobile situations working with Voxalot functionality runs like a charm without any hassle!

In our business we're using Checkpoint FW 6.5 R2, and behind it Counterpath X-Lite V3 Softphones.
Unfortunately we have been experiencing problems in getting VoIP working for quite some time now.
Registering to Voxalot accounts works but takes about 30 seconds...
Calling from behind the FW to an external Voip account works but calling from outside the FW to an inside client fails. The internal Softphone doesn't respond to the call.
Calling to different clients (with their own Voxalot account) from behind the FW is impossible. There's no recognition at all.

Our Business partner has configured the checkpoint FW to enable all endpoints within the LAN to communicate UDP port 5060.
Next, Checkpoint - Israel did in-depth debugging with our partner to troubleshoot the problems.

They discovered that certain important SIP tags aren't filled with data:

"I investigated the debugs that we have taken with my colleagues from the escalation team and we have found that a lot of the SIP fields are missing, and that is the reason that the firewall drops this traffic (not RFC).
At the kernel debug you can see that the firewall can not find the tag from the packet field:
sip_get_user_tag: couldn't find 'tag' in From field
fw_sip_manager: Error - sip_get_user_tag failed getting From tag
sip_earlynat_get_source_port: failed: no call_id/user"

Also our partner did some additional analysis on the debug data and came up with remarks about the "From" Line.
It should contain several parts: besides addressing, a unique "Tag=" part should also be available to make each call unique and trackable. Especially in a NAT and Checkpoint FW setup this seems to be very important.

In his opinion Voxalot doesn't use this tag with the NOTIFY messages but they do with the INVITE messages.

He refers to the need of correct implementation of RFC 3261 section 8.1.1.3 on all From: rules.

Does Voxalot Support recognize the above-mentioned findings?
Has anyone found a proper solid working solution (or workaround) using Voxalot accounts behind Checkpoint Firewalls?

I would very much appreciate it if Voxalot and/or somebody with experience could help me resolve this issue.

Many thanks in advance!

boatman 05-26-2009 08:51 PM

Quote:

Originally Posted by LeonB (Post 23293)
In his opinion Voxalot doesn't use this tag with the NOTIFY messages but they do with the INVITE messages.

I am not Voxalot support, but am curious about this issue.

Your incoming calls are signalled with an INVITE packet which has a proper "tag=" tag on the From line. NOTIFY packets from Voxalot do not have any "tag=" tag, however (as far as I know) the only NOTIFY packets Voxalot will send are to notify of new voice mail. A missing "tag=" in NOTIFY packets does not explain why you are not receiving calls.

I don't know much about the "sip_earlynat_get_source_port: failed: no call_id/user" problem, but you might find a solution here or here.
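
Added example, not part of either post and not Checkpoint or Voxalot code: a small Python check that reports, per SIP message, whether the From header carries the tag parameter required by RFC 3261 section 8.1.1.3 and whether a Call-ID is present, the two fields the kernel debug above complains about. The sample messages, addresses and function names are constructed for illustration.

```python
import re

COMPACT = {"f": "from", "i": "call-id", "t": "to"}  # RFC 3261 compact header names

def parse_headers(raw):
    """Return (start_line, {lowercased header name: first value}) for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return lines[0], headers

def from_tag(value):
    """Return the From header's tag parameter, or None if it is absent."""
    value = re.sub(r'"(?:\\.|[^"\\])*"', "", value)  # drop quoted display name
    if "<" in value:
        params = value.partition(">")[2]  # header params follow the closing '>'
    else:
        params = value[value.find(";"):] if ";" in value else ""
    m = re.search(r";\s*tag\s*=\s*([^;\s]+)", params, re.I)
    return m.group(1) if m else None

def check(raw):
    """Return (method, or 'SIP/2.0' for a response, and the list of missing fields)."""
    start, h = parse_headers(raw)
    problems = []
    if from_tag(h.get("from", "")) is None:
        problems.append("From header has no tag")
    if "call-id" not in h:
        problems.append("no Call-ID header")
    return start.split()[0], problems

# Constructed sample messages (not captured traffic).
INVITE = ("INVITE sip:200@192.0.2.10:5060 SIP/2.0\r\n"
          'From: "Caller" <sip:100@example.com>;tag=as5f2c1d\r\n'
          "To: <sip:200@example.com>\r\n"
          "Call-ID: 3c26700857a8@198.51.100.5\r\nCSeq: 102 INVITE\r\n\r\n")
NOTIFY = ("NOTIFY sip:200@192.0.2.10:5060 SIP/2.0\r\n"
          "f: <sip:200@example.com>\r\nt: <sip:200@example.com>\r\n"
          "i: 7d1e44b2@198.51.100.5\r\nEvent: message-summary\r\n\r\n")

if __name__ == "__main__":
    for msg in (INVITE, NOTIFY):
        print(check(msg))
```

Running it over messages exported from a packet capture on the outside interface shows which request types arrive without a From tag before the firewall inspects them.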

