Juniper firewall with ScreenOS 5.4: problems with VoIP and the SIP ALG

ScreenOS 5.4.0r26.0

Problem:

SIP works, but the NS204 does not pass SIP keep-alives. Only the "proper" SIP registration succeeds.

See also http://www.krakovic.de/voip-und-sip-beispiel-einer-sip-session/

NS204_EF_1(M)-> get dbuf str
****** 07147.0: <Trust/ethernet1> packet received [32]******
ipid = 6786(1a82), @d780a110
ipsec decrypt engine released, auth check pass!
packet is decrypted
ipsec decrypt done
put packet(5883fbc) into flush queue.
packet passed sanity check.
ethernet1:10.136.172.201/5060->195.222.249.61/5060,17<Root>
existing session found. sess token 4
flow got session.
flow session id 126431
vsd 0 is active
  packet dropped, application error
        remove packet(5883fbc) out from flush queue.

Solution:

Disable the ALG for SIP!

[Screenshot: Screen_2013.02.24__00308__032]

Set up an outgoing rule to the SIP proxy with a DIP:

[Screenshot: Screen_2013.02.24__00309__033]

[Screenshot: Screen_2013.02.24__00310__034]

Then create a rule from Untrust to Trust:

[Screenshot: Screen_2013.02.24__00311__035]

See also http://kb.juniper.net/InfoCenter/index?page=content&id=KB4872&pmv=print

Juniper offers this solution:

SIP Application is not working. From the debugs, the SIP application is using non-standard ports.

By default, the SIP Application Layer Gateway (ALG) on the firewall expects the following standard ports:
pep-> get service SIP
Name:       SIP
Category:   other          ID:  0   Flag:  Pre-defined

Transport    Src port     Dst port   ICMPtype,code  Timeout(min|10sec*) Application
udp           0/65535    5060/5060                         1         SIP
tcp           0/65535    5060/5060                        30         SIP

In the 'debug flow' output that was run during the SIP call attempt, the following was captured.
172.17.8.6/13ce, 13ce represents the port number in HEX, which translates to 5070:

**st: <Private|ethernet2/2.113|Root|71> 399c11c: 0:14.23.242.84/1350->172.17.8.6/13ce,17,384
****** 15099885.0: <Private-MT/ethernet2/2.113> packet received [384]******
  ipid = 0(0000), @0399c11c
  packet passed sanity check.
  flow packet already have session.
  flow session id 522781
  vsd 0 is active
  packet dropped, application error

This response packet for the SIP Invite was dropped with an application error.

Solution:

The solution is to configure the policy to customize the SIP ALG on the Juniper Firewall to recognize the non-standard SIP ports:

set service SIP-5070 protocol udp src-port 1-65535 dst-port 5070-5070
set policy id 200 from Trust to Untrust any any SIP-5070 permit
set policy id 200 application SIP    <----------------

The command "set policy application SIP" along with "set policy from Trust to Untrust any any SIP-5070 permit" effectively allows the firewall to recognize the port 5070 as part of SIP traffic and to handle it accordingly by the ALG.

In the WebUI, on the policy defined for the SIP traffic, click the Application pull-down and select SIP.
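As an added example (not from this post and not Juniper's code), a small Python parser for the two drop traces quoted above, the 'get dbuf str' output from the NS204 and the 'debug flow' excerpt from KB4872: it pairs each "packet dropped, application error" with the flow line before it, decodes the hex ports of the "**st:" format (13ce = 5070), and emits the KB4872-style "set service" line only when the destination port is non-standard, which is what separates the two cases on this page (standard port 5060 and still dropped means the ALG itself is the problem, as with the NS204). The line formats are assumed from the quoted samples only.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two debug excerpts quoted on this page ('get dbuf str'
# on the NS204, and 'debug flow' from KB4872), cut to the lines that matter.
SAMPLE_DEBUG = """\
ethernet1:10.136.172.201/5060->195.222.249.61/5060,17<Root>
  packet dropped, application error
**st: <Private|ethernet2/2.113|Root|71> 399c11c: 0:14.23.242.84/1350->172.17.8.6/13ce,17,384
  packet dropped, application error
"""

SIP_STD_PORT = 5060
IP = r"(\d+\.\d+\.\d+\.\d+)"
# '**st:' session-table line: ports are hex (13ce == 5070, as the KB notes).
ST_RE = re.compile(rf"\*\*st:.*?{IP}/([0-9a-f]+)->{IP}/([0-9a-f]+),(\d+)")
# '<interface>:' first-packet line: ports are decimal (assumed from the sample).
FLOW_RE = re.compile(rf"^\S+:{IP}/(\d+)->{IP}/(\d+),(\d+)")


@dataclass
class AlgDrop:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int  # IP protocol number: 17 = UDP, 6 = TCP

    def service_cmd(self):
        """KB4872-style custom service, or None when the port already is the
        standard SIP port (then a custom service cannot be the fix)."""
        if self.dport == SIP_STD_PORT:
            return None
        proto = "udp" if self.proto == 17 else "tcp"
        return (f"set service SIP-{self.dport} protocol {proto} "
                f"src-port 1-65535 dst-port {self.dport}-{self.dport}")


def find_alg_drops(debug_text):
    """Pair each 'application error' drop with the flow line that precedes it."""
    drops, current = [], None
    for line in debug_text.splitlines():
        if m := ST_RE.search(line):
            current = AlgDrop(m[1], int(m[2], 16), m[3], int(m[4], 16), int(m[5]))
        elif m := FLOW_RE.match(line):
            current = AlgDrop(m[1], int(m[2]), m[3], int(m[4]), int(m[5]))
        elif "packet dropped, application error" in line and current:
            drops.append(current)
            current = None
    return drops
```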