Tuesday, December 19, 2017

SIP. Why are you the way you are?

OK, it's a long shot posting this here, but I'll take what I can get at this point.

We're setting up a Cisco VCSe deployment that's running through a Palo Alto firewall.

There are two DMZ zones involved, and the basic flow is:

VCS (inside) > (VCSe (inside-DMZ) <-> VCSe (outside-DMZ)) > outside

The VCSe (inside-DMZ) and VCSe (outside-DMZ) interfaces live on the same host, so there are no traffic rules or inspection happening there, but the IPs live on different VLANs in different security zones.

There's a NAT for the outside public IP mapped to the VCSe (outside-DMZ) private IP, it's bidirectional.

There's an application override for SIP traffic to and from the VCSe (outside-DMZ) IP that stops layer 7 inspection on SIP.

The security rules have been totally bypassed for testing for some trusted public IPs. The firewall is basically a router at this point.

STILL! SIP calls fail. TCP handshake failure. Client hello goes out, server hello comes in, and then there's a bunch of retransmissions like the server hello didn't get acknowledged.

We're seeing what Palo Alto support is calling asynchronous traffic issues. VCS team says it's the firewall, firewall support says it's async routing somewhere. ISP says they don't mess with SIP. Would it matter if traffic was coming in on one ISP link and exiting another? I don't know that's happening, but it's been speculated that it could be.

I'm not sure what I think just yet. Anyone set one of these up with Palo Altos? Run into any bizarre trouble? Any thoughts?

I know there's probably not enough info to go off of, if you have any questions or suggestions, I'll be happy to respond and discuss.

Thanks for reading!
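Editor's note, added example (not part of the original post, and not Cisco or Palo Alto code): the symptom above, a server hello that keeps being retransmitted as if its ACK never arrived, is exactly what a capture shows when the ACK is being dropped by a stateful device that lacks session state for the flow, or is leaving by a path the capture point does not see. The script below runs that check over constructed packet records (documentation-range addresses, a SIP/TLS session on tcp/5061, the 4-tuple and relative sequence numbers you would read off a tcpdump or tshark summary). It groups packets into flows, counts retransmitted data segments per sender, and reports whether the peer's ACK for each retransmitted segment ever appeared at the capture point. Nothing in it is specific to a particular firewall; the field names and the `Pkt` record are assumptions made for the example.

```python
"""Flag the 'data retransmitted, ACK never seen' pattern in a TCP capture summary.

Added example with constructed packet records, not data from the original post.
Run the same logic over a capture taken on each firewall interface to localise
where the ACK disappears.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters as tcpdump prints them: S, SA, A, PA
    seq: int     # relative sequence number
    ack: int     # relative acknowledgement number (0 when the ACK flag is absent)
    plen: int    # TCP payload length


VERDICT_OK = "ok"
VERDICT_ONE_WAY = "one-way: only one side seen, the return path bypasses this capture point"
VERDICT_ASYM = ("retransmitted data never ACKed here: the ACK is dropped at or before "
                "this point, or is leaving via another path (asymmetric routing)")
VERDICT_UPSTREAM = "ACK seen here but the peer kept retransmitting: ACK lost beyond this capture point"


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a conversation group together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    a, b = (a, b) if a <= b else (b, a)
    return f"{a[0]}:{a[1]}<->{b[0]}:{b[1]}"


def analyse_flow(pkts):
    """Count retransmitted data segments and check whether the peer ever ACKed them."""
    pkts = sorted(pkts, key=lambda q: q.ts)
    sides = {(p.src, p.sport) for p in pkts} | {(p.dst, p.dport) for p in pkts}
    sent = defaultdict(int)        # side -> packets sent by that side
    max_ack = defaultdict(int)     # side -> highest ACK number that side sent
    data_seen = defaultdict(int)   # (side, seq, plen) -> times this data segment was observed
    for p in pkts:
        side = (p.src, p.sport)
        sent[side] += 1
        if "A" in p.flags:
            max_ack[side] = max(max_ack[side], p.ack)
        if p.plen > 0:
            data_seen[(side, p.seq, p.plen)] += 1

    findings = []
    for (side, seq, plen), n in data_seen.items():
        if n < 2:
            continue  # seen once: not a retransmission
        peer = next(s for s in sides if s != side)
        findings.append({
            "sender": f"{side[0]}:{side[1]}", "seq": seq, "len": plen,
            "retransmits": n - 1,
            # The peer's cumulative ACK must cover the end of this segment.
            "acked_in_capture": max_ack[peer] >= seq + plen,
        })

    if any(sent[s] == 0 for s in sides):
        verdict = VERDICT_ONE_WAY
    elif any(not f["acked_in_capture"] for f in findings):
        verdict = VERDICT_ASYM
    elif findings:
        verdict = VERDICT_UPSTREAM
    else:
        verdict = VERDICT_OK
    return {"findings": findings, "verdict": verdict}


def analyse(pkts):
    """Group packets into flows and analyse each one."""
    flows = defaultdict(list)
    for p in pkts:
        flows[flow_key(p)].append(p)
    return {k: analyse_flow(v) for k, v in flows.items()}


# Constructed sample, as if captured on the firewall's outside interface.
VCSE, PEER_A, PEER_B = "198.51.100.20", "203.0.113.5", "203.0.113.6"
SAMPLE = [
    # Broken call: TCP handshake completes, client hello goes out, server hello
    # arrives, but no ACK for it ever appears here, so the far end retransmits it.
    Pkt(0.000, VCSE, 43001, PEER_A, 5061, "S",  0, 0,   0),
    Pkt(0.020, PEER_A, 5061, VCSE, 43001, "SA", 0, 1,   0),
    Pkt(0.021, VCSE, 43001, PEER_A, 5061, "A",  1, 1,   0),
    Pkt(0.022, VCSE, 43001, PEER_A, 5061, "PA", 1, 1,   180),   # TLS client hello
    Pkt(0.045, PEER_A, 5061, VCSE, 43001, "PA", 1, 181, 1200),  # TLS server hello
    Pkt(0.300, PEER_A, 5061, VCSE, 43001, "PA", 1, 181, 1200),  # retransmit
    Pkt(0.800, PEER_A, 5061, VCSE, 43001, "PA", 1, 181, 1200),  # retransmit
    Pkt(1.800, PEER_A, 5061, VCSE, 43001, "PA", 1, 181, 1200),  # retransmit
    # Healthy call for contrast: the ACK for the server hello is visible.
    Pkt(2.000, VCSE, 43002, PEER_B, 5061, "S",  0, 0,   0),
    Pkt(2.020, PEER_B, 5061, VCSE, 43002, "SA", 0, 1,   0),
    Pkt(2.021, VCSE, 43002, PEER_B, 5061, "A",  1, 1,   0),
    Pkt(2.022, VCSE, 43002, PEER_B, 5061, "PA", 1, 1,   180),
    Pkt(2.045, PEER_B, 5061, VCSE, 43002, "PA", 1, 181, 1200),
    Pkt(2.046, VCSE, 43002, PEER_B, 5061, "A",  181, 1201, 0),
    Pkt(2.050, VCSE, 43002, PEER_B, 5061, "PA", 181, 1201, 90),  # client key exchange
]

if __name__ == "__main__":
    for flow, result in analyse(SAMPLE).items():
        print(flow, "->", result["verdict"])
        for f in result["findings"]:
            print("   ", f)
```

The verdict only says what was visible at the capture point, which is the useful part: take one capture on the firewall's inside-facing interface and one on the outside-facing interface for the same failing call. If the VCSe's ACK for the server hello shows up inside but not outside, the firewall is discarding it; if it is absent on both, the VCSe never sent it on that path; if it is present on both and the far end still retransmits, the loss is upstream, which is where the two-ISP-links theory would come in.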
