Friday, July 27, 2018

Close to ripping out a Palo Alto 220 and putting the old ASA 5505 back

This is a small remote office but their SIP phones have been down for over a week now after replacing the ASA with the Palo Alto.

I've spent hours on the phone with Palo Alto, Cisco TAC, and the provider but no solution. I'm pretty close to throwing in the towel at this point.

I'm pretty sure the problem is with Palo Alto's shitty SIP ALG. Our Cisco CME is behind the Palo with the Palo doing the NATting.

I've tried all the usual, like doing an application override, bi-directional NAT, ALG off and on, etc., and nothing works.

Where we are at the moment:

With ALG disabled:

  • Outbound calls working fine
  • Inbound calls fail, as the SIP PRACK packet the provider sends is being sent to the Call Manager's internal/pre-NAT address, so the packets never reach our firewall interface

With ALG enabled:

  • Outbound calls fail
  • Inbound calls fail; this time the SIP PRACK packets are hitting the Palo Alto, but for some reason the Palo is dropping them.

Anyone come across something similar before?
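As an added illustration, not part of this post: with the ALG off, nothing rewrites the private address the CME puts in its Via/Contact headers and SDP, so the provider addresses its replies (the PRACK above) to the pre-NAT address. The check below scans a SIP message for RFC 1918 addresses in the headers the far end routes on; the INVITE, the 10.20.30.40 address and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample INVITE, as a call manager behind NAT would send it
# when nothing rewrites it. 10.20.30.40 is a made-up private address.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15551234567@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK-1",
    "From: <sip:1001@10.20.30.40>;tag=abc",
    "To: <sip:+15551234567@sip.example.net>",
    "Call-ID: 1234@10.20.30.40",
    "Contact: <sip:1001@10.20.30.40:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 10.20.30.40",
    "c=IN IP4 10.20.30.40",
    "m=audio 16384 RTP/AVP 0",
])

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers the far end uses to route responses and in-dialog requests
# (e.g. PRACK); a private address here is unreachable from outside.
ROUTING_HEADERS = ("via", "contact", "record-route", "route")


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # regex can match e.g. 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)


def private_addrs_in(sip_text):
    """Return (location, ip) pairs for every RFC 1918 address found in a
    routing header or in the SDP connection (c=) line."""
    findings = []
    head, _, body = sip_text.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ROUTING_HEADERS:
            findings += [(name.strip(), ip)
                         for ip in IPV4.findall(value) if is_rfc1918(ip)]
    for line in body.split("\r\n"):
        if line.startswith("c="):
            findings += [("SDP c=", ip)
                         for ip in IPV4.findall(line) if is_rfc1918(ip)]
    return findings


def needs_nat_fixup(sip_text):
    """True when the message leaks a pre-NAT address the far end would use."""
    return bool(private_addrs_in(sip_text))
```

Run it against a packet capture of the outbound INVITE taken on the outside interface: if it still flags anything, the ALG (or an application override) is not rewriting the signalling.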
