Friday, November 20, 2020

Is this normal SIP traffic?

Hi team,

I have been having an issue that none of my team or even Palo Alto support was able to find a solution for. It is truly a strange behavior that none of us was able to explain, and it is currently affecting one of our big clients.

A Palo Alto firewall in a remote branch has a Cisco VCUBE box. Every time you make a call to the branch number, SIP traffic is passed correctly as per the NAT and security rules, and you can see packet captures and the traffic log showing you everything is perfectly fine and allowed. However, you see discards for Request INVITE and Status 200 messages that can only be seen in the packet capture; yes, show session id will not show any discards for these sessions. There is one thing I noticed that I need your confirmation on, something that is very simple: is it normal for SIP traffic to contain a message body like this, assuming the SIP proxy is A.B.C.D?

SIP Packet : Src: A.B.C.D Dst. X.Y.Z.A

Message Body

Owner/Creator : IPv4 A.B.C.D

Connection Information: IPv4 A.B.C.X << Yes a different IP

Connection Address: A.B.C.X << Yes a different IP

The reason I am asking is that I am seeing Palo Alto showing in the traffic log two sessions being created, as follows:
Session 1: VCUBE > A.B.C.D (The IP in Wireshark)
Session 2: VCUBE > A.B.C.X (The IP in the SIP message body)

This can be seen even though I only made a call from SIP proxy A.B.C.D.

The only thing that I am trying to prove to the client is that the firewall is not the issue, but I am not sure if the SIP configuration being this way might be where we have the issue.

Thank you in advance for all your help.
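
Added example, not part of the original post: in SDP the `o=` line names the session originator and the `c=` line names the address where media is to be sent, and the two are allowed to differ. The Python sketch below parses a constructed INVITE and lists media endpoints that are not the signaling source, the pattern shown in the message body above; the sample addresses, ports and function names are assumptions.

```python
import ipaddress

# Constructed SIP INVITE. Documentation-range addresses stand in for the
# post's placeholders: 192.0.2.10 for A.B.C.D, 192.0.2.20 for A.B.C.X.
SAMPLE_INVITE = (
    "INVITE sip:5551000@198.51.100.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=proxy 1234 1 IN IP4 192.0.2.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

def parse_sdp(sip_message):
    """Return (origin address, [media dicts]) from the SDP body of a SIP message."""
    _, _, body = sip_message.partition("\r\n\r\n")
    origin, session_conn, media = None, None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        fields = value.split()
        if kind == "o" and len(fields) == 6:
            origin = fields[5]                      # o=<user> <id> <ver> IN IP4 <addr>
        elif kind == "c" and len(fields) == 3:
            addr = fields[2].split("/")[0]          # drop multicast TTL suffix
            if media:
                media[-1]["addr"] = addr            # media-level c= overrides session-level
            else:
                session_conn = addr
        elif kind == "m" and len(fields) >= 2:
            port = int(fields[1].split("/")[0])     # m=<media> <port>[/<count>] ...
            media.append({"media": fields[0], "port": port, "addr": session_conn})
    return origin, media

def same_host(a, b):
    """Compare two addresses; fall back to string compare for hostnames."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()

def media_off_signaling_host(packet_src, sip_message):
    """List (addr, port) media endpoints that are not the signaling source IP."""
    _, media = parse_sdp(sip_message)
    return [(m["addr"], m["port"]) for m in media
            if m["addr"] and not same_host(m["addr"], packet_src)]
```

Run against the signaling source address taken from the capture, a non-empty result means the body advertises media on a host other than the one that sent the SIP packet.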


