Solved

Netscreen Site-to-Site VPNs can't pass RTP traffic using Asterisk

Posted on 2009-07-07
Last Modified: 2013-11-12
I have been banging my head against a wall here now for hours; I should have posted here sooner. This problem is wide-spread across all of our site-to-site VPNs, but for the sake of simplifying the issue I will just speak of one segment of the VPN that experiences the problem. Once diagnosed, I can apply the fix across all devices.

The issue:
SIP audio (RTP traffic) will not pass from phone to phone over a site-to-site VPN using Netscreen firewalls. RTP traffic WILL pass outside of the VPN, and phone to phone system inside the VPN. The problem is specifically with two phones connected over a site-to-site VPN.

Here is the kicker / symptom: if I call from one of my two test phones to the other, no audio passes (hence this problem), but as soon as I go and edit the VPN policy on Site B, make no changes and simply hit "Apply", audio starts working between the two phones!! I can rinse and repeat this exercise, and every time, just editing the VPN policy and hitting Apply makes the audio start working for the call in progress.

- RTP is UDP ports 30000 to 32000 in asterisk
- SIP is the standard 5060
- Netscreen SIP ALG is disabled

Topology:

Site A:
Netscreen-25 in transparent mode
Asterisk server with a public IP address passing through Netscreen-25

-- Policy-based site-to-site VPN between A and B --

Site B:
Netscreen-5
2 x Polycom IP-501 SIP phones each with different extensions.


Site A:
 
set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "PCAnywhere" protocol tcp src-port 1-65535 dst-port 5631-5632 
set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 
set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389 
set service "SSL E-Mail" protocol tcp src-port 1-65535 dst-port 993-993 
set service "SSL E-Mail" + tcp src-port 1-65535 dst-port 995-995 
set service "SSL E-Mail" + tcp src-port 1-65535 dst-port 465-465 
set service "SiteStudio" protocol tcp src-port 1-65535 dst-port 8080-8080 
set service "SiteStudio" + tcp src-port 1-65535 dst-port 8443-8443 
set service "Citrix-ICA" protocol tcp src-port 1-65535 dst-port 2598-2598 
set service "Citrix-ICA" + udp src-port 0-65535 dst-port 1604-1604 
set service "Belkin KVM" protocol tcp src-port 1-65535 dst-port 900-902 
set service "mySQL" protocol tcp src-port 1-65535 dst-port 3306-3306 
set service "IRCd" protocol tcp src-port 0-65535 dst-port 194-194 
set service "IRCd" + tcp src-port 0-65535 dst-port 6660-7000 
set service "IRCd" + tcp src-port 0-65535 dst-port 5555-5555 
set service "IRCd" + tcp src-port 0-65535 dst-port 8067-8067 
set service "IRCd" + tcp src-port 0-65535 dst-port 8001-8001 
set service "IRCd" + tcp src-port 0-65535 dst-port 51234-51234 
set service "TeamSpeak" protocol udp src-port 0-65535 dst-port 8760-8769 
set service "Shoutcast" protocol tcp src-port 0-65535 dst-port 8000-8000 
set service "Asterisk VoIP" protocol udp src-port 0-65535 dst-port 5060-5060 
set service "Asterisk VoIP" + udp src-port 0-65535 dst-port 4569-4569 
set service "Asterisk VoIP" + udp src-port 0-65535 dst-port 30000-32000 
set service "Asterisk VoIP" + tcp src-port 0-65535 dst-port 5060-5060 
set service "Asterisk VoIP" + udp src-port 0-65535 dst-port 4500-4999 
set service "Asterisk VoIP" + udp src-port 30000-32000 dst-port 0-65535 
unset alg mgcp enable
set alg sip app-screen unknown-message route permit
set alg sip app-screen unknown-message nat permit
unset alg sip enable
unset alg sunrpc enable
unset alg msrpc enable
unset alg sql enable
unset alg rtsp enable
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Local" timeout 120
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp 
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin auth timeout 999
set admin auth server "Local"
set admin auth banner telnet login "Private access - Keep out! (Canton, GA)"
set admin auth banner console login "Private access - Keep out! (Canton, GA)"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
unset zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen icmp-flood
set zone "V1-Untrust" screen udp-flood
set zone "V1-Untrust" screen winnuke
set zone "V1-Untrust" screen port-scan
set zone "V1-Untrust" screen ip-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "V1-Untrust" screen syn-frag
set zone "V1-Untrust" screen tcp-no-flag
set zone "V1-Untrust" screen unknown-protocol
set zone "V1-Untrust" screen ip-bad-option
set zone "V1-Untrust" screen ip-record-route
set zone "V1-Untrust" screen ip-timestamp-opt
set zone "V1-Untrust" screen ip-security-opt
set zone "V1-Untrust" screen ip-loose-src-route
set zone "V1-Untrust" screen ip-strict-src-route
set zone "V1-Untrust" screen ip-stream-opt
set zone "V1-Untrust" screen icmp-fragment
set zone "V1-Untrust" screen icmp-large
set zone "V1-Untrust" screen syn-fin
set zone "V1-Untrust" screen mal-url code-red
set zone "V1-Untrust" screen limit-session source-ip-based
set zone "V1-Untrust" screen syn-ack-ack-proxy
set zone "V1-Untrust" screen icmp-id
set zone "Untrust" screen ip-sweep threshold 30000
set zone "V1-Untrust" screen ip-sweep threshold 30000
set zone "Untrust" screen limit-session source-ip-based 100
set zone "V1-Untrust" screen limit-session source-ip-based 100
set zone "Untrust" screen limit-session destination-ip-based 100
set zone "V1-Untrust" screen limit-session destination-ip-based 100
set zone "Untrust" screen syn-ack-ack threshold 100
set zone "V1-Untrust" screen syn-ack-ack threshold 100
set zone "V1-Untrust" screen syn-flood drop-unknown-mac
set interface "ethernet1" zone "V1-Trust"
set interface "ethernet2" zone "V1-DMZ"
set interface "ethernet3" zone "V1-Untrust"
set interface "ethernet4" zone "V1-Untrust"
set interface vlan1 ip X.X.X.2/24
set interface vlan1 route
set interface ethernet1 bandwidth egress mbw 10000 ingress mbw 10000
set interface ethernet3 bandwidth egress mbw 10000 ingress mbw 10000
set interface ethernet4 bandwidth egress mbw 10000 ingress mbw 10000
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
unset interface vlan1 manage telnet
unset interface vlan1 manage ssl
set interface vlan1 manage mtrace
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage web
set interface "vlan1" webauth 
set interface "vlan1" webauth-ip X.X.X.4
set zone "V1-Trust" webauth
set zone "V1-Untrust" webauth
unset flow tcp-syn-check
set flow aging low-watermark 70
set flow aging high-watermark 80
set domain AcmeComphosting.net
set hostname firewall1-ga
set webauth banner success "WebAuth Success - don't mess anything up!!!"
set pki authority default cert-status revocation-check none
set pki authority default cert-status ocsp cert-verify hash "0Exxxxxxxxxxxxxx"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 12.127.17.71
set dns host dns2 166.102.165.13
set dns host schedule 00:00
set address Trust "PCICCONE-GA-LAN" 10.1.1.0 255.255.255.0
set address Untrust "AcmeComp-TX-LAN" x.x.x.0 255.255.255.0
set address Untrust "DCPC-GA-LAN" 192.168.5.0 255.255.255.0
set address Untrust "Acme-GA-LAN" 192.168.0.0 255.255.255.0
set address Untrust "Acme-NJ-LAN" 192.168.1.0 255.255.255.0
set address V1-Trust "Cassie" X.X.X.48 255.255.255.255
set address V1-Trust "Cody" X.X.X.37 255.255.255.255
set address V1-Trust "AcmeComp-Gold-GA-LAN" X.X.X.0 255.255.255.0
set address V1-Trust "AcmeComp-Silver-GA-LAN" X.X.X.184 255.255.255.248
set address V1-Trust "DCI-Asterisk" X.X.X.52 255.255.255.255
set address V1-Trust "DCPC - Area" X.X.X.49 255.255.255.255
set address V1-Trust "DCPC - Citrix" X.X.X.50 255.255.255.255
set address V1-Trust "DRAC1" X.X.X.21 255.255.255.255
set address V1-Trust "Acme - VOIP2" X.X.X.51 255.255.255.255
set address V1-Trust "KVM1" X.X.X.3 255.255.255.255
set address V1-Trust "Leah" X.X.X.24 255.255.255.255
set address V1-Trust "Leah - CP" X.X.X.22 255.255.255.255
set address V1-Trust "Leah - NS" X.X.X.23 255.255.255.255
set address V1-Trust "Mia" X.X.X.25 255.255.255.255
set address V1-Trust "Mia - NS2" X.X.X.26 255.255.255.255
set address V1-Trust "temere2" X.X.X.186 255.255.255.255
set address V1-Trust "temere2-Linux" X.X.X.187 255.255.255.255
set address V1-Trust "VMWare1" X.X.X.20 255.255.255.255
set address V1-Untrust "CB-GA-LAN" 10.11.0.0 255.255.255.0
set address V1-Untrust "Acme-NJ-LAN" 192.168.1.0 255.255.255.0
set address V1-Untrust "PCICCONE-GA-LAN" 10.1.1.0 255.255.255.0
set address V1-Untrust "ScottM-AZ-LAN" 192.168.3.0 255.255.255.0
set user "fsmith" uid 2
set user "fsmith" type  auth
set user "fsmith" hash-password "="
set user "fsmith" "enable"
set user "pciccone" uid 1
set user "pciccone" ike-id fqdn "pciccone" share-limit 1
set user "pciccone" type  auth ike
set user "pciccone" password "=="
set user "pciccone" "enable"
set user-group "VPN Access" id 1
set user-group "VPN Access" user "pciccone"
set ike gateway "pciccone-GA-GW" address 0.0.0.0 id "pciccone.dyndns.org" Aggr local-id "pciccone.dyndns.org" outgoing-zone "V1-Untrust" preshare "==" sec-level standard
unset ike gateway "pciccone-GA-GW" nat-traversal
set ike gateway "Dialup VPN" dialup "VPN Access" Aggr outgoing-zone "V1-Untrust" preshare "==" sec-level standard
set ike gateway "Dialup VPN" nat-traversal udp-checksum
set ike gateway "Dialup VPN" nat-traversal keepalive-frequency 5
set ike gateway "CB-VPN-GW" address home.custombytes.biz Main outgoing-zone "V1-Untrust" preshare "==" proposal "pre-g2-aes128-sha"
set ike gateway "Acme-NJ-GW" address vpn.Acme-industries.com Main outgoing-zone "V1-Untrust" preshare "==" sec-level standard
set ike gateway "ScottM-AZ-GW" address scottmoore.dyndns.org Main outgoing-zone "V1-Untrust" preshare "==" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "pciccone-GA-VPN" gateway "pciccone-GA-GW" replay tunnel idletime 0 sec-level standard
set vpn "pciccone-GA-VPN" monitor optimized rekey
set vpn "Dialup VPN" gateway "Dialup VPN" replay tunnel idletime 0 sec-level standard
set vpn "CB-GA-VPN" gateway "CB-VPN-GW" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "Acme-NJ-VPN" gateway "Acme-NJ-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "Acme-NJ-VPN" monitor
set vpn "ScottM-AZ-VPN" gateway "ScottM-AZ-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 
set attack db server "https://services.netscreen.com/restricted/sigupdates/server"
set attack db schedule daily 00:00
set url fail-mode permit
set url protocol sc-cpa
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 36 from "V1-Untrust" to "V1-Trust"  "ScottM-AZ-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "ScottM-AZ-VPN" id 16 pair-policy 37 
set policy id 36
exit
set policy id 34 from "V1-Untrust" to "V1-Trust"  "Acme-NJ-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 14 pair-policy 33 
set policy id 34
exit
set policy id 37 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "ScottM-AZ-LAN" "ANY" tunnel vpn "ScottM-AZ-VPN" id 16 pair-policy 36 
set policy id 37
exit
set policy id 33 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "Acme-NJ-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 14 pair-policy 34 
set policy id 33
exit
set policy id 23 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "CB-GA-LAN" "ANY" tunnel vpn "CB-GA-VPN" id 9 pair-policy 24 
set policy id 23 disable
set policy id 23
exit
set policy id 24 from "V1-Untrust" to "V1-Trust"  "CB-GA-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "CB-GA-VPN" id 9 pair-policy 23 
set policy id 24 disable
set policy id 24
exit
set policy id 3 from "V1-Untrust" to "V1-Trust"  "PCICCONE-GA-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "pciccone-GA-VPN" id 1 pair-policy 2 
set policy id 3
exit
set policy id 14 from "V1-Untrust" to "V1-Trust"  "Dial-Up VPN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "Dialup VPN" id 3 pair-policy 13 
set policy id 14
exit
set policy id 2 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "PCICCONE-GA-LAN" "ANY" tunnel vpn "pciccone-GA-VPN" id 1 pair-policy 3 
set policy id 2
exit
set policy id 13 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "Dial-Up VPN" "ANY" tunnel vpn "Dialup VPN" id 3 pair-policy 14 
set policy id 13
exit
set policy id 1 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "Any" "ANY" permit 
set policy id 1
set src-address "AcmeComp-Silver-GA-LAN"
exit
set policy id 22 from "V1-Untrust" to "V1-Trust"  "Any" "AcmeComp-Gold-GA-LAN" "HTTP" permit 
set policy id 22
set dst-address "AcmeComp-Silver-GA-LAN"
set service "HTTPS"
exit
set policy id 5 from "V1-Untrust" to "V1-Trust"  "Any" "Leah" "IMAP" permit 
set policy id 5
set service "POP3"
set service "SiteStudio"
set service "SMTP"
set service "SSL E-Mail"
exit
set policy id 6 from "V1-Untrust" to "V1-Trust"  "Any" "Leah - NS" "DNS" permit 
set policy id 6
exit
set policy id 7 from "V1-Untrust" to "V1-Trust"  "Any" "Mia" "FTP" permit 
set policy id 7
set service "mySQL"
exit
set policy id 8 from "V1-Untrust" to "V1-Trust"  "Any" "Mia - NS2" "DNS" permit 
set policy id 8
exit
set policy id 9 from "V1-Untrust" to "V1-Trust"  "Any" "Cody" "FTP" permit 
set policy id 9
set service "MS-SQL"
exit
set policy id 35 from "V1-Untrust" to "V1-Trust"  "Any" "Acme - VOIP2" "Asterisk VoIP" permit log 
set policy id 35 application "SIP"
set policy id 35
exit
set policy id 27 from "V1-Untrust" to "V1-Trust"  "Any" "Acme - VOIP2" "FTP" permit 
set policy id 27 application "FTP"
set policy id 27
exit
set policy id 17 from "V1-Untrust" to "V1-Trust"  "Any" "DCPC - Area" "Citrix-ICA" permit 
set policy id 17
set dst-address "DCPC - Citrix"
exit
set policy id 32 from "V1-Untrust" to "V1-Trust"  "Any" "temere2-Linux" "FTP" permit 
set policy id 32
set service "HTTP"
set service "HTTPS"
set service "IRCd"
set service "mySQL"
set service "PING"
set service "Shoutcast"
set service "SSH"
set service "TeamSpeak"
exit
set policy id 12 from "V1-Untrust" to "V1-Trust"  "Any" "AcmeComp-Gold-GA-LAN" "ANY" permit webauth log 
set policy id 12
set dst-address "AcmeComp-Silver-GA-LAN"
set log session-init
exit
set policy id 19 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" deny log 
set policy id 19
exit
unset log module system level information destination internal
unset log module system level debugging destination internal
unset log module system level emergency destination email
unset log module system level alert destination email
unset log module system level critical destination email
unset log module system level notification destination email
unset log module system level emergency destination snmp
unset log module system level alert destination snmp
unset log module system level critical destination snmp
unset log module system level emergency destination syslog
unset log module system level alert destination syslog
unset log module system level critical destination syslog
unset log module system level error destination syslog
unset log module system level warning destination syslog
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
unset log module system level emergency destination webtrends
unset log module system level alert destination webtrends
unset log module system level critical destination webtrends
unset log module system level notification destination webtrends
unset log module system level emergency destination NSM
unset log module system level alert destination NSM
unset log module system level critical destination NSM
unset log module system level error destination NSM
unset log module system level warning destination NSM
unset log module system level notification destination NSM
unset log module system level information destination NSM
unset log module system level debugging destination NSM
unset log module system level emergency destination pcmcia
unset log module system level alert destination pcmcia
unset log module system level critical destination pcmcia
unset log module system level error destination pcmcia
unset log module system level warning destination pcmcia
unset log module system level notification destination pcmcia
unset log module system level information destination pcmcia
unset log module system level debugging destination pcmcia
set nsmgmt bulkcli reboot-timeout 60
set ssh version v1
set ssh enable
set config lock timeout 5
set ntp server "192.5.41.41"
set ntp server src-interface "ethernet3"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 300
set snmp community "public" Read-Only Trap-on  version any
set snmp host "public" X.X.X.0 255.255.255.0 src-interface vlan1 
set snmp location "Atlanta, GA"
set snmp contact "Systems Administrator"
set snmp name "firewall1-ga"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface vlan1 gateway X.X.X.1 preference 20 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
 
-----------------------------------------------------------------------------------------
 
Site B:
 
set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "PCAnywhere" protocol tcp src-port 1-65535 dst-port 5631-5632 
set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 
set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 
set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 
set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 
set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 
set service "IP Cameras" protocol tcp src-port 1-65535 dst-port 8000-8010 
set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389 
set service "LocationFree" protocol tcp src-port 1-65535 dst-port 5021-5021 
set service "SageTV" protocol tcp src-port 1-65535 dst-port 31099-31099 
set service "Asterisk RTP" protocol udp src-port 1-65535 dst-port 30000-32000 
set service "T-Mobile @Home" protocol udp src-port 1-65535 dst-port 500-500 
set service "T-Mobile @Home" + udp src-port 1-65535 dst-port 4500-4500 
set service "Mi Casa Verde" protocol tcp src-port 1-65535 dst-port 8080-8080 
set service "Air Media" protocol tcp src-port 1-65535 dst-port 45631-45631 
set service "Air Media" + udp src-port 1-65535 dst-port 45631-45631 
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Local" timeout 60
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp 
set auth default auth server "Local"
set auth banner telnet login "Private access - Keep out! (Canton, GA)"
set auth banner ftp login "220 Private access - Keep out! (Canton, GA)"
set auth banner http login "Private access - Keep out! (Canton, GA)"
set admin name "netscreen"
set admin password "xxxx"
set admin auth timeout 999
set admin auth server "Local"
set admin auth banner telnet login "Private access - Keep out! (Canton, GA)"
set admin auth banner console login "Private access - Keep out! (Canton, GA)"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
set zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
unset zone "V1-Untrust" screen tear-drop
unset zone "V1-Untrust" screen syn-flood
unset zone "V1-Untrust" screen ping-death
unset zone "V1-Untrust" screen ip-filter-src
unset zone "V1-Untrust" screen land
set zone "Untrust" screen ip-sweep threshold 30000
set zone "V1-Untrust" screen ip-sweep threshold 30000
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.1.1.1/24
set interface trust nat
set interface untrust ip x.x.x.x/21
set interface untrust route
set interface trust bandwidth 10000
set interface untrust bandwidth 6000
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 8000 "HTTP" 10.1.1.110
set interface untrust vip untrust 8001 "HTTP" 10.1.1.111
set interface untrust vip untrust 31099 "SageTV" 10.1.1.99
set interface untrust vip untrust 8002 "HTTP" 10.1.1.112
set interface untrust vip untrust 3389 "RDP" 10.1.1.99
set interface untrust vip untrust 5021 "LocationFree" 10.1.1.100
set interface untrust vip untrust 8080 "HTTP" 10.1.1.97
set interface untrust vip untrust 45631 "Air Media" 10.1.1.99
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server option lease 1440 
set interface trust dhcp server option gateway 10.1.1.1 
set interface trust dhcp server option netmask 255.255.255.0 
set interface trust dhcp server option domainname hsd1.ga.comcast.net. 
set interface trust dhcp server option dns1 68.87.68.166 
set interface trust dhcp server option dns2 68.87.74.166 
set interface trust dhcp server ip 10.1.1.10 to 10.1.1.90 
set interface untrust dhcp-client enable
set flow tcp-mss 1392
set dns host schedule 00:00
set address "Trust" "PCICCONE-GA-LAN" 10.1.1.0 255.255.255.0
set address "Untrust" "CyberWEB-GA-LAN" x.x.x.0 255.255.255.0
set address "Untrust" "CyberWEB-TX-LAN" x.x.x.0 255.255.255.0
set address "Untrust" "DCPC-GA-LAN" 192.168.5.0 255.255.255.0
set address "Untrust" "Acme-GA-LAN" 192.168.0.0 255.255.255.0
set address "Untrust" "Acme-GA2-LAN" 192.168.6.0 255.255.255.0
set address "Untrust" "Acme-NJ-LAN" 192.168.1.0 255.255.255.0
set ike gateway "Acme-NJ-GW" address vpn.Acme-industries.com Main outgoing-interface "untrust" preshare "=" sec-level standard
set ike gateway "DCPC-GA-GW" address vpn.dcpc.biz Aggr local-id "pciccone.dyndns.org" outgoing-interface "untrust" preshare "=" sec-level standard
set ike gateway "Acme-GA-GW" address firewall1-ga.Acme-industries.com Aggr local-id "pciccone.dyndns.org" outgoing-interface "untrust" preshare "==" sec-level standard
set ike gateway "CyberWEB-GA-VPN" address x.x.x.2 Aggr local-id "pciccone.dyndns.org" outgoing-interface "untrust" preshare "=" sec-level standard
set ike respond-bad-spi 1
set vpn "Acme-NJ-VPN" gateway "Acme-NJ-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "DCPC-GA-VPN" gateway "DCPC-GA-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "Acme-GA-VPN" gateway "Acme-GA-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "CyberWEB-GA-VPN" gateway "CyberWEB-GA-VPN" no-replay tunnel idletime 0 sec-level standard
set arp x.x.x.x 00018194c002 "untrust"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 26 from "Untrust" to "Trust"  "CyberWEB-GA-LAN" "PCICCONE-GA-LAN" "ANY" nat src tunnel vpn "CyberWEB-GA-VPN" id 38 pair-policy 25 
set policy id 25 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "CyberWEB-GA-LAN" "ANY" tunnel vpn "CyberWEB-GA-VPN" id 38 pair-policy 26 
set policy id 8 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "Acme-GA-LAN" "ANY" tunnel vpn "Acme-GA-VPN" id 19 
set policy id 5 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "Acme-NJ-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 20 
set policy id 20 from "Trust" to "Untrust"  "Any" "Any" "SIP" permit traffic gbw 0 priority 0 
set policy id 20 application "SIP"
set policy id 21 from "Trust" to "Untrust"  "Any" "Any" "Asterisk RTP" permit traffic gbw 0 priority 0 
set policy id 22 from "Trust" to "Untrust"  "Any" "Any" "T-Mobile @Home" permit traffic gbw 0 priority 0 
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit traffic gbw 0 priority 6 
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP::1" "IP Cameras" permit 
set policy id 12 from "Untrust" to "Trust"  "Any" "VIP::1" "LocationFree" permit 
set policy id 13 from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" permit 
set policy id 14 from "Untrust" to "Trust"  "Any" "VIP::1" "SageTV" permit 
set policy id 24 from "Untrust" to "Trust"  "Any" "VIP::1" "Air Media" permit 
set policy id 23 from "Untrust" to "Trust"  "Any" "VIP::1" "Mi Casa Verde" permit 
set pppoe name "untrust"
set pppoe name "untrust" username "xxx@windstream.net" password "=="
set pppoe name "untrust" idle 0
unset pppoe name "untrust" update-dhcpserver
set pppoe name "untrust" auto-connect 1
set ssh version v2
set ssh enable
set config lock timeout 5
set url fail-mode permit
set ntp server "192.5.41.41"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 300
set snmp community "public" Read-Only Trap-on  version any
set snmp host "public" x.x.x.0 255.255.255.0 
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit

Question by:philciccone
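Added example, not part of the original question: ScreenOS evaluates policies top-down within a zone pair and takes the first match, so the first thing to check with a problem like this is every policy that could catch the RTP flow, in lookup order, and whether each one is a tunnel policy or a plain permit. The parser below reads the Site B service objects and policies exactly as they appear in the dump above (the assumption being that `get config` lists `set policy` lines in lookup order) and returns the candidates for a given zone pair, protocol and destination port. "ANY" and "SIP" are ScreenOS predefined services, so their port definitions here are assumptions rather than lines from the dump. Address objects are deliberately not evaluated, because the addresses in the post are masked; compare source and destination against `get policy id <n>` on the box by hand.

```python
import re

# Excerpt of the Site B dump posted above: the custom service objects and the
# policies in the order they appear. "ANY" and "SIP" are ScreenOS predefined
# services; the port definitions in PREDEFINED are assumptions, not from the dump.
SITE_B_CONFIG = """
set service "Asterisk RTP" protocol udp src-port 1-65535 dst-port 30000-32000
set service "T-Mobile @Home" protocol udp src-port 1-65535 dst-port 500-500
set service "T-Mobile @Home" + udp src-port 1-65535 dst-port 4500-4500
set policy id 26 from "Untrust" to "Trust"  "CyberWEB-GA-LAN" "PCICCONE-GA-LAN" "ANY" nat src tunnel vpn "CyberWEB-GA-VPN" id 38 pair-policy 25
set policy id 25 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "CyberWEB-GA-LAN" "ANY" tunnel vpn "CyberWEB-GA-VPN" id 38 pair-policy 26
set policy id 8 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "Acme-GA-LAN" "ANY" tunnel vpn "Acme-GA-VPN" id 19
set policy id 5 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "Acme-NJ-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 20
set policy id 20 from "Trust" to "Untrust"  "Any" "Any" "SIP" permit traffic gbw 0 priority 0
set policy id 20 application "SIP"
set policy id 21 from "Trust" to "Untrust"  "Any" "Any" "Asterisk RTP" permit traffic gbw 0 priority 0
set policy id 22 from "Trust" to "Untrust"  "Any" "Any" "T-Mobile @Home" permit traffic gbw 0 priority 0
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit traffic gbw 0 priority 6
"""

# (proto, low dst port, high dst port); "any" matches every protocol.
PREDEFINED = {
    "ANY": [("any", 0, 65535)],
    "SIP": [("udp", 5060, 5060), ("tcp", 5060, 5060)],
}

SERVICE_RE = re.compile(
    r'^set service "([^"]+)" (?:protocol|\+) (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" (.*)$')


def parse_config(text):
    """Collect service objects (custom ones extend the predefined table) and
    policies in the order they appear; 'set policy id N application ...' lines
    carry no zones and are skipped."""
    services = {name: list(ports) for name, ports in PREDEFINED.items()}
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, proto, lo, hi = m.groups()
            services.setdefault(name, []).append((proto, int(lo), int(hi)))
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, zfrom, zto, src, dst, svc, rest = m.groups()
            vpn = re.search(r'tunnel vpn "([^"]+)"', rest)
            # a tunnel policy names its VPN; otherwise the first word is permit/deny
            action = "tunnel:" + vpn.group(1) if vpn else rest.split()[0]
            policies.append({"id": int(pid), "from": zfrom, "to": zto, "src": src,
                             "dst": dst, "service": svc, "action": action})
    return services, policies


def service_matches(services, name, proto, dport):
    return any(p in ("any", proto) and lo <= dport <= hi
               for p, lo, hi in services.get(name, []))


def candidate_policies(text, zfrom, zto, proto, dport):
    """Policies, in lookup order, whose zone pair and service could catch the
    flow, as (id, src object, dst object, service, action). Address objects are
    not evaluated here; the caller compares them against the real addresses."""
    services, policies = parse_config(text)
    return [(p["id"], p["src"], p["dst"], p["service"], p["action"])
            for p in policies
            if (p["from"], p["to"]) == (zfrom, zto)
            and service_matches(services, p["service"], proto, dport)]


if __name__ == "__main__":
    # the RTP packet from the debug output further down: Trust -> Untrust, UDP dport 30776
    for row in candidate_policies(SITE_B_CONFIG, "Trust", "Untrust", "udp", 30776):
        print(row)
```

For the RTP packet seen in the debug output (Trust to Untrust, UDP to port 30776) this lists policies 25, 8 and 5 (tunnel, ANY service) ahead of 21 (plain permit, "Asterisk RTP") and the catch-all 4, so whether RTP to the Asterisk box is encrypted or sent in the clear is decided entirely by whether its destination falls inside the address object of one of the three tunnel policies.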
10 Comments
 
Assisted Solution by: deimark
ID: 24796267
Any logs to show the dropped traffic at all?

Also I see SIP info in the config above, but the SIP ALG is unset.

Have you tried the set sip alg enable?

Normally, when we see RTP not passing firewalls, it's due to the SIP ALG either not being applied or not working properly. As the SIP portion of the call negotiates the RTP portion, unless the firewall is told what RTP ports are used for the call, it will normally drop the RTP portion after the call set up.

Not sure how the calls work fine without the VPN, but I would give the SIP ALG a go first here.

Have you ever run "debug flow basic"? If so, I can provide a wee bit more info on the next step, which will be to trace the packet as it goes through the firewalls.
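The point deimark makes about the ALG, as an added example that is not part of the thread: a SIP ALG learns the RTP address and port for each call from the SDP body of the INVITE and its 200 OK, and opens a pinhole for exactly that flow (plus RTCP, conventionally on the next port up). The parser below pulls those endpoints out of a SIP message and checks them against a static UDP range, which is what replaces the ALG when it is disabled, as it is on both boxes here. The 200 OK is constructed for this example (192.0.2.x addresses are documentation space, nothing from the post); the 30000-32000 range is the Asterisk RTP range named in the question.

```python
from ipaddress import ip_address

# Constructed SIP 200 OK, not taken from the post. The SDP body is where the
# far end announces the address/port it will receive RTP on; a SIP ALG reads
# these lines to open a per-call pinhole. The video m= line carries its own
# c= line, which overrides the session-level one for that stream.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.1.1.17:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:202@192.0.2.51>;tag=1928301774\r\n"
    "To: <sip:201@192.0.2.51>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:201@192.0.2.51:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1234 1234 IN IP4 192.0.2.51\r\n"
    "s=Asterisk PBX\r\n"
    "c=IN IP4 192.0.2.51\r\n"
    "t=0 0\r\n"
    "m=audio 30776 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 41000 RTP/AVP 34\r\n"
    "c=IN IP4 192.0.2.52\r\n"
)

# The Asterisk RTP range from the question (rtp.conf rtpstart/rtpend).
RTP_RANGE = (30000, 32000)


def sdp_media_endpoints(sip_message):
    """Return [(ip, port, media kind)] for every m= line in the SDP body.
    A c= line before any m= is session-level; a c= after an m= belongs to
    that media stream only (RFC 4566 ordering)."""
    head, _, body = sip_message.partition("\r\n\r\n")
    if "application/sdp" not in head:
        return []
    session_ip = None
    media = []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                media[-1]["ip"] = ip      # media-level override
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append({"media": kind, "port": int(port), "ip": session_ip})
    return [(m["ip"], m["port"], m["media"]) for m in media]


def pinholes(sip_message, rtp_range=RTP_RANGE):
    """What an ALG would have to open for this call, and whether a static UDP
    service object covering rtp_range already permits it (RTP and RTCP)."""
    lo, hi = rtp_range
    out = []
    for ip, port, kind in sdp_media_endpoints(sip_message):
        ip_address(ip)            # reject junk before it becomes a firewall rule
        rtcp = port + 1           # RTCP conventionally on the next port
        out.append({"media": kind, "ip": ip, "rtp": port, "rtcp": rtcp,
                    "covered_by_static_range": lo <= port and rtcp <= hi})
    return out


if __name__ == "__main__":
    for hole in pinholes(SAMPLE_200_OK):
        print(hole)
```

The audio stream (30776/30777) falls inside the static range and would pass a permit for UDP 30000-32000 without any ALG; the video stream on 41000 would not, which is the kind of silent failure to look for whenever a port the SDP announces is outside the service object on the firewall.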
 

Author Comment

by:philciccone
ID: 24796699
I have found that ALG should be disabled for any attempt at getting SIP to work at all; the VPN is policy based, so it's not filtering ports. For the hell of it I did enable SIP ALG just to see what happens: no change. Moving on to the debug, I have started with debug flow drop to see if I can get something quicker, and I did, but I don't know how to interpret the error "pak has inconsistent tunnel (40000026,ffffffff)". I Googled the error, and in just the few returned results someone else has the exact same problem I have (with no answer), so this has to be related to the issue?

Also keep in mind that if I edit the VPN policy and just re-save it via the GUI audio starts to pass on the call in progress, this has to be a hint to where my mistakes are?

****** 68031.0: <Trust/trust> packet received [60]******
  ipid = 32668(7f9c), @000ba04e
  packet passed sanity check.
  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 306
--- more --- 
  post addr xlation: 10.1.1.27->x.x.x.51.
  going into tunnel 40000026.
  flow_encrypt: vector=6765cc.
chip info: PIO. Tunnel id 00000026
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000026 gw:76.97.24.1
  no more encapping needed.
  packet send out to 00015c242501 through untrust
****** 68031.0: 
  packet passed sanity check.
  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 1107
68031.0:   pak has inconsistent tunnel (40000026,ffffffff)
 
 
v**** 68904.0: <Trust/trust> packet received [60]******
  ipid = 54654(d57e), @000b204e
  packet passed sanity check.
  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 1107
68904.0:   pak has inconsistent tunnel (40000026,ffffffff)
****** 68904.0: <Untrust/untrust> packet received [112]******
  ipid = 23881(5d49), @000c904e
  packet passed sanity check.
  untrust:x.x.x.2/3446->76.97.31.8/26226,50<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 233
  flow_decrypt: vector=673b8c.
  Dec: SPI=0d766672, Data=112
  SA tunnel id=0x00000026, flag<00002063>
chip info: PIO. Tunnel id 00000026
ipsec decrypt prepare done
ipsec decrypt set engine done
ipsec decrypt engine released, auth check pass!
--- more --- 
, Data=128
  SA tunnel id=0x00000026, flag<00002063>
chip info: PIO. Tunnel id 00000026
ipsec decrypt prepare done
ipsec decrypt set engine done
ipsec decrypt engine released, auth check pass!
  packet is decrypted
ipsec decrypt done
  untrust:x.x.x.51/30777->10.1.1.27/2253,17<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 703
  post addr xlation: x.x.x.51->10.1.1.27.
  no more encapping needed.
  packet send out to 0004f2036c92 (cached) through trust
****** 68928.0: <Untrust/untrust> packet received [144]******
  ipid = 25127(6227), @000d004e
  packet passed sanity check.
  untrust:x.x.x.2/3446->76.97.31.8/26226,50<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 233
--- more --- 
e3ea), @000b604e
  packet passed sanity check.
  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 306
  post addr xlation: 10.1.1.27->x.x.x.51.
  going into tunnel 40000026.
  flow_encrypt: vector=6765cc.
chip info: PIO. Tunnel id 00000026
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000026 gw:76.97.24.1
  no more encapping needed.
  packet send out to 00015c242501 through untrust


Author Comment

by:philciccone
ID: 24796797
Attached here is Site-A to Site-B with an ffilter set on the src-ip and dst-ip of the Asterisk box.
****** 611575.0: <V1-Trust/ethernet1> packet received [60]******
  ipid = 0(0000), @c7d05110
  packet passed sanity check.
  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>
found mac 001121aa1c80 on ethernet3
  flow packet already have session.
  flow session id 31570
  skip ttl adjust for packet from self.
 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 
  going into tunnel 40000001.
  flow_encrypt: enc vector=ba181c.
chip info: PIO. Tunnel id 00000001
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000001 gw:x.x.x.1
  no more encapping needed
****** 611589.0: <V1-Trust/ethernet1> packet received [60]******
  ipid = 0(0000), @c7d1d910
  packet passed sanity check.
  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>
found mac 001121aa1c80 on ethernet3
  flow packet already have session.
  flow session id 31570
  skip ttl adjust for packet from self.
 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 
  going into tunnel 40000001.
  flow_encrypt: enc vector=ba181c.
chip info: PIO. Tunnel id 00000001
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000001 gw:x.x.x.1
  no more encapping needed
****** 611635.0: <V1-Trust/ethernet1> packet received [60]******
  ipid = 0(0000), @c7d17910
  packet passed sanity check.
  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>
found mac 001121aa1c80 on ethernet3
  flow packet already have session.
  flow session id 31570
  skip ttl adjust for packet from self.
 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 
  going into tunnel 40000001.
  flow_encrypt: enc vector=ba181c.
chip info: PIO. Tunnel id 00000001
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000001 gw:x.x.x.1
  no more encapping needed
****** 611649.0: <V1-Trust/ethernet1> packet received [60]******
  ipid = 0(0000), @c7d11110
  packet passed sanity check.
  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>
found mac 001121aa1c80 on ethernet3
  flow packet already have session.
  flow session id 31570
  skip ttl adjust for packet from self.
 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 
  going into tunnel 40000001.
  flow_encrypt: enc vector=ba181c.
chip info: PIO. Tunnel id 00000001
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000001 gw:x.x.x.1
  no more encapping needed


Author Comment

by:philciccone
ID: 24796959
On Site B I decided to open/save the policy via the web to make the audio start working. I have attached below the debug flow basic of the audio flowing properly; it looks a lot different! :)
****** 70387.0: <Trust/trust> packet received [60]******
  ipid = 7154(1bf2), @000b384e
  existing session found. sess token 3
  flow got session.
  flow session id 259
  flow_decrypt: vector=673b8c.
  Dec: SPI=0d766677, Data=112
  SA tunnel id=0x00000029
  send packet to traffic shaping queue.
  flow ip send net: gw = 10.1.1.17
chip info: PIO. Tunnel id 00000029
ipsec decrypt prepare done
ipsec decrypt set engine done
  ipid = 8404(20d4), @000a004e
  packet passed sanity check.
  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 1588
  post addr xlation: 10.1.1.27->x.x.x.51.
  going into tunnel 40000029.
  flow_encrypt: vector=6765cc.
chip info: PIO. Tunnel id 00000029
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
  untrust:x.x.x.51/30776->10.1.1.27/2252,17<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 1588
  post addr xlation: x.x.x.51->10.1.1.27.
  no more encapping needed.
  send packet to traffic shaping queue.
  flow ip send net: gw = 10.1.1.17
  flow ip send net: gw = 10.1.1.27
  flow ip send net: gw = 76.97.24.1
  flow ip send net: gw = 76.97.24.1
****** 70403.0: <Untrust/untrust> packet received [1420]******
  ipid = 23356(5b3c), @000da04e
  packet passed sanity check.
  untrust:165.193.54.21/12150->76.97.31.8/2864,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 1654
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
  out encryption tunnel 40000029 gw:76.97.24.1
  no more encapping needed.
  send packet to traffic shaping queue.

LVL 18

Expert Comment

by:deimark
ID: 24797231
That does seem a bit odd here.

Can I assume that the Asterisk box is on 10.1.1.17?

Also, how are your sessions listed here? Are we maybe maxing out some counters? I only say that as the logs we have here show a lot of the packets coming in being detected as having an existing session and being forwarded accordingly.

Can you have a look at the bottom line of "get session" to see what you have there. Also double check the licensing and hardware limits for the sessions; run "get license-key" to confirm this.

What makes it more confusing is that a simple save of an existing VPN is enough to effect a renegotiation and all is good.

Can you let us see the output of "get ike cookie" and "get sa active"?

Accepted Solution

by:
philciccone earned 0 total points
ID: 24797453
I found the issue, with some hints you gave me...

Turns out the SIP ALG option exists, but is hidden on the Netscreen-5s; it's only available via the command line, not the web interface. I ran "unset sip alg" on the Netscreen-5 and it fixed the problem. I did not put it together that the ALG exists on the 5s but can only be turned off via the command line.

As for why the audio started working on the policy reset, my guess is that the ALG is reset when you save a policy, i.e. the SIP state is lost at the application layer.

Very happy I am! :)
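The dumps earlier in the thread carry the whole story in two details: in the broken call, every RTP packet of session 1107 logs "pak has inconsistent tunnel (40000026,ffffffff)", while after the policy re-apply the same flows bind cleanly to the new tunnel id 40000029. Picking that out of a few hundred pager-wrapped lines by eye is slow, so here is a small triage script for `debug flow basic` captures. It is an added example written for this page, not code from the thread or from Juniper; it assumes the line shapes visible in the posted dumps (packet header, `zone:src/port->dst/port,proto<vsys>` flow line, `flow session id`, `going into tunnel` / `out encryption tunnel`, and the inconsistent-tunnel warning) and the Asterisk RTP range 30000-32000 from the question. The sample input is constructed in that shape, not copied from the dumps, and the page does not document what the two tunnel ids in the warning mean beyond "the session's cached tunnel no longer matches", so the script reports them as cached/live without interpreting further.

```python
"""Triage helper for ScreenOS `debug flow basic` dumps (added example, not from the thread).

Splits a capture into per-packet records, extracts the 5-tuple, the flow session
id and any IPsec tunnel ids, and reports sessions that logged
"pak has inconsistent tunnel (cached,live)" so they can be compared against the
tunnel the working call actually used.
"""
import re
from collections import defaultdict

# Asterisk RTP range as stated in the question; everything else is treated as non-RTP.
RTP_PORTS = range(30000, 32001)

PKT_HDR = re.compile(
    r"^\*{6} (?P<ts>[\d.]+):"
    r"(?: <(?P<zone>[^/>]+)/(?P<ifc>[^>]+)> packet received \[(?P<length>\d+)\])?"
)
FLOW = re.compile(
    r"^\s*(?P<zone>[\w-]+):(?P<src>[\w.]+)/(?P<sport>\d+)->(?P<dst>[\w.]+)/(?P<dport>\d+),(?P<proto>\d+)<"
)
SESSION = re.compile(r"^\s*flow session id (?P<sid>\d+)")
TUNNEL = re.compile(r"(?:going into tunnel|out encryption tunnel) (?P<tid>[0-9a-f]{8})")
INCONSIST = re.compile(r"pak has inconsistent tunnel \((?P<cached>[0-9a-f]{8}),(?P<live>[0-9a-f]{8})\)")

# Constructed sample in the shape of the dumps posted above (not a verbatim copy):
# the first packet is the broken call (session 1107, inconsistent tunnel), the other
# two are outbound RTP before and after the policy re-apply (tunnel 40000026 -> 40000029).
SAMPLE = """\
****** 68031.0: <Trust/trust> packet received [60]******
  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>
  existing session found. sess token 2
  flow session id 1107
68031.0:   pak has inconsistent tunnel (40000026,ffffffff)
****** 68904.0: <Trust/trust> packet received [60]******
  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>
  existing session found. sess token 2
  flow session id 306
  going into tunnel 40000026.
  out encryption tunnel 40000026 gw:76.97.24.1
****** 70387.0: <Trust/trust> packet received [60]******
  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>
  existing session found. sess token 2
  flow session id 1588
  going into tunnel 40000029.
  out encryption tunnel 40000029 gw:76.97.24.1
"""


def parse_flow_debug(text):
    """Return one dict per packet header ("****** <ts>: ..."), ignoring anything before
    the first header (stray pager fragments). A decrypted ESP packet prints two flow
    lines; the inner one comes last and overwrites the outer, which is what we want."""
    records, cur = [], None
    for line in text.splitlines():
        m = PKT_HDR.match(line)
        if m:
            cur = {"ts": float(m["ts"]), "zone": m["zone"], "flow": None, "proto": None,
                   "dport": None, "sid": None, "tunnels": [], "inconsistent": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := FLOW.match(line)):
            cur["flow"] = f'{m["src"]}:{m["sport"]}->{m["dst"]}:{m["dport"]}'
            cur["proto"], cur["dport"] = int(m["proto"]), int(m["dport"])
        elif (m := SESSION.match(line)):
            cur["sid"] = int(m["sid"])
        elif (m := INCONSIST.search(line)):
            cur["inconsistent"] = (m["cached"], m["live"])
        cur["tunnels"].extend(t["tid"] for t in TUNNEL.finditer(line))
    return records


def is_rtp(rec):
    """UDP to the Asterisk RTP range."""
    return rec["proto"] == 17 and rec["dport"] in RTP_PORTS


def tunnel_bindings(records):
    """Session id -> set of tunnel ids its packets were actually encrypted into."""
    bindings = defaultdict(set)
    for r in records:
        if r["sid"] is not None:
            bindings[r["sid"]].update(r["tunnels"])
    return dict(bindings)


def find_inconsistent(records):
    """One (sid, flow, cached_tunnel, live_tunnel, is_rtp) per session that logged the
    inconsistent-tunnel warning: the signature of the dead-audio call in the thread."""
    out, seen = [], set()
    for r in records:
        if r["inconsistent"] and r["sid"] not in seen:
            seen.add(r["sid"])
            out.append((r["sid"], r["flow"], r["inconsistent"][0], r["inconsistent"][1], is_rtp(r)))
    return out


if __name__ == "__main__":
    recs = parse_flow_debug(SAMPLE)
    for sid, flow, cached, live, rtp in find_inconsistent(recs):
        print(f"session {sid} {flow} {'RTP' if rtp else 'non-RTP'}: cached tunnel {cached}, live {live}")
    print(tunnel_bindings(recs))
```

Feed it a saved capture instead of `SAMPLE` (set the ffilter on the Asterisk address first, as the poster did, so the dump stays small). The pattern to look for is the one in this thread: RTP sessions showing up in `find_inconsistent` while the post-fix sessions in `tunnel_bindings` sit cleanly on a single new tunnel id. That tells you the stale session state, not the IPsec SA, is what is eating the audio, which is consistent with the accepted answer that `unset sip alg` on the Netscreen-5 was the fix.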
LVL 18

Expert Comment

by:deimark
ID: 24797491
Hehe, nice find.

BTW, the ns5s will also run up to the latest version of screenos, so if you wanted everything as visible as you can, upgrade to 6.x on all.  (preferably 6.2 IMO)

Author Comment

by:philciccone
ID: 24797593
I should do that on all my firewalls, but sadly I don't have access to the latest firmware on any of them. :(
LVL 18

Expert Comment

by:deimark
ID: 24799002
Note that you can also export the firmware from one firewall to another, with the usual caveat that it needs to be the same model.

Some folk buy a firewall from eBay, for example, which happens to have a later version installed than the other firewalls, so you can save the software to TFTP and then re-import it on the other units.

It's not a great way to work, especially with the likes of a good enterprise product like Juniper, but some do tend to use this as a cheap way of managing a firewall base.

DM

Author Comment

by:philciccone
ID: 24799215
Appreciate the tip; if the opportunity arises I will. -- Phil