Solved

Netscreen Site-to-Site VPNs can't pass RTP traffic using Asterisk

Posted on 2009-07-07
Last Modified: 2013-11-12
I have been banging my head against a wall here now for hours, I should have posted here sooner... This problem is wide-spread across all of our site-to-site VPNs but for the sake of simplifying the issue I will just speak of one segment of the VPN that experiences the problem. Once diagnosed I can apply the fix across all devices.

The issue:
SIP audio (RTP traffic) will not pass from phone to phone over a site-to-site VPN using Netscreen firewalls. RTP traffic WILL pass outside of the VPN and phone to phone system inside the VPN. The problem is specifically with two phones connected over a site-to-site-VPN.

Here is the kicker / symptom: If I call from my two test phones to each other, no audio passes (hence this problem) but as soon as I go and edit the VPN policy on Site B, make no changes and simply hit "Apply" audio starts working between the two phones!! I can rinse and repeat this exercise and every time just editing the VPN policy and hitting apply makes the audio start working for the call in progress.

- RTP is UDP ports 30000 to 32000 in asterisk
- SIP is the standard 5060
- Netscreen SIP ALG is disabled

Topology:

Site A:
Netscreen-25 in transparent mode
Asterisk server with a public IP address passing through Netscreen-25

-- Policy-based site-to-site VPN between A and B --

Site B:
Netscreen-5
2 x Polycom IP-501 SIP phones each with different extensions.


Site A:
 

set clock ntp

set clock timezone -5

set vrouter trust-vr sharable

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset auto-route-export

exit

set service "PCAnywhere" protocol tcp src-port 1-65535 dst-port 5631-5632 

set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 

set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389 

set service "SSL E-Mail" protocol tcp src-port 1-65535 dst-port 993-993 

set service "SSL E-Mail" + tcp src-port 1-65535 dst-port 995-995 

set service "SSL E-Mail" + tcp src-port 1-65535 dst-port 465-465 

set service "SiteStudio" protocol tcp src-port 1-65535 dst-port 8080-8080 

set service "SiteStudio" + tcp src-port 1-65535 dst-port 8443-8443 

set service "Citrix-ICA" protocol tcp src-port 1-65535 dst-port 2598-2598 

set service "Citrix-ICA" + udp src-port 0-65535 dst-port 1604-1604 

set service "Belkin KVM" protocol tcp src-port 1-65535 dst-port 900-902 

set service "mySQL" protocol tcp src-port 1-65535 dst-port 3306-3306 

set service "IRCd" protocol tcp src-port 0-65535 dst-port 194-194 

set service "IRCd" + tcp src-port 0-65535 dst-port 6660-7000 

set service "IRCd" + tcp src-port 0-65535 dst-port 5555-5555 

set service "IRCd" + tcp src-port 0-65535 dst-port 8067-8067 

set service "IRCd" + tcp src-port 0-65535 dst-port 8001-8001 

set service "IRCd" + tcp src-port 0-65535 dst-port 51234-51234 

set service "TeamSpeak" protocol udp src-port 0-65535 dst-port 8760-8769 

set service "Shoutcast" protocol tcp src-port 0-65535 dst-port 8000-8000 

set service "Asterisk VoIP" protocol udp src-port 0-65535 dst-port 5060-5060 

set service "Asterisk VoIP" + udp src-port 0-65535 dst-port 4569-4569 

set service "Asterisk VoIP" + udp src-port 0-65535 dst-port 30000-32000 

set service "Asterisk VoIP" + tcp src-port 0-65535 dst-port 5060-5060 

set service "Asterisk VoIP" + udp src-port 0-65535 dst-port 4500-4999 

set service "Asterisk VoIP" + udp src-port 30000-32000 dst-port 0-65535 

unset alg mgcp enable

set alg sip app-screen unknown-message route permit

set alg sip app-screen unknown-message nat permit

unset alg sip enable

unset alg sunrpc enable

unset alg msrpc enable

unset alg sql enable

unset alg rtsp enable

unset alg h323 enable

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth-server "Local" timeout 120

set auth-server "DefL2TPAuthServer" id 1

set auth-server "DefL2TPAuthServer" account-type l2tp 

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "netscreen"

set admin auth timeout 999

set admin auth server "Local"

set admin auth banner telnet login "Private access - Keep out! (Canton, GA)"

set admin auth banner console login "Private access - Keep out! (Canton, GA)"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "DMZ" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst 

unset zone "Untrust" block 

unset zone "Untrust" tcp-rst 

set zone "MGT" block 

set zone "DMZ" tcp-rst 

set zone "VLAN" block 

unset zone "VLAN" tcp-rst 

set zone "Untrust" screen icmp-flood

set zone "Untrust" screen udp-flood

set zone "Untrust" screen winnuke

set zone "Untrust" screen port-scan

set zone "Untrust" screen ip-sweep

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "Untrust" screen syn-frag

set zone "Untrust" screen tcp-no-flag

set zone "Untrust" screen unknown-protocol

set zone "Untrust" screen ip-bad-option

set zone "Untrust" screen ip-record-route

set zone "Untrust" screen ip-timestamp-opt

set zone "Untrust" screen ip-security-opt

set zone "Untrust" screen ip-loose-src-route

set zone "Untrust" screen ip-strict-src-route

set zone "Untrust" screen ip-stream-opt

set zone "Untrust" screen icmp-fragment

set zone "Untrust" screen icmp-large

set zone "Untrust" screen syn-fin

set zone "Untrust" screen fin-no-ack

set zone "Untrust" screen limit-session source-ip-based

set zone "Untrust" screen syn-ack-ack-proxy

set zone "Untrust" screen component-block zip

set zone "Untrust" screen component-block jar

set zone "Untrust" screen component-block exe

set zone "Untrust" screen component-block activex

set zone "Untrust" screen icmp-id

set zone "Untrust" screen ip-spoofing drop-no-rpf-route

set zone "V1-Untrust" screen icmp-flood

set zone "V1-Untrust" screen udp-flood

set zone "V1-Untrust" screen winnuke

set zone "V1-Untrust" screen port-scan

set zone "V1-Untrust" screen ip-sweep

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set zone "V1-Untrust" screen syn-frag

set zone "V1-Untrust" screen tcp-no-flag

set zone "V1-Untrust" screen unknown-protocol

set zone "V1-Untrust" screen ip-bad-option

set zone "V1-Untrust" screen ip-record-route

set zone "V1-Untrust" screen ip-timestamp-opt

set zone "V1-Untrust" screen ip-security-opt

set zone "V1-Untrust" screen ip-loose-src-route

set zone "V1-Untrust" screen ip-strict-src-route

set zone "V1-Untrust" screen ip-stream-opt

set zone "V1-Untrust" screen icmp-fragment

set zone "V1-Untrust" screen icmp-large

set zone "V1-Untrust" screen syn-fin

set zone "V1-Untrust" screen mal-url code-red

set zone "V1-Untrust" screen limit-session source-ip-based

set zone "V1-Untrust" screen syn-ack-ack-proxy

set zone "V1-Untrust" screen icmp-id

set zone "Untrust" screen ip-sweep threshold 30000

set zone "V1-Untrust" screen ip-sweep threshold 30000

set zone "Untrust" screen limit-session source-ip-based 100

set zone "V1-Untrust" screen limit-session source-ip-based 100

set zone "Untrust" screen limit-session destination-ip-based 100

set zone "V1-Untrust" screen limit-session destination-ip-based 100

set zone "Untrust" screen syn-ack-ack threshold 100

set zone "V1-Untrust" screen syn-ack-ack threshold 100

set zone "V1-Untrust" screen syn-flood drop-unknown-mac

set interface "ethernet1" zone "V1-Trust"

set interface "ethernet2" zone "V1-DMZ"

set interface "ethernet3" zone "V1-Untrust"

set interface "ethernet4" zone "V1-Untrust"

set interface vlan1 ip X.X.X.2/24

set interface vlan1 route

set interface ethernet1 bandwidth egress mbw 10000 ingress mbw 10000

set interface ethernet3 bandwidth egress mbw 10000 ingress mbw 10000

set interface ethernet4 bandwidth egress mbw 10000 ingress mbw 10000

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface vlan1 ip manageable

unset interface vlan1 manage telnet

unset interface vlan1 manage ssl

set interface vlan1 manage mtrace

set zone V1-Untrust manage ping

set zone V1-Untrust manage ssh

set zone V1-Untrust manage web

set interface "vlan1" webauth 

set interface "vlan1" webauth-ip X.X.X.4

set zone "V1-Trust" webauth

set zone "V1-Untrust" webauth

unset flow tcp-syn-check

set flow aging low-watermark 70

set flow aging high-watermark 80

set domain AcmeComphosting.net

set hostname firewall1-ga

set webauth banner success "WebAuth Success - don't mess anything up!!!"

set pki authority default cert-status revocation-check none

set pki authority default cert-status ocsp cert-verify hash "0Exxxxxxxxxxxxxx"

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set dns host dns1 12.127.17.71

set dns host dns2 166.102.165.13

set dns host schedule 00:00

set address Trust "PCICCONE-GA-LAN" 10.1.1.0 255.255.255.0

set address Untrust "AcmeComp-TX-LAN" x.x.x.0 255.255.255.0

set address Untrust "DCPC-GA-LAN" 192.168.5.0 255.255.255.0

set address Untrust "Acme-GA-LAN" 192.168.0.0 255.255.255.0

set address Untrust "Acme-NJ-LAN" 192.168.1.0 255.255.255.0

set address V1-Trust "Cassie" X.X.X.48 255.255.255.255

set address V1-Trust "Cody" X.X.X.37 255.255.255.255

set address V1-Trust "AcmeComp-Gold-GA-LAN" X.X.X.0 255.255.255.0

set address V1-Trust "AcmeComp-Silver-GA-LAN" X.X.X.184 255.255.255.248

set address V1-Trust "DCI-Asterisk" X.X.X.52 255.255.255.255

set address V1-Trust "DCPC - Area" X.X.X.49 255.255.255.255

set address V1-Trust "DCPC - Citrix" X.X.X.50 255.255.255.255

set address V1-Trust "DRAC1" X.X.X.21 255.255.255.255

set address V1-Trust "Acme - VOIP2" X.X.X.51 255.255.255.255

set address V1-Trust "KVM1" X.X.X.3 255.255.255.255

set address V1-Trust "Leah" X.X.X.24 255.255.255.255

set address V1-Trust "Leah - CP" X.X.X.22 255.255.255.255

set address V1-Trust "Leah - NS" X.X.X.23 255.255.255.255

set address V1-Trust "Mia" X.X.X.25 255.255.255.255

set address V1-Trust "Mia - NS2" X.X.X.26 255.255.255.255

set address V1-Trust "temere2" X.X.X.186 255.255.255.255

set address V1-Trust "temere2-Linux" X.X.X.187 255.255.255.255

set address V1-Trust "VMWare1" X.X.X.20 255.255.255.255

set address V1-Untrust "CB-GA-LAN" 10.11.0.0 255.255.255.0

set address V1-Untrust "Acme-NJ-LAN" 192.168.1.0 255.255.255.0

set address V1-Untrust "PCICCONE-GA-LAN" 10.1.1.0 255.255.255.0

set address V1-Untrust "ScottM-AZ-LAN" 192.168.3.0 255.255.255.0

set user "fsmith" uid 2

set user "fsmith" type  auth

set user "fsmith" hash-password "="

set user "fsmith" "enable"

set user "pciccone" uid 1

set user "pciccone" ike-id fqdn "pciccone" share-limit 1

set user "pciccone" type  auth ike

set user "pciccone" password "=="

set user "pciccone" "enable"

set user-group "VPN Access" id 1

set user-group "VPN Access" user "pciccone"

set ike gateway "pciccone-GA-GW" address 0.0.0.0 id "pciccone.dyndns.org" Aggr local-id "pciccone.dyndns.org" outgoing-zone "V1-Untrust" preshare "==" sec-level standard

unset ike gateway "pciccone-GA-GW" nat-traversal

set ike gateway "Dialup VPN" dialup "VPN Access" Aggr outgoing-zone "V1-Untrust" preshare "==" sec-level standard

set ike gateway "Dialup VPN" nat-traversal udp-checksum

set ike gateway "Dialup VPN" nat-traversal keepalive-frequency 5

set ike gateway "CB-VPN-GW" address home.custombytes.biz Main outgoing-zone "V1-Untrust" preshare "==" proposal "pre-g2-aes128-sha"

set ike gateway "Acme-NJ-GW" address vpn.Acme-industries.com Main outgoing-zone "V1-Untrust" preshare "==" sec-level standard

set ike gateway "ScottM-AZ-GW" address scottmoore.dyndns.org Main outgoing-zone "V1-Untrust" preshare "==" proposal "pre-g2-3des-sha"

set ike respond-bad-spi 1

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set vpn "pciccone-GA-VPN" gateway "pciccone-GA-GW" replay tunnel idletime 0 sec-level standard

set vpn "pciccone-GA-VPN" monitor optimized rekey

set vpn "Dialup VPN" gateway "Dialup VPN" replay tunnel idletime 0 sec-level standard

set vpn "CB-GA-VPN" gateway "CB-VPN-GW" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 

set vpn "Acme-NJ-VPN" gateway "Acme-NJ-GW" no-replay tunnel idletime 0 sec-level standard

set vpn "Acme-NJ-VPN" monitor

set vpn "ScottM-AZ-VPN" gateway "ScottM-AZ-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 

set attack db server "https://services.netscreen.com/restricted/sigupdates/server"

set attack db schedule daily 00:00

set url fail-mode permit

set url protocol sc-cpa

exit

set anti-spam profile ns-profile

 set sbl default-server enable

exit

set policy id 36 from "V1-Untrust" to "V1-Trust"  "ScottM-AZ-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "ScottM-AZ-VPN" id 16 pair-policy 37 

set policy id 36

exit

set policy id 34 from "V1-Untrust" to "V1-Trust"  "Acme-NJ-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 14 pair-policy 33 

set policy id 34

exit

set policy id 37 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "ScottM-AZ-LAN" "ANY" tunnel vpn "ScottM-AZ-VPN" id 16 pair-policy 36 

set policy id 37

exit

set policy id 33 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "Acme-NJ-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 14 pair-policy 34 

set policy id 33

exit

set policy id 23 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "CB-GA-LAN" "ANY" tunnel vpn "CB-GA-VPN" id 9 pair-policy 24 

set policy id 23 disable

set policy id 23

exit

set policy id 24 from "V1-Untrust" to "V1-Trust"  "CB-GA-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "CB-GA-VPN" id 9 pair-policy 23 

set policy id 24 disable

set policy id 24

exit

set policy id 3 from "V1-Untrust" to "V1-Trust"  "PCICCONE-GA-LAN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "pciccone-GA-VPN" id 1 pair-policy 2 

set policy id 3

exit

set policy id 14 from "V1-Untrust" to "V1-Trust"  "Dial-Up VPN" "AcmeComp-Gold-GA-LAN" "ANY" tunnel vpn "Dialup VPN" id 3 pair-policy 13 

set policy id 14

exit

set policy id 2 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "PCICCONE-GA-LAN" "ANY" tunnel vpn "pciccone-GA-VPN" id 1 pair-policy 3 

set policy id 2

exit

set policy id 13 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "Dial-Up VPN" "ANY" tunnel vpn "Dialup VPN" id 3 pair-policy 14 

set policy id 13

exit

set policy id 1 from "V1-Trust" to "V1-Untrust"  "AcmeComp-Gold-GA-LAN" "Any" "ANY" permit 

set policy id 1

set src-address "AcmeComp-Silver-GA-LAN"

exit

set policy id 22 from "V1-Untrust" to "V1-Trust"  "Any" "AcmeComp-Gold-GA-LAN" "HTTP" permit 

set policy id 22

set dst-address "AcmeComp-Silver-GA-LAN"

set service "HTTPS"

exit

set policy id 5 from "V1-Untrust" to "V1-Trust"  "Any" "Leah" "IMAP" permit 

set policy id 5

set service "POP3"

set service "SiteStudio"

set service "SMTP"

set service "SSL E-Mail"

exit

set policy id 6 from "V1-Untrust" to "V1-Trust"  "Any" "Leah - NS" "DNS" permit 

set policy id 6

exit

set policy id 7 from "V1-Untrust" to "V1-Trust"  "Any" "Mia" "FTP" permit 

set policy id 7

set service "mySQL"

exit

set policy id 8 from "V1-Untrust" to "V1-Trust"  "Any" "Mia - NS2" "DNS" permit 

set policy id 8

exit

set policy id 9 from "V1-Untrust" to "V1-Trust"  "Any" "Cody" "FTP" permit 

set policy id 9

set service "MS-SQL"

exit

set policy id 35 from "V1-Untrust" to "V1-Trust"  "Any" "Acme - VOIP2" "Asterisk VoIP" permit log 

set policy id 35 application "SIP"

set policy id 35

exit

set policy id 27 from "V1-Untrust" to "V1-Trust"  "Any" "Acme - VOIP2" "FTP" permit 

set policy id 27 application "FTP"

set policy id 27

exit

set policy id 17 from "V1-Untrust" to "V1-Trust"  "Any" "DCPC - Area" "Citrix-ICA" permit 

set policy id 17

set dst-address "DCPC - Citrix"

exit

set policy id 32 from "V1-Untrust" to "V1-Trust"  "Any" "temere2-Linux" "FTP" permit 

set policy id 32

set service "HTTP"

set service "HTTPS"

set service "IRCd"

set service "mySQL"

set service "PING"

set service "Shoutcast"

set service "SSH"

set service "TeamSpeak"

exit

set policy id 12 from "V1-Untrust" to "V1-Trust"  "Any" "AcmeComp-Gold-GA-LAN" "ANY" permit webauth log 

set policy id 12

set dst-address "AcmeComp-Silver-GA-LAN"

set log session-init

exit

set policy id 19 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" deny log 

set policy id 19

exit

unset log module system level information destination internal

unset log module system level debugging destination internal

unset log module system level emergency destination email

unset log module system level alert destination email

unset log module system level critical destination email

unset log module system level notification destination email

unset log module system level emergency destination snmp

unset log module system level alert destination snmp

unset log module system level critical destination snmp

unset log module system level emergency destination syslog

unset log module system level alert destination syslog

unset log module system level critical destination syslog

unset log module system level error destination syslog

unset log module system level warning destination syslog

unset log module system level notification destination syslog

unset log module system level information destination syslog

unset log module system level debugging destination syslog

unset log module system level emergency destination webtrends

unset log module system level alert destination webtrends

unset log module system level critical destination webtrends

unset log module system level notification destination webtrends

unset log module system level emergency destination NSM

unset log module system level alert destination NSM

unset log module system level critical destination NSM

unset log module system level error destination NSM

unset log module system level warning destination NSM

unset log module system level notification destination NSM

unset log module system level information destination NSM

unset log module system level debugging destination NSM

unset log module system level emergency destination pcmcia

unset log module system level alert destination pcmcia

unset log module system level critical destination pcmcia

unset log module system level error destination pcmcia

unset log module system level warning destination pcmcia

unset log module system level notification destination pcmcia

unset log module system level information destination pcmcia

unset log module system level debugging destination pcmcia

set nsmgmt bulkcli reboot-timeout 60

set ssh version v1

set ssh enable

set config lock timeout 5

set ntp server "192.5.41.41"

set ntp server src-interface "ethernet3"

set ntp server backup1 "0.0.0.0"

set ntp server backup2 "0.0.0.0"

set ntp interval 300

set snmp community "public" Read-Only Trap-on  version any

set snmp host "public" X.X.X.0 255.255.255.0 src-interface vlan1 

set snmp location "Atlanta, GA"

set snmp contact "Systems Administrator"

set snmp name "firewall1-ga"

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset add-default-route

set route 0.0.0.0/0 interface vlan1 gateway X.X.X.1 preference 20 permanent

exit

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit
 

-----------------------------------------------------------------------------------------
 

Site B:
 

set clock ntp

set clock timezone -5

set vrouter trust-vr sharable

unset vrouter "trust-vr" auto-route-export

set service "PCAnywhere" protocol tcp src-port 1-65535 dst-port 5631-5632 

set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 

set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 

set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 

set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 

set service "PCAnywhere" + udp src-port 1-65535 dst-port 5631-5632 

set service "IP Cameras" protocol tcp src-port 1-65535 dst-port 8000-8010 

set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389 

set service "LocationFree" protocol tcp src-port 1-65535 dst-port 5021-5021 

set service "SageTV" protocol tcp src-port 1-65535 dst-port 31099-31099 

set service "Asterisk RTP" protocol udp src-port 1-65535 dst-port 30000-32000 

set service "T-Mobile @Home" protocol udp src-port 1-65535 dst-port 500-500 

set service "T-Mobile @Home" + udp src-port 1-65535 dst-port 4500-4500 

set service "Mi Casa Verde" protocol tcp src-port 1-65535 dst-port 8080-8080 

set service "Air Media" protocol tcp src-port 1-65535 dst-port 45631-45631 

set service "Air Media" + udp src-port 1-65535 dst-port 45631-45631 

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth-server "Local" timeout 60

set auth-server "DefL2TPAuthServer" id 1

set auth-server "DefL2TPAuthServer" account-type l2tp 

set auth default auth server "Local"

set auth banner telnet login "Private access - Keep out! (Canton, GA)"

set auth banner ftp login "220 Private access - Keep out! (Canton, GA)"

set auth banner http login "Private access - Keep out! (Canton, GA)"

set admin name "netscreen"

set admin password "xxxx"

set admin auth timeout 999

set admin auth server "Local"

set admin auth banner telnet login "Private access - Keep out! (Canton, GA)"

set admin auth banner console login "Private access - Keep out! (Canton, GA)"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Trust" tcp-rst 

set zone "Untrust" block 

set zone "Untrust" tcp-rst 

set zone "MGT" block 

set zone "VLAN" block 

unset zone "VLAN" tcp-rst 

unset zone "Untrust" screen tear-drop

unset zone "Untrust" screen syn-flood

unset zone "Untrust" screen ping-death

unset zone "Untrust" screen ip-filter-src

unset zone "Untrust" screen land

set zone "Untrust" screen ip-spoofing drop-no-rpf-route

unset zone "V1-Untrust" screen tear-drop

unset zone "V1-Untrust" screen syn-flood

unset zone "V1-Untrust" screen ping-death

unset zone "V1-Untrust" screen ip-filter-src

unset zone "V1-Untrust" screen land

set zone "Untrust" screen ip-sweep threshold 30000

set zone "V1-Untrust" screen ip-sweep threshold 30000

set interface "trust" zone "Trust"

set interface "untrust" zone "Untrust"

unset interface vlan1 ip

set interface trust ip 10.1.1.1/24

set interface trust nat

set interface untrust ip x.x.x.x/21

set interface untrust route

set interface trust bandwidth 10000

set interface untrust bandwidth 6000

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface trust ip manageable

set interface untrust ip manageable

set interface untrust manage ping

set interface untrust manage ssh

set interface untrust manage snmp

set interface untrust manage ssl

set interface untrust manage web

set interface untrust vip untrust 8000 "HTTP" 10.1.1.110

set interface untrust vip untrust 8001 "HTTP" 10.1.1.111

set interface untrust vip untrust 31099 "SageTV" 10.1.1.99

set interface untrust vip untrust 8002 "HTTP" 10.1.1.112

set interface untrust vip untrust 3389 "RDP" 10.1.1.99

set interface untrust vip untrust 5021 "LocationFree" 10.1.1.100

set interface untrust vip untrust 8080 "HTTP" 10.1.1.97

set interface untrust vip untrust 45631 "Air Media" 10.1.1.99

set interface trust dhcp server service

set interface trust dhcp server enable

set interface trust dhcp server option lease 1440 

set interface trust dhcp server option gateway 10.1.1.1 

set interface trust dhcp server option netmask 255.255.255.0 

set interface trust dhcp server option domainname hsd1.ga.comcast.net. 

set interface trust dhcp server option dns1 68.87.68.166 

set interface trust dhcp server option dns2 68.87.74.166 

set interface trust dhcp server ip 10.1.1.10 to 10.1.1.90 

set interface untrust dhcp-client enable

set flow tcp-mss 1392

set dns host schedule 00:00

set address "Trust" "PCICCONE-GA-LAN" 10.1.1.0 255.255.255.0

set address "Untrust" "CyberWEB-GA-LAN" x.x.x.0 255.255.255.0

set address "Untrust" "CyberWEB-TX-LAN" x.x.x.0 255.255.255.0

set address "Untrust" "DCPC-GA-LAN" 192.168.5.0 255.255.255.0

set address "Untrust" "Acme-GA-LAN" 192.168.0.0 255.255.255.0

set address "Untrust" "Acme-GA2-LAN" 192.168.6.0 255.255.255.0

set address "Untrust" "Acme-NJ-LAN" 192.168.1.0 255.255.255.0

set ike gateway "Acme-NJ-GW" address vpn.Acme-industries.com Main outgoing-interface "untrust" preshare "=" sec-level standard

set ike gateway "DCPC-GA-GW" address vpn.dcpc.biz Aggr local-id "pciccone.dyndns.org" outgoing-interface "untrust" preshare "=" sec-level standard

set ike gateway "Acme-GA-GW" address firewall1-ga.Acme-industries.com Aggr local-id "pciccone.dyndns.org" outgoing-interface "untrust" preshare "==" sec-level standard

set ike gateway "CyberWEB-GA-VPN" address x.x.x.2 Aggr local-id "pciccone.dyndns.org" outgoing-interface "untrust" preshare "=" sec-level standard

set ike respond-bad-spi 1

set vpn "Acme-NJ-VPN" gateway "Acme-NJ-GW" no-replay tunnel idletime 0 sec-level standard

set vpn "DCPC-GA-VPN" gateway "DCPC-GA-GW" no-replay tunnel idletime 0 sec-level standard

set vpn "Acme-GA-VPN" gateway "Acme-GA-GW" no-replay tunnel idletime 0 sec-level standard

set vpn "CyberWEB-GA-VPN" gateway "CyberWEB-GA-VPN" no-replay tunnel idletime 0 sec-level standard

set arp x.x.x.x 00018194c002 "untrust"

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set policy id 26 from "Untrust" to "Trust"  "CyberWEB-GA-LAN" "PCICCONE-GA-LAN" "ANY" nat src tunnel vpn "CyberWEB-GA-VPN" id 38 pair-policy 25 

set policy id 25 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "CyberWEB-GA-LAN" "ANY" tunnel vpn "CyberWEB-GA-VPN" id 38 pair-policy 26 

set policy id 8 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "Acme-GA-LAN" "ANY" tunnel vpn "Acme-GA-VPN" id 19 

set policy id 5 from "Trust" to "Untrust"  "PCICCONE-GA-LAN" "Acme-NJ-LAN" "ANY" tunnel vpn "Acme-NJ-VPN" id 20 

set policy id 20 from "Trust" to "Untrust"  "Any" "Any" "SIP" permit traffic gbw 0 priority 0 

set policy id 20 application "SIP"

set policy id 21 from "Trust" to "Untrust"  "Any" "Any" "Asterisk RTP" permit traffic gbw 0 priority 0 

set policy id 22 from "Trust" to "Untrust"  "Any" "Any" "T-Mobile @Home" permit traffic gbw 0 priority 0 

set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit traffic gbw 0 priority 6 

set policy id 11 from "Untrust" to "Trust"  "Any" "VIP::1" "IP Cameras" permit 

set policy id 12 from "Untrust" to "Trust"  "Any" "VIP::1" "LocationFree" permit 

set policy id 13 from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" permit 

set policy id 14 from "Untrust" to "Trust"  "Any" "VIP::1" "SageTV" permit 

set policy id 24 from "Untrust" to "Trust"  "Any" "VIP::1" "Air Media" permit 

set policy id 23 from "Untrust" to "Trust"  "Any" "VIP::1" "Mi Casa Verde" permit 

set pppoe name "untrust"

set pppoe name "untrust" username "xxx@windstream.net" password "=="

set pppoe name "untrust" idle 0

unset pppoe name "untrust" update-dhcpserver

set pppoe name "untrust" auto-connect 1

set ssh version v2

set ssh enable

set config lock timeout 5

set url fail-mode permit

set ntp server "192.5.41.41"

set ntp server backup1 "0.0.0.0"

set ntp server backup2 "0.0.0.0"

set ntp interval 300

set snmp community "public" Read-Only Trap-on  version any

set snmp host "public" x.x.x.0 255.255.255.0 

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset add-default-route

exit


Question by:philciccone
10 Comments
 

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 24796267
Any logs to show the dropped traffic at all?

Also I see SIP info in the config above, but the sip alg is unset.

Have you tried the set sip alg enable

Normally, when we see RTP not passing firewalls, it's due to the SIP alg either not being applied or not working properly.  As the SIP portion of the call negotiates the RTP portion, unless the firewall is told what RTP ports are used for the call, it will normally drop the RTP portion after the call set up.

Not sure how the calls work fine without the VPN, but I would give the sip alg a go first here.

Have you ever run "debug flow basic"?  If so, I can provide a wee bit more info on the next step which will be to trace the packet as it goes through the firewalls.
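As an added illustration of the ALG behaviour deimark describes (example code, not anything from the thread or from ScreenOS): a SIP ALG reads the SDP the endpoints exchange and opens pinholes for the negotiated media ports; without it, only a static service such as Site B's "Asterisk RTP" (udp dst-port 30000-32000) can match the media. The script parses SDP the way an ALG would and reports, per direction, whether that static range would match. The SDP bodies are constructed, using the phone port 2250 and PBX port 30878 that appear in the poster's later debug output, with 203.0.113.51 standing in for the masked Asterisk address x.x.x.51.

```python
import re
from dataclasses import dataclass

# Static RTP service as defined on Site B in the thread:
#   set service "Asterisk RTP" protocol udp src-port 1-65535 dst-port 30000-32000
ALLOWED_RTP_RANGE = (30000, 32000)

# Constructed SDP bodies (not captures from the thread). Port 2250 on the phone and
# port 30878 on the PBX are the RTP ports visible in the poster's debug output;
# 203.0.113.51 (TEST-NET-3) stands in for the masked Asterisk address x.x.x.51.
PHONE_OFFER = """\
v=0
o=- 1246987654 1246987654 IN IP4 10.1.1.17
s=-
c=IN IP4 10.1.1.17
t=0 0
m=audio 2250 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=sendrecv
"""

PBX_ANSWER = """\
v=0
o=root 1246987655 1246987655 IN IP4 203.0.113.51
s=session
c=IN IP4 203.0.113.51
t=0 0
m=audio 30878 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=sendrecv
"""

M_LINE = re.compile(r"^m=(\w+) (\d+)(?:/\d+)? (\S+)")
C_LINE = re.compile(r"^c=IN IP4 ([\d.]+)")
RTCP_ATTR = re.compile(r"^a=rtcp:(\d+)")


@dataclass
class MediaPinhole:
    media: str      # "audio", "video", ...
    addr: str       # where RTP is sent; a media-level c= overrides the session-level one
    rtp_port: int
    rtcp_port: int  # RTP port + 1 unless an a=rtcp: attribute says otherwise


def parse_sdp_media(sdp: str) -> list:
    """Return one MediaPinhole per m= line, the way an ALG derives its pinholes."""
    session_addr = None
    pinholes = []
    for line in sdp.splitlines():
        line = line.strip()
        if (m := C_LINE.match(line)):
            if pinholes:
                pinholes[-1].addr = m.group(1)   # media-level c= (after an m= line)
            else:
                session_addr = m.group(1)        # session-level c=
        elif (m := M_LINE.match(line)):
            port = int(m.group(2))
            pinholes.append(MediaPinhole(m.group(1), session_addr or "", port, port + 1))
        elif (m := RTCP_ATTR.match(line)) and pinholes:
            pinholes[-1].rtcp_port = int(m.group(1))
    return pinholes


def in_static_range(port: int, allowed=ALLOWED_RTP_RANGE) -> bool:
    lo, hi = allowed
    return lo <= port <= hi


def evaluate_call(offer_sdp: str, answer_sdp: str, allowed=ALLOWED_RTP_RANGE) -> dict:
    """For each direction, (rtp_ok, rtcp_ok): would a static dst-port service match?
    Each side sends its media to the port the *other* side advertised in its m= line."""
    offer = parse_sdp_media(offer_sdp)[0]
    answer = parse_sdp_media(answer_sdp)[0]
    return {
        "caller_media": (offer.addr, offer.rtp_port),
        "callee_media": (answer.addr, answer.rtp_port),
        "caller_to_callee": (in_static_range(answer.rtp_port, allowed),
                             in_static_range(answer.rtcp_port, allowed)),
        "callee_to_caller": (in_static_range(offer.rtp_port, allowed),
                             in_static_range(offer.rtcp_port, allowed)),
    }


if __name__ == "__main__":
    for key, value in evaluate_call(PHONE_OFFER, PBX_ANSWER).items():
        print(f"{key:>18}: {value}")
```

With the page's ports, phone-to-PBX media lands inside the static range, while PBX-to-phone (dst port 2250) does not, so that direction can only be carried by the firewall's session state for the first flow or by an ALG pinhole.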
 

Author Comment

by:philciccone
ID: 24796699
I have found that ALG should be disabled for any attempt at getting SIP to work at all, the VPN is policy based so it's not filtering ports, for the hell of it I did enable SIP ALG just to see what happens, no change. Moving on to the debug, I have started with debug flow drop to see if I can get something quicker, and I did but I don't know how to interpret the error "pak has inconsistent tunnel (40000026,ffffffff)". I Googled the error and in just the few returned results someone else has the exact same problem I have (with no answer), so this has to be related to the issue?

Also keep in mind that if I edit the VPN policy and just re-save it via the GUI audio starts to pass on the call in progress, this has to be a hint to where my mistakes are?

****** 68031.0: <Trust/trust> packet received [60]******

  ipid = 32668(7f9c), @000ba04e

  packet passed sanity check.

  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>

  existing session found. sess token 2

  flow got session.

  flow session id 306

--- more --- 

  post addr xlation: 10.1.1.27->x.x.x.51.

  going into tunnel 40000026.

  flow_encrypt: vector=6765cc.

chip info: PIO. Tunnel id 00000026

(vn2)  doing ESP encryption and size =64

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

  out encryption tunnel 40000026 gw:76.97.24.1

  no more encapping needed.

  packet send out to 00015c242501 through untrust

****** 68031.0: 

  packet passed sanity check.

  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>

  existing session found. sess token 2

  flow got session.

  flow session id 1107

68031.0:   pak has inconsistent tunnel (40000026,ffffffff)
 
 

v**** 68904.0: <Trust/trust> packet received [60]******

  ipid = 54654(d57e), @000b204e

  packet passed sanity check.

  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>

  existing session found. sess token 2

  flow got session.

  flow session id 1107

68904.0:   pak has inconsistent tunnel (40000026,ffffffff)

****** 68904.0: <Untrust/untrust> packet received [112]******

  ipid = 23881(5d49), @000c904e

  packet passed sanity check.

  untrust:x.x.x.2/3446->76.97.31.8/26226,50<Root>

  existing session found. sess token 3

  flow got session.

  flow session id 233

  flow_decrypt: vector=673b8c.

  Dec: SPI=0d766672, Data=112

  SA tunnel id=0x00000026, flag<00002063>

chip info: PIO. Tunnel id 00000026

ipsec decrypt prepare done

ipsec decrypt set engine done

ipsec decrypt engine released, auth check pass!

--- more --- 

, Data=128

  SA tunnel id=0x00000026, flag<00002063>

chip info: PIO. Tunnel id 00000026

ipsec decrypt prepare done

ipsec decrypt set engine done

ipsec decrypt engine released, auth check pass!

  packet is decrypted

ipsec decrypt done

  untrust:x.x.x.51/30777->10.1.1.27/2253,17<Root>

  existing session found. sess token 3

  flow got session.

  flow session id 703

  post addr xlation: x.x.x.51->10.1.1.27.

  no more encapping needed.

  packet send out to 0004f2036c92 (cached) through trust

****** 68928.0: <Untrust/untrust> packet received [144]******

  ipid = 25127(6227), @000d004e

  packet passed sanity check.

  untrust:x.x.x.2/3446->76.97.31.8/26226,50<Root>

  existing session found. sess token 3

  flow got session.

  flow session id 233

--- more --- 

e3ea), @000b604e

  packet passed sanity check.

  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>

  existing session found. sess token 2

  flow got session.

  flow session id 306

  post addr xlation: 10.1.1.27->x.x.x.51.

  going into tunnel 40000026.

  flow_encrypt: vector=6765cc.

chip info: PIO. Tunnel id 00000026

(vn2)  doing ESP encryption and size =64

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

  out encryption tunnel 40000026 gw:76.97.24.1

  no more encapping needed.

  packet send out to 00015c242501 through untrust


Author Comment

by:philciccone
ID: 24796797
Attached here is Site-A to Site-B with a filter set on the src-ip and dst-ip of the Asterisk box.
****** 611575.0: <V1-Trust/ethernet1> packet received [60]******

  ipid = 0(0000), @c7d05110

  packet passed sanity check.

  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>

found mac 001121aa1c80 on ethernet3

  flow packet already have session.

  flow session id 31570

  skip ttl adjust for packet from self.

 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 

  going into tunnel 40000001.

  flow_encrypt: enc vector=ba181c.

chip info: PIO. Tunnel id 00000001

=64          

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

  out encryption tunnel 40000001 gw:x.x.x.1

  no more encapping needed

****** 611589.0: <V1-Trust/ethernet1> packet received [60]******

  ipid = 0(0000), @c7d1d910

  packet passed sanity check.

  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>

found mac 001121aa1c80 on ethernet3

  flow packet already have session.

  flow session id 31570

  skip ttl adjust for packet from self.

 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 

  going into tunnel 40000001.

  flow_encrypt: enc vector=ba181c.

chip info: PIO. Tunnel id 00000001

(vn2)  doing ESP encryption and size =64

ipsec encrypt prepare engine done

ipsec encrypt set engine done

1aa1c80 on ethernet3

ypt set engine done

ipsec encrypt engine released

ipsec encrypt done

  out encryption tunnel 40000001 gw:x.x.x.1

  no more encapping needed

****** 611635.0: <V1-Trust/ethernet1> packet received [60]******

  ipid = 0(0000), @c7d17910

  packet passed sanity check.

  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>

found mac 001121aa1c80 on ethernet3

  flow packet already have session.

  flow session id 31570

  skip ttl adjust for packet from self.

 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 

  going into tunnel 40000001.

  flow_encrypt: enc vector=ba181c.

chip info: PIO. Tunnel id 00000001

(vn2)  doing ESP encryption and size =64

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

eeded        

****** 611649.0: <V1-Trust/ethernet1> packet received [60]******

  ipid = 0(0000), @c7d11110

  packet passed sanity check.

  v1-trust:x.x.x.51/30878->10.1.1.17/2250,17<Root>

found mac 001121aa1c80 on ethernet3

  flow packet already have session.

  flow session id 31570

  skip ttl adjust for packet from self.

 asic_based_forwarding and ipv4_pre_frag not set, skip pre-frag 

  going into tunnel 40000001.

  flow_encrypt: enc vector=ba181c.

chip info: PIO. Tunnel id 00000001

(vn2)  doing ESP encryption and size =64

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

  out encryption tunnel 40000001 gw:x.x.x.1

  no more encapping needed

*


Author Comment

by:philciccone
ID: 24796959
On Site B I decided to open/save the policy via the web to make the audio start working. I have attached below the debug flow basic of the audio flowing properly; it looks a lot different! :)
****** 70387.0: <Trust/trust> packet received [60]******

  ipid = 7154(1bf2), @000b384e

--- more --- 

 3

  flow got session.

  flow session id 259

  flow_decrypt: vector=673b8c.

  Dec: SPI=0d766677, Data=112

  SA tunnel id=0x00000029,ng queue.

  flow ip send net: gw = 10.1.1.17

0029

ipsec decrypt prepare done

ipsec decrypt set engine dipid = 8404(20d4), @000a004e

  packet passed sanity check.

  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>

  existing session found. sess token 2

  flow got session.

  flow session id 1588

  post addr xlation: 10.1.1.27->x.x.x.51.

  going into tunnel 40000029.

  flow_encrypt: vector=6765cc.

chip info: PIO. Tunnel id 00000029

(vn2)  doing ESP encryption and size =64

ipsec encrypt prepare engine done

ipsec encrypt set engine done

--- more --- 

rust:x.x.x.51/30776->10.1.1.27/2252,17<Root>

  existing session found. sess token 3

  flow got session.

  flow session id 1588

  post addr xlation: x.x.x.51->10.1.1.27.

  no more encapping needed.

  send packet to traffic shaping queue.

  flow ip send net: gw = 10.1.1.17

  flow ip send net: gw = 10.1.1.27

  flow ip send net: gw = 76.97.24.1

  flow ip send net: gw = 76.97.24.1

****** 70403.0: <Untrust/untrust> packet received [1420]******

  ipid = 23356(5b3c), @000da04e

  packet passed sanity check.

  untrust:165.193.54.21/12150->76.97.31.8/2864,6<Root>

  existing session found. sess token 3

  flow got session.

  flow session id 1654

  po encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

--- more --- 

 released

ipsec encrypt done

  out encryption tunnel 40000029 gw:76.97.24.1

  no more encapping needed.

  send packet to traffic shaping queue.

LVL 18

Expert Comment

by:deimark
ID: 24797231
That does seem a bit odd here.

Can I assume that the asterisk box is on 10.1.1.17?

Also, how are your sessions listed here? Are we maybe maxing out some counters? I only say that as the logs we have here show a lot of the packets coming in being detected as having an existing session and being forwarded accordingly.

Can you have a look at the bottom line of get session to see what you have there? Also double check the licensing and hardware limits for the sessions; run "get license-key" to confirm this.

What makes it more confusing is that a simple save of an existing VPN is enough to effect a renegotiation and all is good.

Can you let us see the output of get ike cookie and get sa active?
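To compare the two Site B captures without reading every record by hand, here is an added Python helper (not from the thread, and not a Juniper tool) that parses debug flow basic output into per-packet records and summarises, per session id, how many packets were encrypted into a tunnel versus how many hit the "pak has inconsistent tunnel" check, flagging flows whose destination port falls in the Asterisk RTP range of 30000 to 32000 given in the question. The sample log is constructed from the values in the posts above, and the regexes assume the line formats shown there.

```python
import re
# Constructed sample modelled on the Site B "debug flow basic" output posted
# above (RTP session 1107 never enters tunnel 40000026); not a real capture.
SAMPLE = """\
****** 68031.0: <Trust/trust> packet received [60]******
  trust:10.1.1.27/2252->x.x.x.51/30776,17<Root>
  flow session id 306
  going into tunnel 40000026.
****** 68031.0: <Trust/trust> packet received [60]******
  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>
  flow session id 1107
68031.0:   pak has inconsistent tunnel (40000026,ffffffff)
****** 68904.0: <Trust/trust> packet received [60]******
  trust:10.1.1.17/2250->x.x.x.51/30878,17<Root>
  flow session id 1107
68904.0:   pak has inconsistent tunnel (40000026,ffffffff)
"""
PKT = re.compile(r"^\*+ (?P<ts>[\d.]+): <[^>]+> packet received")
FLOW = re.compile(r"^\s*[\w-]+:(?P<src>\S+)->(?P<dst>[^,]+),(?P<proto>\d+)<")
SESS = re.compile(r"flow session id (?P<sid>\d+)")
TUN = re.compile(r"going into tunnel (?P<tun>[0-9a-f]+)")
BAD = re.compile(r"inconsistent tunnel \((?P<a>[0-9a-f]+),(?P<b>[0-9a-f]+)\)")

def parse_debug_flow(text):
    """One dict per packet record; 'tunnel' and 'bad' stay None when absent."""
    records, cur = [], {}   # lines before the first header land in a throwaway dict
    for line in text.splitlines():
        if m := PKT.match(line):
            cur = {"ts": m["ts"], "tunnel": None, "bad": None}
            records.append(cur)
        elif m := FLOW.match(line):
            cur.update(src=m["src"], dst=m["dst"], proto=int(m["proto"]))
        elif m := SESS.search(line):
            cur["sid"] = int(m["sid"])
        elif m := TUN.search(line):
            cur["tunnel"] = m["tun"]
        elif m := BAD.search(line):
            cur["bad"] = (m["a"], m["b"])   # the two tunnel ids ScreenOS prints
    return records

def session_summary(records, rtp_ports=range(30000, 32001)):
    """Per session id: the flow, whether it is RTP, and tunnelled vs. failed counts."""
    out = {}
    for r in records:
        if "sid" not in r or "src" not in r: continue   # header-only fragments
        s = out.setdefault(r["sid"], {"flow": f"{r['src']}->{r['dst']}", "tunnelled": 0,
            "inconsistent": 0, "rtp": int(r["dst"].rsplit("/", 1)[1]) in rtp_ports})
        if r["bad"]:
            s["inconsistent"] += 1
        elif r["tunnel"]:
            s["tunnelled"] += 1
    return out
```

Run it over a saved debug flow capture before and after the change to the policy or the ALG to see which RTP sessions stop hitting the inconsistent-tunnel check.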
 

Accepted Solution

by:
philciccone earned 0 total points
ID: 24797453
I found the issue, with some hints you gave me....

Turns out the SIP ALG option exists, but is hidden on the Netscreen-5s; it's only available via the command line, not the web interface. I ran "unset sip alg" on the Netscreen-5 and it fixed the problem. I did not put it together that ALG exists on the 5s but can only be turned off via the command line.

As for why the audio started working on the policy reset, my guess is that ALG is reset when you save a policy, i.e. the "SIP state is lost" on the application layer I guess.

Very happy I am! :)
 
LVL 18

Expert Comment

by:deimark
ID: 24797491
Hehe, nice find.

BTW, the NS5s will also run up to the latest version of ScreenOS, so if you wanted everything as visible as you can, upgrade to 6.x on all (preferably 6.2 IMO).
 

Author Comment

by:philciccone
ID: 24797593
I should do that on all my firewalls, but sadly I don't have access to the latest firmware on any of them. :(
 
LVL 18

Expert Comment

by:deimark
ID: 24799002
Note, that you can also export the firmware from one firewall to another, with the usual caveat that it needs to be the same model.

Some folk buy a firewall from eBay, for example, which happens to have a later version installed than the other firewalls, so you can save the software to TFTP and then re-import it on other units.

It's not a great way to work, especially with the likes of a good enterprise product like Juniper, but some do tend to use this as a cheap way of managing a firewall base.

DM
 

Author Comment

by:philciccone
ID: 24799215
Appreciate the tip; if the opportunity arises I will. -- Phil
