One Way Audio Issues and STUN

DustinB3403

@krisleslie said in SIP Desk Phones Not Re-Registering with Main WAN's IP After WAN Fail-back:

Cloud hosted. I will make a new thread. I apologize.

No wait, stop.

Paging @scottalanmiller to fork from here https://mangolassi.it/topic/16604/sip-desk-phones-not-re-registering-with-main-wan-s-ip-after-wan-fail-back/21

JaredBusch

@krisleslie said in One Way Audio Issues and STUN:

Cloud hosted. I will make a new thread. I apologize.

Ok, so one way issues should happen on ext to ext calls too if it was your firewall. It should not be "only" on external calls.

DustinB3403

@JaredBusch I might've missed it, but is @krisleslie system hosted offsite on vultr or some such place?

scottalanmiller

@dustinb3403 said in One Way Audio Issues and STUN:

@JaredBusch I might've missed it, but is @krisleslie system hosted offsite on vultr or some such place?

It's on Rackspace.

scotth

This may or may not help.... I ran into a SIP issue last fall at one of our sites. I found IPS triggers in the logs and created an exception in the IPS which fixed the issue.
This started as a one way audio issue.
Here's a cap of the signature database description. We use Watchguard appliances.

0_1520972420278_SIP IPS signature trigger.png

krisleslie

Scott I caught an article on that also this morning how SIP/ALG and IPS need to both be off. Why is it that the things intended to make things "better" tend to need to be off lol. Then when we add STUN to the equation it can also negate any other changes made due to it!

krisleslie

The SIP/ALG I forgot to turn off last night as I was too busy trying to test out my WDS server

If I stay late tonight and the office is clear, I'm disabling that ALG it seems to be the common cause of all issues and then as far as IPS getting disabled on the Edge Router I dunno how or even if I should!

krisleslie

Hackers are probing us just not in high volume.

scottalanmiller

@krisleslie said in One Way Audio Issues and STUN:

Scott I caught an article on that also this morning how SIP/ALG and IPS need to both be off. Why is it that the things intended to make things "better" tend to need to be off lol. Then when we add STUN to the equation it can also negate any other changes made due to it!

ALG should normally always be off, and Jarod always disables in on ER devices. We've had good luck in it not breaking there (it definitely breaks on every other device we know of.) ALG is not designed to fix anything, AFAIK, it is literally intended to break SIP, it's never fixed anything and there was nothing to fix.

krisleslie

@scottalanmiller WOW can I become one of the IETF that proposes things to break things! I'm sure I can do a good job lol

scottalanmiller

@krisleslie said in One Way Audio Issues and STUN:

@scottalanmiller WOW can I become one of the IETF that proposes things to break things! I'm sure I can do a good job lol

Not aware of ALG as any standard. Just an industry option for "break SIP".

JaredBusch

@scottalanmiller said in One Way Audio Issues and STUN:

@krisleslie said in One Way Audio Issues and STUN:

@scottalanmiller WOW can I become one of the IETF that proposes things to break things! I'm sure I can do a good job lol

Not aware of ALG as any standard. Just an industry option for "break SIP".

ALG was part of the SIP Examples RFC (I have read this before but had to google it up again).

https://tools.ietf.org/html/rfc3665

The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic.

scottalanmiller

@jaredbusch said in One Way Audio Issues and STUN:

The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic.

That's my understanding of it, and how it is implemented. Had no idea there was a standard for that mess.

scotth

I've never turned on ALG. I caught this because I have a catchall proxy at the end of my policies for outgoing TCP/UDP/DNS that might have slipped through my other policies. It makes sure that everything is scanned and IPS hopefully catches what I may have missed.

scotth

I don't like the stock, out of the box -- Allow All to Any
Edit: Outgoing: Allow All to Any

scottalanmiller

@scotth said in One Way Audio Issues and STUN:

I've never turned on ALG.

On by default, have to manually turn it off.

scotth

@scottalanmiller said in One Way Audio Issues and STUN:

@scotth said in One Way Audio Issues and STUN:

I've never turned on ALG.

On by default, have to manually turn it off.

Not in the Watchguards that I use

scottalanmiller

@scotth said in One Way Audio Issues and STUN:

@scottalanmiller said in One Way Audio Issues and STUN:

@scotth said in One Way Audio Issues and STUN:

I've never turned on ALG.

On by default, have to manually turn it off.

Not in the Watchguards that I use

We're discussing Ubiquiti here. That's what the OP is using.

scotth

Apologies

scottalanmiller

@scotth said in One Way Audio Issues and STUN:

Apologies

Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.