One Way Audio Issues and STUN
-
This may or may not help... I ran into a SIP issue last fall at one of our sites. I found IPS triggers in the logs and created an exception in the IPS, which fixed the issue.
This started as a one way audio issue.
Here's a cap of the signature database description. We use Watchguard appliances.
-
Scott, I caught an article on that also this morning about how SIP/ALG and IPS need to both be off. Why is it that the things intended to make things "better" tend to need to be off? lol. Then, when we add STUN to the equation, it can also negate any other changes made due to it!
-
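The STUN part of the thread is easier to follow with the exchange in front of you. The following is an added example, not code from anyone in this thread: a phone sends a STUN Binding Request, the server answers with an XOR-MAPPED-ADDRESS (RFC 5389), and the phone recovers the public address:port it should advertise in its SDP instead of its LAN address. The server reply here is constructed locally rather than fetched from a real STUN server, and the addresses (192.168.1.20, 203.0.113.7, 2001:db8::1) are documentation values.

```python
# Added example (not from the thread): a minimal STUN Binding exchange (RFC 5389)
# showing how a phone learns the public address:port it should put in its SDP,
# which is the job an ALG tries to do by rewriting packets in transit instead.
import os
import struct
import ipaddress

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """20-byte STUN header: type, length, magic cookie, 96-bit transaction id."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def encode_xor_mapped_address(ip, port, txn_id):
    """Server side: XOR the reflexive address with the cookie (plus txn id for IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        family, key = 0x01, struct.pack("!I", MAGIC_COOKIE)
    else:
        family, key = 0x02, struct.pack("!I", MAGIC_COOKIE) + txn_id
    xaddr = bytes(a ^ b for a, b in zip(addr.packed, key))
    xport = port ^ (MAGIC_COOKIE >> 16)
    value = struct.pack("!BBH", 0, family, xport) + xaddr
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(txn_id, reflexive_ip, reflexive_port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS (sample, not a capture)."""
    attr = encode_xor_mapped_address(reflexive_ip, reflexive_port, txn_id)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_stun(msg):
    """Return (message type, transaction id, [(attribute type, raw value), ...])."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    txn_id = msg[8:20]
    if len(msg) < 20 + length:
        raise ValueError("truncated STUN message")
    attrs, off, end = [], 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs.append((atype, msg[off + 4:off + 4 + alen]))
        off += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 32-bit boundaries
    return mtype, txn_id, attrs


def decode_xor_mapped_address(value, txn_id):
    """Client side: undo the XOR to recover the public (reflexive) ip and port."""
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:
        key, xaddr = struct.pack("!I", MAGIC_COOKIE), value[4:8]
    elif family == 0x02:
        key, xaddr = struct.pack("!I", MAGIC_COOKIE) + txn_id, value[4:20]
    else:
        raise ValueError("unknown address family")
    addr = bytes(a ^ b for a, b in zip(xaddr, key))
    return str(ipaddress.ip_address(addr)), port


def reflexive_address(response, expected_txn_id):
    """What the phone should advertise in SDP c=/m= instead of its LAN address."""
    mtype, txn_id, attrs = parse_stun(response)
    if mtype != BINDING_RESPONSE or txn_id != expected_txn_id:
        raise ValueError("response does not match our request")
    for atype, value in attrs:
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            return decode_xor_mapped_address(value, txn_id)
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def behind_nat(local_ip, local_port, reflexive):
    """True when the address the server saw differs from what the phone bound locally."""
    return reflexive != (local_ip, local_port)


if __name__ == "__main__":
    request = build_binding_request()
    txn = request[8:20]
    # Constructed reply, as a STUN server on the internet would send it back through the NAT.
    reply = build_binding_response(txn, "203.0.113.7", 40000)
    public = reflexive_address(reply, txn)
    print("reflexive address:", public)
    print("behind NAT:", behind_nat("192.168.1.20", 5060, public))
```

The transaction id check in `reflexive_address` is the one defensive detail worth keeping in a real client: a reply whose id does not match the outstanding request is discarded rather than trusted for the address the phone will sign its SDP with.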
I forgot to turn the SIP/ALG off last night, as I was too busy trying to test out my WDS server.
If I stay late tonight and the office is clear, I'm disabling that ALG; it seems to be the common cause of all issues. As for getting IPS disabled on the Edge Router, I dunno how, or even if I should!
-
Hackers are probing us, just not in high volume.
-
@krisleslie said in One Way Audio Issues and STUN:
Scott, I caught an article on that also this morning about how SIP/ALG and IPS need to both be off. Why is it that the things intended to make things "better" tend to need to be off? lol. Then, when we add STUN to the equation, it can also negate any other changes made due to it!
ALG should normally always be off, and Jarod always disables it on ER devices. We've had good luck in it not breaking there (it definitely breaks on every other device we know of). ALG is not designed to fix anything, AFAIK; it is literally intended to break SIP. It's never fixed anything, and there was nothing to fix.
-
@scottalanmiller WOW, can I become one of the IETF people who propose things that break things? I'm sure I can do a good job lol
-
@krisleslie said in One Way Audio Issues and STUN:
@scottalanmiller WOW, can I become one of the IETF people who propose things that break things? I'm sure I can do a good job lol
Not aware of ALG as any standard. Just an industry option for "break SIP".
-
@scottalanmiller said in One Way Audio Issues and STUN:
@krisleslie said in One Way Audio Issues and STUN:
@scottalanmiller WOW, can I become one of the IETF people who propose things that break things? I'm sure I can do a good job lol
Not aware of ALG as any standard. Just an industry option for "break SIP".
ALG was part of the SIP Examples RFC (I have read this before but had to google it up again).
https://tools.ietf.org/html/rfc3665
The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic.
-
@jaredbusch said in One Way Audio Issues and STUN:
The problem with ALG is that, if I understand how it was originally designed, it is basically a MitM on SIP traffic.
That's my understanding of it, and how it is implemented. Had no idea there was a standard for that mess.
-
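The "MitM on SIP traffic" description above is the whole story of one-way audio behind NAT, and it is worth seeing on the wire. The following is an added example, not code from anyone in this thread: it builds a constructed INVITE whose SDP still carries the phone's LAN address, flags why the far end's RTP can never arrive, and then applies a simplified model of the in-path rewrite a SIP ALG performs. The `alg_rewrite` function is my own model of that rewrite, not the behaviour of any particular firewall; the `reframe=False` variant is a hypothetical sloppy rewrite included to show how fragile editing a message in transit is. Addresses (192.168.1.20, 203.0.113.7) and the SIP identities are placeholders.

```python
# Added example (not from the thread): how a one-way-audio INVITE looks on the wire,
# and a simplified, hypothetical model of the in-path rewrite a SIP ALG performs on it.
import ipaddress
import re

# NAT-relevant check: only RFC 1918 space counts as "private" here, because Python's
# ip_address(...).is_private also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def build_invite(signalling_ip, media_ip, media_port):
    """Constructed SIP INVITE with an SDP body (sample, not a capture from the thread)."""
    body = (
        "v=0\r\n"
        f"o=phone 1 1 IN IP4 {media_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {media_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {media_port} RTP/AVP 0 8\r\n"
    )
    head = (
        "INVITE sip:2125551234@sip.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {signalling_ip}:5060;branch=z9hG4bK776asdhds\r\n"
        f"Contact: <sip:1001@{signalling_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


def split_message(raw):
    """Return (request line, {header name (lower-cased): value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_endpoint(raw):
    """The address:port the far end will send RTP to, taken from SDP c= and m=audio."""
    _, _, body = split_message(raw)
    c = re.search(r"^c=IN IP4 ([0-9.]+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    if not c or not m:
        raise ValueError("no audio media description in SDP")
    return c.group(1), int(m.group(1))


def diagnose(raw, observed_src_ip):
    """Findings that explain why the far end's RTP would never reach the caller."""
    findings = []
    _, headers, body = split_message(raw)
    media_ip, media_port = media_endpoint(raw)
    if is_rfc1918(media_ip) and not is_rfc1918(observed_src_ip):
        findings.append(
            f"SDP advertises private media address {media_ip}:{media_port} but the "
            f"message arrived from {observed_src_ip}: RTP back to the caller goes to "
            "an unroutable address (one-way audio)"
        )
    if int(headers.get("content-length", -1)) != len(body):
        findings.append("Content-Length does not match the SDP body (message was "
                        "rewritten in transit without re-framing)")
    return findings


def alg_rewrite(raw, private_ip, public_ip, reframe=True):
    """Hypothetical model of a SIP ALG: substitute the public address for the private
    one in Via, Contact and SDP. reframe=False mimics a rewrite that forgets Content-Length."""
    rewritten = raw.replace(private_ip, public_ip)
    if reframe:
        head, sep, body = rewritten.partition("\r\n\r\n")
        head = re.sub(r"(?m)^Content-Length: \d+", f"Content-Length: {len(body)}", head)
        rewritten = head + sep + body
    return rewritten


if __name__ == "__main__":
    invite = build_invite("192.168.1.20", "192.168.1.20", 16384)
    # As seen at the SIP provider after NAT: the phone's LAN address is still inside the SDP.
    for finding in diagnose(invite, "203.0.113.7"):
        print("-", finding)
    fixed = alg_rewrite(invite, "192.168.1.20", "203.0.113.7")
    print("after careful rewrite:", diagnose(fixed, "203.0.113.7"))
    broken = alg_rewrite(invite, "192.168.1.20", "203.0.113.7", reframe=False)
    print("after sloppy rewrite:", diagnose(broken, "203.0.113.7"))
```

Run it and the first block of output is the symptom everyone in the thread is chasing: signalling arrives from a public address while the SDP points RTP at 192.168.1.20. The phone fixing its own SDP (via STUN or a static NAT setting) removes that finding without anything in the path touching the message; the ALG path only works when every rewrite is complete and consistent, which is why turning it off is the first thing to try.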
I've never turned on ALG. I caught this because I have a catchall proxy at the end of my policies for outgoing TCP/UDP/DNS that might have slipped through my other policies. It makes sure that everything is scanned and IPS hopefully catches what I may have missed.
-
I don't like the stock, out of the box -- Allow All to Any
Edit: Outgoing: Allow All to Any
-
@scotth said in One Way Audio Issues and STUN:
I've never turned on ALG.
On by default, have to manually turn it off.
-
@scottalanmiller said in One Way Audio Issues and STUN:
@scotth said in One Way Audio Issues and STUN:
I've never turned on ALG.
On by default, have to manually turn it off.
Not in the Watchguards that I use.
-
@scotth said in One Way Audio Issues and STUN:
@scottalanmiller said in One Way Audio Issues and STUN:
@scotth said in One Way Audio Issues and STUN:
I've never turned on ALG.
On by default, have to manually turn it off.
Not in the Watchguards that I use.
We're discussing Ubiquiti here. That's what the OP is using.
-
Apologies
-
@scotth said in One Way Audio Issues and STUN:
Apologies
Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.
-
@scottalanmiller said in One Way Audio Issues and STUN:
@scotth said in One Way Audio Issues and STUN:
Apologies
Although nice that WG doesn't turn it on by default, most systems do. Such a bad idea.
I'd have to dig, but I'm fairly sure that I saw a notification in one of the release notes for an update that it was to be left off unless you had a VOIP / SIP vendor who specifically required it.
-
@scotth Very few, if any, tell you to turn it on. I could see maybe a scenario where the SIP provider provided you the equipment; then sure, if they want it turned on, cool, since they may have certified it. But in general, I think the problem is that whatever ALG is doing messes with the firewall, and I think basically the traffic is getting probed and flagged!
-
I want to go find the programmer who created ALG and throw him in a cage of lions!
#frustrated!