Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: Q on VoIPo SIP outbound vs. router

  1. #1
    Join Date
    Feb 2010
    Posts
    235

    Default Q on VoIPo SIP outbound vs. router

    Trying this question here before I file a trouble ticket...
    My router's event log (syslog stored internally), has several per minute notices. Each says the router blocked a SIP packet from the Grandstream ATA directed to server 72.51.46.124:5060. This is OUTBOUND.

    My router has firewall settings for SIP/ALG and this is enabled. I assume this is for inbound SIP connections (receiving a call).

    The firewall settings in the router do not have anything specific on blocking ports for OUTBOUND.

    Port-forwarding for inbound seems N/A for this discussion, but it's enabled none the less, to forward to the ATA.

    The exact router message is "SIP ALG rejected packet from 192.168.1.51:5079 to 72.51.46.124:5060" (where .51 is the Grandstream on the LAN) All log messages have the same destination SIP server IP.

    which suggests that the ALG in the router decided the SIP packet is invalid and should not be forwarded to the Internet?

    I also tried putting the ATA in the router's DMZ. No help.

    All this does is quickly fill up my router's log. It may also be a problem when the ATA tries to contact a designated SIP server for registration, but I have no loss of service problems for registration.
    Last edited by stevech; 03-09-2011 at 05:33 PM.

  2. #2
    Join Date
    Feb 2010
    Posts
    221

    Default Re: Q on VoIPo SIP outbound vs. router

    Can you turn ALG off? This is often recommended.
    Steve

  3. #3
    Join Date
    Feb 2010
    Posts
    235

    Default Re: Q on VoIPo SIP outbound vs. router

    Quote Originally Posted by holmes4 View Post
    Can you turn ALG off? This is often recommended.
    Yes, I can turn ALG/SIP off, and a list of others such as MMS, IPsec, PPTP, and RTSP. The latter is used by VoIP for the bearer traffic, right?

    Is the purpose of router-based ALG to avoid the need to do explicit port-forwarding or "triggered" forwarding, etc? I don't know.

  4. #4
    Join Date
    Jan 2009
    Posts
    230

    Default Re: Q on VoIPo SIP outbound vs. router

    VOIPo is sending keep alive packets to keep customers routers ports from closing. Your router settings are set not to reply (permit an outbound packet) to an inbound packet request that is only a single packet reply to a solicitation (similar to blocking WAN ping requests). If you are not having registration issues or call quality issues, I wouldn't worry about it and keep your current configuration.

  5. #5
    Join Date
    Feb 2010
    Posts
    235

    Default Re: Q on VoIPo SIP outbound vs. router

    Quote Originally Posted by voipinit View Post
    Your router settings are set not to reply (permit an outbound packet) to an inbound packet request that is only a single packet reply to a solicitation (similar to blocking WAN ping requests).
    What setting would prohibit a reply initiated by the ATA?

  6. #6
    Join Date
    Jan 2009
    Posts
    230

    Default Re: Q on VoIPo SIP outbound vs. router

    I'll tell you what I know:

    To answer your question it is most likely SIP ALG but I don't know your other options either configurable or not configurable (if any) regarding the routers firewall.

    SIP ALG is supposed to do 3 things (few commercial routers do this well - most don't):

    Open the appropriate ports for VOIP traffic.
    Check VOIP packets to ensure it complies with SIP protocols.
    Allow auditing by producing log messages.

    My guess:
    It appears your router SIP ALG is accepting the incoming keep alive from VOIPo like it should since it is valid VOIP traffic, but is not accepting your ATA's reply (and thus generates a log message). This could be from SIP ALG not recognizing the ATA's reply as VOIP traffic or it not complying with the routers SIP ALG algorithm violating the SIP protocol (either correctly or incorrectly).

  7. #7
    Join Date
    Feb 2010
    Posts
    235

    Default Re: Q on VoIPo SIP outbound vs. router

    Quote Originally Posted by voipinit View Post
    I'll tell you what I know:

    To answer your question it is most likely SIP ALG but I don't know your other options either configurable or not configurable (if any) regarding the routers firewall.

    SIP ALG is supposed to do 3 things (few commercial routers do this well - most don't):

    Open the appropriate ports for VOIP traffic.
    Check VOIP packets to ensure it complies with SIP protocols.
    Allow auditing by producing log messages.

    My guess:
    It appears your router SIP ALG is accepting the incoming keep alive from VOIPo like it should since it is valid VOIP traffic, but is not accepting your ATA's reply (and thus generates a log message). This could be from SIP ALG not recognizing the ATA's reply as VOIP traffic or it not complying with the routers SIP ALG algorithm violating the SIP protocol (either correctly or incorrectly).
    re your last paragraph: I suspect that too- that the Grandstream is generating a packet that the router's ALG outgoing cannot validate. It sees that it's SIP, but something else is invalid.
    I don't think this is related to the incoming from the various VoIOo partner servers - the router is normally set to drop these and not forward, since they serve no purpose in my router. And when I did put the ATA in the DMZ where the incoming are accepted, it made no difference- the outgoing packets from the Grandstream are rejected by the ALG none the less.

    I will check again with VoIPo tech support. I believe that the Grandstream's attempts at outgoing SIP may be registration or keep-alive notices. Last ticket I filed was due to loss of service. VoIPo noted that my ATA wasn't being provisioned. They didn't say why but did the usual hail-mary fix: Upgrade the ATA's firmware version and hope.

  8. #8
    Join Date
    Jan 2009
    Posts
    230

    Default Re: Q on VoIPo SIP outbound vs. router

    What may be happening is the keep alive packet has your local LAN IP as the return IP . Local LAN IP's are not routable, so your router correctly rejects it. This process appears to be working as designed.

  9. #9
    Join Date
    May 2009
    Posts
    325

    Default Re: Q on VoIPo SIP outbound vs. router

    I get a lot of blocked outbound ICMP (Type 3) packets from my ATA, and I have SIP ALG turned off. I was told by support that this is normal.

  10. #10
    Join Date
    Dec 2008
    Posts
    200

    Default Re: Q on VoIPo SIP outbound vs. router

    There are 3 things in play here..
    • SIP ALG - which rewrites SIP header with public IP and public port.
      If this is on and it works correctly then you probably don't need a
      STUN server.

    • Firewall - which inspects UDP/TCP sessions and open/closes port ASAP.
      Probably does other things too. Like DOS attack etc.

    • NAT - which maps and internal IP/port to external IP/port. There are different
      types of NAT. But its mostly about directing/blocking traffic from WAN.

    My guess is probably the Firewall (maybe NAT is involved) that is blocking your outgoing traffic. In your original post you mentioned that it tries to block traffic to 72.51.46.124. That is sip-west.voipwelcome.com. Is that where you are connected to? I thought that server was not up and running.
    Last edited by sr98user; 03-11-2011 at 06:28 AM. Reason: formating...

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •