Anyone out there got a SIP phone (mine's a Cisco 7940) to work through a VPN with a Netscreen 5gt? It has always worked for me with any ScreenOS version 4.x. I had the need to upgrade it to ScreenOS 5.x and it breaks the phone.

Here's the goofy part: it works enough to still register with the phone system and check if there is voicemail waiting, but I get no audio on outbound calls. Inbound calls seem to work OK. The Netscreen is not in NAT mode, but in route mode. When the phone system talks to the phone at home, it uses the home LAN address. In debug mode, the phone system doesn't seem to notice anything is wrong.

I don't know if this means anything or not, but... on the phone system, if I do a "nmap -sU -p5060 <homephoneip>" it comes back with the port as open. If I do the same thing from my home PC and nmap the SIP port on the phone system, it comes back "open|filtered", which I think means no UDP packet is returning. SSH to the phone system works fine from home. I also noticed that NTP is broken on the phone, so something is wrong with UDP.

I found a really good article from someone having the same issues, but it made no difference for me. I have a support contract through Juniper, but they still have not found any resolution.

Here's the sip.conf section. I tried some variations with canreinvite and some things, but it didn't help. This has worked for me for over a year like this.

Anyone got any ideas?

Thanks!
Mark

[1426]
type=friend
username=123456
secret=123456
host=dynamic
;canreinvite=no
;disallow=all
;allow=ulaw,alaw
;dtmfmode=inband
;nat=never
context=office
mailbox=1426@home
linelabel="First Last"
callerid=First Last <1426>
line => 1426
ScreenOS 5.0x and 5.1x have some issues with SIP. Try the policies I have listed below.

set policy id 1001 from "Trust" to "Trust" "Local" "Remote" "SIP" permit log count
set policy id 1001 application "IGNORE"
set policy id 1002 from "Trust" to "Trust" "Remote" "Local" "SIP" permit log count
set policy id 1002 application "IGNORE"

I am running 5.2r1 without any issues, but I have turned off any application deep scanning.

unset alg sql
unset alg q931
unset alg h245
unset alg ras
unset alg sip

-Chip

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Mark Johnson
Sent: Thursday, November 10, 2005 9:15 AM
To: asterisk-users@lists.digium.com
Subject: [Asterisk-Users] SIP and VPN

_______________________________________________
--Bandwidth and Colocation sponsored by Easynews.com --

Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users

To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
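Chip's fix turns the SIP ALG off ("unset alg sip", policies with application "IGNORE"). The usual way a SIP ALG produces exactly the symptom in the first message (REGISTER and voicemail notification fine, no audio one way) is by rewriting the Contact header and the SDP c=/m= lines of the INVITE, so the PBX sends RTP to an address or port the phone never offered. The script below is an added example written for this thread; it is not code from the thread, from Asterisk or from Juniper. It compares an INVITE captured on the phone's LAN with the same INVITE as received on the Asterisk box and lists every field that changed in transit, and it builds a SIP OPTIONS probe that gives a definite reply or a timeout where nmap's UDP "open|filtered" cannot. The two sample messages and all addresses in them (192.168.1.20 for the phone, 10.0.0.5 for the PBX, 203.0.113.5 for the firewall's outside address) are constructed for the example.

```python
"""SIP ALG tampering check plus a UDP 5060 reachability probe.

Added example, not from the mailing-list thread. The two INVITEs at the
bottom are constructed: one as the phone emitted it on the home LAN, one as
the PBX received it through the firewall, with the rewrites a SIP ALG makes.
"""
import re
import socket
import sys


def build_message(start_line, headers, body=""):
    """Assemble a SIP message with CRLF line endings and a correct Content-Length."""
    hdrs = list(headers) + [("Content-Length", str(len(body.encode())))]
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs) + "\r\n" + body


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-cased header: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_endpoints(body):
    """Connection addresses (c=) and media ports (m=) the SDP tells the peer to send RTP to."""
    addrs = re.findall(r"^c=IN IP4 (\S+)", body, re.M)
    ports = [int(p) for p in re.findall(r"^m=\S+ (\d+) ", body, re.M)]
    return addrs, ports


def alg_rewrites(sent, received):
    """Compare what the phone sent with what the PBX received.

    Returns (field, value_sent, value_received) for every field changed in
    transit. Via/Contact and the SDP endpoints are what an ALG rewrites; an
    empty list means nothing between the two capture points touched them.
    """
    _, s_hdr, s_body = parse_sip(sent)
    _, r_hdr, r_body = parse_sip(received)
    diffs = []
    for h in ("via", "contact"):
        if s_hdr.get(h) != r_hdr.get(h):
            diffs.append((h, s_hdr.get(h), r_hdr.get(h)))
    if sdp_endpoints(s_body) != sdp_endpoints(r_body):
        diffs.append(("sdp", sdp_endpoints(s_body), sdp_endpoints(r_body)))
    return diffs


def build_options(local_ip, target):
    """Minimal SIP OPTIONS request; any SIP reply (200, 4xx, ...) proves UDP 5060 works both ways."""
    return build_message(
        f"OPTIONS sip:{target} SIP/2.0",
        [("Via", f"SIP/2.0/UDP {local_ip}:5060;branch=z9hG4bK-probe;rport"),
         ("From", f"<sip:probe@{local_ip}>;tag=probe"),
         ("To", f"<sip:{target}>"),
         ("Call-ID", f"probe@{local_ip}"),
         ("CSeq", "1 OPTIONS"),
         ("Max-Forwards", "70")],
    ).encode()


def probe_udp_5060(local_ip, target, timeout=2.0):
    """Send OPTIONS to target:5060; return the reply's status line, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options(local_ip, target), (target, 5060))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data.split(b"\r\n", 1)[0].decode(errors="replace")


# Constructed INVITE as the phone (192.168.1.20) sent it to the PBX (10.0.0.5).
INVITE_HEADERS = [
    ("Via", "SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1"),
    ("From", '"First Last" <sip:1426@10.0.0.5>;tag=a1'),
    ("To", "<sip:201@10.0.0.5>"),
    ("Call-ID", "c1@192.168.1.20"),
    ("CSeq", "1 INVITE"),
    ("Contact", "<sip:1426@192.168.1.20:5060>"),
    ("Content-Type", "application/sdp"),
]
SDP_SENT = ("v=0\r\no=- 1 1 IN IP4 192.168.1.20\r\ns=-\r\n"
            "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0 8\r\n")
INVITE_SENT = build_message("INVITE sip:201@10.0.0.5 SIP/2.0", INVITE_HEADERS, SDP_SENT)

# Same INVITE as received on the PBX: Contact and SDP rewritten to the firewall's
# outside address (203.0.113.5, constructed), where no RTP will ever arrive over the tunnel.
INVITE_RECEIVED = build_message(
    "INVITE sip:201@10.0.0.5 SIP/2.0",
    [(k, "<sip:1426@203.0.113.5:1024>" if k == "Contact" else v) for k, v in INVITE_HEADERS],
    SDP_SENT.replace("c=IN IP4 192.168.1.20", "c=IN IP4 203.0.113.5")
            .replace("m=audio 16384", "m=audio 1025"),
)


if __name__ == "__main__":
    for field, before, after in alg_rewrites(INVITE_SENT, INVITE_RECEIVED):
        print(f"{field}: sent {before} -> received {after}")
    if len(sys.argv) == 3:  # python sipcheck.py <local_ip> <pbx_ip>: live UDP probe
        print("reply:", probe_udp_5060(sys.argv[1], sys.argv[2]))
```

To use it on a real setup, capture the INVITE on both sides of the firewall (for example "tcpdump -s 0 -A udp port 5060" on the home LAN and on the Asterisk host) and pass the two texts to alg_rewrites; any Contact or SDP difference is the firewall's doing and points straight at the ALG. Run the script from the home PC with the local address and the PBX address to replace nmap's ambiguous "open|filtered" with either a SIP status line or a timeout.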
The example I gave was going over a VPN with the tunnel terminating in the Trusted zone. Put the policies in according to how your traffic traverses the Netscreen. I would config a policy for Trust-to-Untrust traffic and for Untrust-to-Trust, or Untrust-to-Global if you have MIPing going on.

-chip

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Mark Johnson
Sent: Thursday, November 10, 2005 12:09 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] SIP and VPN

Lists Pleasants wrote:
> ScreenOS 5.0x and 5.1x have some issues with SIP. Try the policies I have listed below.
>
> set policy id 1001 from "Trust" to "Trust" "Local" "Remote" "SIP" permit log count
> set policy id 1001 application "IGNORE"
> set policy id 1002 from "Trust" to "Trust" "Remote" "Local" "SIP" permit log count
> set policy id 1002 application "IGNORE"
>
> I am running 5.2r1 without any issues, but I have turned off any application deep scanning.
>
> unset alg sql
> unset alg q931
> unset alg h245
> unset alg ras
> unset alg sip
>
> -Chip

Why do you go from Trust to Trust in your policies? I tried that and the phone won't work at all. The only way to get it to register is for me to put Remote as an Untrust zone.

Thanks!
Mark