CUPC source port

Unanswered Question
Dec 3rd, 2008

Hi, I am having trouble with CUPC (7.0) connecting to CUCM (6.1) and passing through a third-party FW (CheckPoint NGX R65).

CUPC starts SIP connection on UDP:

SRC port: 50000

DST port: 5060


Does anybody know if it is possible to configure CUPC so that it starts the connection from SRC port 5060 too?

CP support claims that SRC port 50000 is not according to the RFC SIP standard and that they cannot easily change the FW kernel inspection behaviour.

Thank you for all answers,

Andrej

William Bell Wed, 12/03/2008 - 22:07

I am not a SIP expert, but I do not think that CP is correct in this case. It is true that UDP/TCP port 5060 is used for the server agent in typical configurations, but I am not sure that this is required.


RFC 3261 (http://tools.ietf.org/html/rfc3261)

Section 18.2.1

"... It is also RECOMMENDED that a server listen for requests on the default SIP ports (5060 for TCP and UDP, 5061 for TLS over TCP) on all public interfaces ... For any port and interface that a server listens on for UDP, it MUST listen on that same port and interface for TCP"


Note the term "recommended". Yes, standard practice is to use 5060 but if one wants to debate compliancy...


In your case, you are using the recommended server listening port. So, no need to debate the finer points. The next question is the client source port. Again, from RFC 3261, section 18.


Paragraph 2: "... When the connection is accepted by the transport layer, this index is set to the source IP address, port number, and transport. Note that, because the source port is often ephemeral, but it cannot be known whether it is ephemeral or selected through procedures in [4], ..."


This specifically states that the client source ports may be ephemeral (>1024 to ). To me, this means that using src port 50000 is compliant with RFC3261.


You may also want to reference the CUPC release notes:


http://www.cisco.com/en/US/docs/voice_ip_comm/cupc/7_0/english/release/notes/ol15710.html#wp39407


They spell out the port range that CUPC will use for source ports. Note that it is a range of ports that the CUPC client will use. So, if you can convince the security folks to work with you, provide the appropriate range of ports.


Hope this helps.


Regards,

Bill
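An added example, not part of the original posts: one way to gather evidence for the firewall team is to audit dropped SIP/UDP flows and see whether the client source ports fall inside the documented CUPC range. The log format, addresses and the `ALLOWED_SRC` range below are constructed placeholders (the real range is in the release notes linked above).

```python
import re
from collections import defaultdict

SIP_PORT = 5060
# Placeholder range (assumption): replace with the range from the CUPC release notes.
ALLOWED_SRC = range(50000, 50064)

# Constructed sample lines in a made-up key=value format, not real Check Point output.
SAMPLE_LOG = """\
action=drop proto=udp src=192.0.2.20 sport=50000 dst=198.51.100.5 dport=5060
action=drop proto=udp src=192.0.2.20 sport=50003 dst=198.51.100.5 dport=5060
action=accept proto=udp src=192.0.2.31 sport=5060 dst=198.51.100.5 dport=5060
action=drop proto=udp src=192.0.2.44 sport=61234 dst=198.51.100.5 dport=5060
action=drop proto=tcp src=192.0.2.20 sport=50001 dst=198.51.100.5 dport=443
malformed line
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return a dict of fields, or None if required keys are missing or non-numeric."""
    rec = dict(FIELD.findall(line))
    if not {"action", "proto", "src", "sport", "dport"} <= rec.keys():
        return None
    try:
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    except ValueError:
        return None
    return rec

def audit(log_text, allowed=ALLOWED_SRC):
    """Per client, list source ports of dropped SIP/UDP flows, split by allowed range."""
    report = defaultdict(lambda: {"in_range": set(), "out_of_range": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["proto"] != "udp" or rec["dport"] != SIP_PORT:
            continue  # not SIP over UDP to the server port
        if rec["action"] != "drop":
            continue  # only dropped flows matter for this audit
        bucket = "in_range" if rec["sport"] in allowed else "out_of_range"
        report[rec["src"]][bucket].add(rec["sport"])
    return {ip: {k: sorted(v) for k, v in b.items()} for ip, b in report.items()}

if __name__ == "__main__":
    for ip, ports in audit(SAMPLE_LOG).items():
        print(ip, ports)
```

Drops listed under `in_range` are the ones a source-port range rule would resolve; drops under `out_of_range` come from something other than the documented client range and need a separate look.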
