SIP Protocol Violation

Unanswered Question

We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall Policy configuration. Here is a little bit of info about the site design and some logs displaying this particular error:


- remote site connected to central site via a vpn tunnel
- both routers (1841 & 2801) have a basic ZBFW config that is specifying SIP traffic as being permissible from one site to the other
- phones are Grandstream and SIP server is a Trixbox (we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)
- SIP server is 192.168.14.10 at central site
- Grandstream phones are 172.20.14.0/24 at remote site


The following are logged sessions from the router at the remote site (where phones are attempting to establish communication across the vpn tunnel with the SIP server):


1) phone to server SIP traffic

a)Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)

b)Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class

c)Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes


2) server to phone SIP traffic:

a)Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)

b)Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class

c)Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes


For each attempt, outbound SIP traffic (from phone to server) flags the "Forbidden header field found" violation, and inbound SIP traffic (server to phone) flags the "Invalid Dialog" violation.


I have posted this over in the security section of Netpro as well because I realize this is specifically an issue with how the ZBFW config sees the SIP traffic.


Any help would be greatly appreciated. Thanks for your time.


paolo bevilacqua Tue, 08/04/2009 - 15:55

The few times that I've used ZBFW, I've seen nothing but trouble.


If you need to keep it, and cannot tell it to leave SIP alone, I recommend making a GRE tunnel so the FW cannot mess with it.

Thanks so much for your response. If at all possible, I would really like to get the AIC working for SIP traffic between our security zones. At the moment I am L4ing the traffic by matching sip and rtp protocols via pre-defined udp ports. This really opens up my firewall a little more than I would like and doesn't allow me to take advantage of some of the SIP enhancements with ZBFW.


Thanks a lot for your comment. I really appreciate your input.

paolo bevilacqua Wed, 08/05/2009 - 05:06

You're welcome, please remember to rate useful posts with the scrollbox below.
