SIP Protocol Violation

snetherland · ‎08-04-2009

We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall Policy configuration. Here is a little bit of info about the site design and some logs desplaying this particular error:

-remote site connected to central site via a vpn tunnel

-both routers(1841 & 2801) have a basic ZBFW config that is specifying SIP traffic as being permissible from one site to the other

-phones are Grandstream and SIP server is a Trixbox(we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)

-SIP server is 192.168.14.10 at central site

-Grandstream phones are 172.20.14.0/24 at remote site

The following are logged sessions from the router at the remote site(where phones are attempting to establish communication across vpn tunnel with SIP server):

1)phone to server SIP traffic

a)Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)

b)Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class

c)Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes

2)server to phone SIP traffic:

a)Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)

b)Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class

c)Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes

For each attempt, outbound sip traffic(from phone to server) flags the "Forbidden header field found" violation. And inbound sip traffic(server to phone) flags the "Invalid Dialog" traffic.

I have posted this over in the security section of Netpro as well because I realize this is specifically an issue with how the ZBFW config sees the SIP traffic.

Any help would be greatly appreciated. Thanks for your time.

paolo bevilacqua · ‎08-04-2009

The few times that's used ZBFW, I've seen nothing but trouble.

If you need to keep it, and cannot tell it to leave SIP alone, recommend make a GRE tunnel so FW cannot mess with it.

snetherland · ‎08-04-2009

Thanks so much for your response. If at all possible, I would really like to get the AIC working for SIP traffic between our security zones. At the moment I am L4ing the traffic by matching sip and rtp protocols via pre-defined udp ports. This really opens up my firewall a little more than I would like and doesn't allow me to take advantage of some of the SIP enhancements with ZBFW.

Thanks a lot for your comment. I really appreciate your input.

paolo bevilacqua · ‎08-05-2009

You're welcome, please remember to rate useful posts with the scrollbox below.