08-04-2009 03:52 PM - edited 03-15-2019 07:13 PM
We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall Policy configuration. Here is a little bit of info about the site design and some logs displaying this particular error:
-remote site connected to central site via a vpn tunnel
-both routers (1841 & 2801) have a basic ZBFW config that is specifying SIP traffic as being permissible from one site to the other
-phones are Grandstream and SIP server is a Trixbox (we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)
-SIP server is 192.168.14.10 at central site
-Grandstream phones are 172.20.14.0/24 at remote site
The following are logged sessions from the router at the remote site (where phones are attempting to establish communication across the vpn tunnel with the SIP server):
1)phone to server SIP traffic
a)Aug 4 11:16:19 207.201.235.14 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)
b)Aug 4 11:16:19 207.201.235.14 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class
c)Aug 4 11:16:19 207.201.235.14 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes
2)server to phone SIP traffic:
a)Aug 4 11:16:19 207.201.235.14 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)
b)Aug 4 11:16:19 207.201.235.14 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class
c)Aug 4 11:16:20 207.201.235.14 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes
For each attempt, outbound sip traffic (from phone to server) flags the "Forbidden header field found" violation. And inbound sip traffic (server to phone) flags the "Invalid Dialog" traffic.
I have posted this over in the security section of Netpro as well because I realize this is specifically an issue with how the ZBFW config sees the SIP traffic.
Any help would be greatly appreciated. Thanks for your time.
08-04-2009 03:55 PM
The few times that I've used ZBFW, I've seen nothing but trouble.
If you need to keep it, and cannot tell it to leave SIP alone, I recommend making a GRE tunnel so the FW cannot mess with it.
08-04-2009 04:10 PM
Thanks so much for your response. If at all possible, I would really like to get the AIC working for SIP traffic between our security zones. At the moment I am L4ing the traffic by matching sip and rtp protocols via pre-defined udp ports. This really opens up my firewall a little more than I would like and doesn't allow me to take advantage of some of the SIP enhancements with ZBFW.
Thanks a lot for your comment. I really appreciate your input.
08-05-2009 05:06 AM
You're welcome, please remember to rate useful posts with the scrollbox below.