VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] Anyone used WatchGuard SIP ALG?


 
tony at softins.co.uk
Guest





Posted: Tue Apr 22, 2014 10:25 am    Post subject: [asterisk-users] Anyone used WatchGuard SIP ALG?

Has anyone here used Asterisk inside a WatchGuard firewall, talking via
the WatchGuard SIP Application Layer Gateway to an outside SIP service?

I have a customer doing just that, and I am 100% convinced there is a bug
in the ALG regarding the media port number it inserts into the SDP when
it rewrites it. However, either they or WatchGuard will not accept there
is a bug, despite my very detailed description of it.

So if anyone else has any experience of using this product, I'd be very
interested to hear from you. Thanks!

Tony
--
Tony Mountifield
Work: tony@softins.co.uk - http://www.softins.co.uk
Play: tony@mountifield.org - http://tony.mountifield.org

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
ish at pack-net.co.uk
Guest





Posted: Tue Apr 22, 2014 10:32 am    Post subject: [asterisk-users] Anyone used WatchGuard SIP ALG?

On 22 April 2014 16:24, Tony Mountifield <tony@softins.co.uk> wrote:
Quote:
Has anyone here used Asterisk inside a WatchGuard firewall, talking via
the WatchGuard SIP Application Layer Gateway to an outside SIP service?

I have a customer doing just that, and I am 100% convinced there is a bug
in the ALG regarding the media port number it inserts into the SDP when
it rewrites it. However, either they or WatchGuard will not accept there
is a bug, despite my very detailed description of it.

So if anyone else has any experience of using this product, I'd be very
interested to hear from you. Thanks!

Tony
--
Tony Mountifield
Work: tony@softins.co.uk - http://www.softins.co.uk
Play: tony@mountifield.org - http://tony.mountifield.org




Just about every SIP ALG (Watchguard included) makes things worse or simply not work. Have you tried to simply disable it? 




--
Quote:
Ishfaq Malik
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)845 004 4994
f: +44 (0)161 660 9825
e: ish@pack-net.co.uk
w: http://www.pack-net.co.uk

Registered Address: PACKNET LIMITED, Duplex 2, Ducie House
37 Ducie Street
Manchester, M1 2JW
COMPANY REG NO. 04920552
tony at softins.co.uk
Guest





Posted: Tue Apr 22, 2014 11:12 am    Post subject: [asterisk-users] Anyone used WatchGuard SIP ALG?

In article <CAHE6+j3hb5d8mJfY69F73TVwZus9ZAQrDakt4+iW+tx58_uZ=g@mail.gmail.com>,
Ishfaq Malik <ish@pack-net.co.uk> wrote:
Quote:
On 22 April 2014 16:24, Tony Mountifield <tony@softins.co.uk> wrote:

Quote:
Has anyone here used Asterisk inside a WatchGuard firewall, talking via
the WatchGuard SIP Application Layer Gateway to an outside SIP service?

I have a customer doing just that, and I am 100% convinced there is a bug
in the ALG regarding the media port number it inserts into the SDP when
it rewrites it. However, either they or WatchGuard will not accept there
is a bug, despite my very detailed description of it.

So if anyone else has any experience of using this product, I'd be very
interested to hear from you. Thanks!

Just about every SIP ALG (Watchguard included) makes things worse or simply
not work.

Maybe, but that doesn't mean the concept is flawed. It should be possible
to do it correctly.

Quote:
Have you tried to simply disable it?

Yes, the customer has tried that, but since NAT is involved, the lack
of SDP rewriting means that the media streams do not get routed correctly.

But I am specifically looking for people with experience of this particular
product, rather than for general advice, as I am seeking support for my assertion
that it has a specific bug that the vendor needs to acknowledge and fix.

Thanks,
Tony
--
Tony Mountifield
Work: tony@softins.co.uk - http://www.softins.co.uk
Play: tony@mountifield.org - http://tony.mountifield.org

EWieling at nyigc.com
Guest





Posted: Tue Apr 22, 2014 11:20 am    Post subject: [asterisk-users] Anyone used WatchGuard SIP ALG?

I would be very surprised if anyone uses WatchGuard SIP ALG. For the past 12 years the advice has always been "Disable SIP ALG and let Asterisk do the NAT fixup itself" on any firewall, regardless of brand. I wish you the best of luck.

tony at softins.co.uk
Guest





Posted: Tue Apr 22, 2014 12:27 pm    Post subject: [asterisk-users] Anyone used WatchGuard SIP ALG?

In article <616B4ECE1290D441AD56124FEBB03D0818EB7AE075@mailserver2007.nyigc.globe>,
Eric Wieling <EWieling@nyigc.com> wrote:
Quote:
I would be very surprised if anyone uses WatchGuard SIP ALG. For the
past 12 years the advice has always been "Disable SIP ALG and let
Asterisk do the NAT fixup itself" on any firewall, regardless of brand.
I wish you the best of luck.

The only way we were able to get that to work was by using the
"media_address" setting within sip.conf to override the IP address in the
SDP:

; The IP address used for media (audio, video, and text) in the SDP can also be overridden by using
; the media_address configuration option. This is only applicable to the general section and
; can not be set per-user or per-peer.
;
; media_address = 172.16.42.1

However, this only works if the box is ONLY talking to outside SIP
endpoints, since for some bizarre reason, media_address is global
rather than per-peer. So setting it to the customer's external IP
address renders all internal SIP endpoints non-functional, as they
then receive the external IP address in the SDP.

But as I said, the proper solution to a broken SIP ALG is to fix the
ALG, not just to give up on it. There's no reason it can't be made
to work correctly, and it enables RTP ports to be opened and closed
as required, instead of having a complete range permanently open.

Such a pity WatchGuard is closed-source.

Cheers
Tony

--
Tony Mountifield
Work: tony@softins.co.uk - http://www.softins.co.uk
Play: tony@mountifield.org - http://tony.mountifield.org
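
An added example (not part of the original posts, and not code from Asterisk or WatchGuard): one way to document what an ALG did to the SDP is to capture the same INVITE on both sides of the firewall and compare the media address and port of each stream. The function names, the sample messages and the addresses and ports in them are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: an address from these in outside SDP is unroutable for the far end.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:  # no c= line seen, or a hostname instead of an IP
        return False

def media_endpoints(sip_message):
    """Return [(media, ip, port)] for every m= line in the SDP body."""
    # The SDP body follows the first blank line of the SIP message.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):            # c=IN IP4 <address>
            ip = line.split()[2]
            if streams:
                streams[-1][1] = ip          # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):          # m=<media> <port> <proto> <fmt...>
            media, port = line[2:].split()[:2]
            streams.append([media, session_ip, int(port.split("/")[0])])
    return [tuple(s) for s in streams]

def compare_sdp(inside, outside):
    """List what changed between the capture inside and outside the firewall."""
    findings = []
    pairs = zip(media_endpoints(inside), media_endpoints(outside))
    for (media, ip_in, port_in), (_, ip_out, port_out) in pairs:
        if is_rfc1918(ip_out):
            findings.append(f"{media}: RFC 1918 address {ip_out} still in SDP outside the firewall")
        if ip_in != ip_out:
            findings.append(f"{media}: address {ip_in} -> {ip_out}")
        if port_in != port_out:
            findings.append(f"{media}: port {port_in} -> {port_out}")
    return findings

# Constructed sample INVITE; real input would be the same call captured on each interface.
SAMPLE = ("INVITE sip:100@sip.example.net SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\n"
          "m=audio {port} RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\n")
INSIDE = SAMPLE.format(ip="192.168.1.10", port=14562)
OUTSIDE = SAMPLE.format(ip="203.0.113.5", port=37714)

if __name__ == "__main__":
    print("\n".join(compare_sdp(INSIDE, OUTSIDE)))
```

The rewritten port reported here is the one to check against the UDP port the firewall actually forwards RTP on; passing the inside capture for both arguments shows the un-rewritten case, where the private address reaches the provider.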
