Netscreen 5-GT & Blueface - The Solution

    23-12-2005 11:09am


    I've spent a fair bit of time trying to get a Juniper Netscreen 5-GT to pass through SIP traffic correctly including hassling Blueface support so I figured I'll write up my solution in case anyone else ever has to go through this pain too. This will probably work with other VoIP providers too.

    This is with ScreenOS 5.3. SIP support was added in 5.1 so it may work differently in earlier versions, if at all.

    My configuration is quite simple. I'm running with a NAT config. The IP phones are inside the NAT.

    In order to get this to work, you must:

    1. Disable SIP support in the Netscreen

    In the web interface, go to Configuration->Advanced->ALG->SIP and untick SIP.

    The Netscreen supports tracking NATed VoIP phones and can route incoming traffic on port 5060 to the right device. Blueface doesn't do this, they use the UDP port that you register on. It looks to me as if this SIP implementation is broken in the Netscreen as it seems to mangle the SIP packets so Blueface get two different UDP ports and can't handle incoming calls. So if you want incoming calls, you need to disable SIP to turn the Netscreen into a dumb box.

    2. Do Source Translation in the Trust->Untrust policy

    Go to Policies and Edit the policy for outgoing traffic from Trust, if you have one for all services. If you have specific policies for different services, then add one for SIP. Go to the Advanced page and tick "Source Translation". The drop-down should be "(DIP on) None (Use Egress Interface IP)" (unless you use a DIP Pool in which case you should choose it).

    This is another bug in the Netscreen as far as I'm concerned. If you, like me, run a NAT on Ethernet1 and set the interface to do NAT, you don't need to set Source Translation in the policy for NAT to work. However, the Netscreen will not allow the RTP connection to be set up unless you specify Source Translation on the Trust->Untrust policy. So the SIP traffic will work fine and the call will be set up, but you can't hear anything.

    3. Set the Registration Interval to 60 seconds

    Most VoIP devices have a default registration interval of 1 hour. The Netscreen drops the external UDP port sooner than that. I haven't been able to determine what the exact timeout is or how to increase it, so I've configured my VoIP phones to register every 60 seconds. If you don't do this, Blueface will think your device is not available after some period of time and you won't get incoming calls.
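As an added diagnostic that is not part of the original post (and not Juniper's or Blueface's code), the Python below parses a SIP REGISTER the way a provider or a packet capture would see it and flags the two symptoms described in steps 1 and 3: Via/Contact headers rewritten by the ALG to a public endpoint that disagrees with the UDP source the packet actually came from, and an Expires longer than the interval the firewall keeps the NAT binding alive. The sample messages, the sip.example.invalid domain, the 60-second threshold and the 3600-second fallback are constructed assumptions for this example.

```python
import ipaddress
import re
from typing import NamedTuple

# host[:port] inside a Via or Contact value (IPv4 only; port defaults to 5060)
_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?=[;>\s]|$)")
_RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def build_register(host: str, via_port: int, contact_port: int, expires: int) -> str:
    # Constructed sample REGISTER for this example, not a capture from the post.
    return (
        "REGISTER sip:sip.example.invalid SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {host}:{via_port};branch=z9hG4bK776asdhds\r\n"
        f"Contact: <sip:100@{host}:{contact_port}>\r\n"
        f"Expires: {expires}\r\n"
        "Content-Length: 0\r\n\r\n"
    )

class RegisterInfo(NamedTuple):
    via: tuple[str, int]      # where the phone says it sent from
    contact: tuple[str, int]  # where the registrar should send incoming calls
    expires: int              # requested registration lifetime in seconds

def _endpoint(value: str) -> tuple[str, int]:
    m = _ENDPOINT.search(value)
    if not m:
        raise ValueError(f"no IPv4 endpoint in header value {value!r}")
    return m.group(1), int(m.group(2) or 5060)

def parse_register(msg: str) -> RegisterInfo:
    hdrs: dict[str, str] = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    expires = int(hdrs.get("expires", 3600))  # assumed default when the header is absent
    return RegisterInfo(_endpoint(hdrs["via"]), _endpoint(hdrs["contact"]), expires)

def check_registration(msg: str, seen_ip: str, seen_port: int, max_interval: int = 60) -> list[str]:
    """Flag ALG-rewritten headers that disagree with the observed UDP source, and an over-long Expires."""
    info = parse_register(msg)
    findings = []
    for name, (host, port) in (("Via", info.via), ("Contact", info.contact)):
        if any(ipaddress.ip_address(host) in n for n in _RFC1918):
            continue  # still the phone's private address: the ALG left it alone and the provider uses the observed port
        if (host, port) != (seen_ip, seen_port):
            findings.append(f"{name} rewritten to {host}:{port}, packet came from {seen_ip}:{seen_port}")
    if info.expires > max_interval:
        findings.append(f"Expires {info.expires}s exceeds the {max_interval}s re-registration interval")
    return findings
```

A REGISTER that still carries the phone's private address produces no port finding, which matches the post's observation that the provider copes with plain NAT but not with the ALG's rewriting.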

