5 Replies Latest reply on Jul 6, 2015 2:59 PM by jay

    Netvanta 4430 SBC Firewall Issues

    apm New Member

Having random one-way audio issues.  We are using our 4430 SBC as a SIP to SIP (one-to-one NAT) with nothing fancy.  I have played around with the firewall and cannot figure out how to get the following error messages to go away, and I am not sure why they are not able to establish a data connection.  Please help; I have opened a ticket with Adtran and am awaiting a response.  Thanks in advance.

      ip firewall
      ip firewall stealth
      no ip firewall alg ftp
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg pptp
      no ip firewall alg h323
      !
      aaa on
      !
      no dot11ap access-point-control
      !
      qos map Voice 10
        match dscp ef 26 31
        priority percent 50
      !
      qos map QOS2 100
        match any
        bandwidth percent 25
        set dscp 46
      !
      no ethernet cfm
      !
      interface gigabit-eth 0/1
        description LAN
        ip address 192.168.100.200 255.255.255.0
        ip access-policy Private
        media-gateway ip primary
        qos-policy out Voice
        no awcp
        no shutdown
      !
      interface gigabit-eth 0/2
        description Public
        ip address 67.59.x.x 255.255.255.192
        ip access-policy SIP
        media-gateway ip primary
        qos-policy out QOS2
        no awcp
        no shutdown
        no lldp send-and-receive
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended self
        remark Traffic to 4430
        permit ip any any
      !
      ip access-list extended WAN-Access
        remark Allow list WAN-Access
        permit udp host 216.82.x.x eq 5060 any
        permit udp host 216.82.x.x eq 5060 any
        permit udp any any range 10000 65000
      !
      ip policy-class Private
        allow list self self
        nat source list wizard-ics interface gigabit-ethernet 0/2 overload
      !
      ip policy-class Public
        ! Implicit discard
      !
      ip policy-class SIP
        allow list WAN-Access


      These are the messages that are flooding the console and syslog.


      Jun 29 17:09:48  FIREWALL: id=firewall time="2015-06-29 17:09:48" fw= pri=1 rule=19 proto=10133/udp src=67.231.4.102 dst=67.59.x.x msg="Data connection not established from remote from SIP policy-class on interface giga-eth 0/2" agent=AdFirewall

      Jun 29 17:08:24  FIREWALL: id=firewall time="2015-06-29 17:08:24" fw= pri=1 rule=2 proto=22636/udp src=67.59.x.x dst=4.55.10.70 msg="Data connection not established from remote from SELF policy-class on interface Loopback" agent=AdFirewall

      Jun 29 17:11:20  FIREWALL: id=firewall time="2015-06-29 17:11:20" fw= pri=1 rule=15 proto=10143/udp src=192.168.17.10 dst=192.168.100.200 msg="Data connection not established from remote from Private policy-class on interface giga-eth 0/1" agent=AdFirewall
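      Added example (not part of the post and not ADTRAN code): a small parser for the AdFirewall syslog format quoted above. It splits each line into its key=value fields, pulls the policy-class and interface out of the msg text, and groups the "Data connection not established" events by policy-class, interface and port range, so you can see at a glance which leg (SIP signalling on 5060, or media in the 10000-65000 range the WAN-Access list permits) is timing out and which peers are involved. The three log lines from the post are used as the sample input. The single port AOS prints in proto= is treated as the session's data port; that reading is an assumption.

```python
"""Summarise AOS AdFirewall "Data connection not established" events.

Added example for the thread above (not ADTRAN code). It parses the syslog
lines the original post shows and groups the unanswered passive sessions by
policy-class, interface and port range.
"""
import re
from collections import Counter, defaultdict

# Key=value pairs as AdFirewall prints them: the value is either double-quoted
# (time=, msg=) or a run of non-space characters, possibly empty (fw=).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
_MSG_RE = re.compile(
    r"Data connection not established from remote from (?P<pclass>\S+) "
    r"policy-class on interface (?P<iface>.+)$")
_PROTO_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>[a-z]+)$")

# Port ranges taken from the posted config: SIP signalling on 5060 and the
# "permit udp any any range 10000 65000" media line in WAN-Access.
SIP_PORT = 5060
RTP_RANGE = (10000, 65000)

# The three lines quoted in the post, used here as sample input.
SAMPLE_LOG = """\
Jun 29 17:09:48  FIREWALL: id=firewall time="2015-06-29 17:09:48" fw= pri=1 rule=19 proto=10133/udp src=67.231.4.102 dst=67.59.x.x msg="Data connection not established from remote from SIP policy-class on interface giga-eth 0/2" agent=AdFirewall
Jun 29 17:08:24  FIREWALL: id=firewall time="2015-06-29 17:08:24" fw= pri=1 rule=2 proto=22636/udp src=67.59.x.x dst=4.55.10.70 msg="Data connection not established from remote from SELF policy-class on interface Loopback" agent=AdFirewall
Jun 29 17:11:20  FIREWALL: id=firewall time="2015-06-29 17:11:20" fw= pri=1 rule=15 proto=10143/udp src=192.168.17.10 dst=192.168.100.200 msg="Data connection not established from remote from Private policy-class on interface giga-eth 0/1" agent=AdFirewall
"""


def classify_leg(port, proto):
    """Name the leg a port belongs to, using the ranges from the posted ACLs."""
    if proto == "udp" and port == SIP_PORT:
        return "sip-signalling"
    if proto == "udp" and RTP_RANGE[0] <= port <= RTP_RANGE[1]:
        return "rtp-media"
    return "other"


def parse_line(line):
    """Return a dict of fields for one AdFirewall line, or None if it is not one."""
    if "agent=AdFirewall" not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        # group 2 is the quoted form, group 3 the bare form
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    pm = _PROTO_RE.match(fields.get("proto", ""))
    mm = _MSG_RE.match(fields.get("msg", ""))
    if not pm or not mm:
        return None
    port = int(pm.group("port"))  # assumption: this is the session's data port
    return {
        "time": fields.get("time"),
        "rule": int(fields.get("rule", "0")),
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "port": port,
        "proto": pm.group("proto"),
        "policy_class": mm.group("pclass"),
        "interface": mm.group("iface"),
        "leg": classify_leg(port, pm.group("proto")),
    }


def summarize(log_text):
    """Count timed-out passive sessions per (policy-class, interface, leg)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(ev["policy_class"], ev["interface"], ev["leg"])] += 1
    return counts


def peers_by_class(log_text):
    """Map each policy-class to the sorted, de-duplicated (src, dst) pairs seen."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            peers[ev["policy_class"]].add((ev["src"], ev["dst"]))
    return {pc: sorted(pairs) for pc, pairs in peers.items()}


if __name__ == "__main__":
    for (pclass, iface, leg), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{pclass:8} {iface:14} {leg:15} {n}")
    for pclass, pairs in peers_by_class(SAMPLE_LOG).items():
        print(pclass, pairs)
```

      Run against a syslog export instead of SAMPLE_LOG, a steady count in one policy-class with the same peer pair points at a specific PBX or the carrier not sending media for sessions the SBC opened, which is the kind of evidence worth attaching to the support ticket.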

        • Re: Netvanta 4430 SBC Firewall Issues
          cj! Beta_User

          Hi apm:


          Are you planning to use RTP media anchoring or NAT audio traffic?


          In the SIP policy-class, I think you will need a destination on the allow policy:

          allow list WAN-Access self


          Best,

          Chris

            • Re: Netvanta 4430 SBC Firewall Issues
              apm New Member

              Chris,


              We are running media anchoring.  This has been in production for a couple of years and has been having intermittent issues for a long time (I just came on board to help).  We have several private PBX trunks pointed to the SBC on the LAN side and one SIP carrier on the WAN.


              Thanks,

              Preston

                • Re: Netvanta 4430 SBC Firewall Issues
                  cj! Beta_User

                  The message "Data connection not established from remote" indicates that a passive firewall session has exceeded timeout without having been used.  Search this message in the document IPv6 Firewall Protection in AOS for a more detailed explanation.  I believe you could see such a message in cases where the remote host is not sending RTP, for example.  Could there be an issue with one of the PBXes or the SIP trunk provider with one-way audio or something for which the message is providing an indication?  Perhaps the cause does not lie within the SBC.


                  Did you receive any useful information from ADTRAN Support so far?


                  Chris

                    • Re: Netvanta 4430 SBC Firewall Issues
                      apm New Member

                      Chris,

                      Thanks for the information.  I did get a call from Adtran and cleaned up some issues with the configuration. I needed an additional ACL for internal-to-internal traffic to allow the private ranges to reach each other, and to upgrade the AOS.  They also gave me a command to limit the amount of console messages and syslog that I was receiving from the SBC.  From global configuration mode:


                      ip firewall attack-log threshold xxxxx


                      Thank you for helping; it is much appreciated.  Hopefully this will help someone else.


                      Thanks,

                      Preston

                        • Re: Netvanta 4430 SBC Firewall Issues
                          jay Employee

                          I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


                          Thanks,

                          Jay