
407 Proxy Authentication Required when Firewall SIP ALG Enabled


Martyn


All,

 

Has anyone come across the issue, where when you enable the SIP ALG in a firewall (in this case a Vigor 2920) you receive a 407 error on the handset when trying to make an outbound call?

 

Trace with Vigor SIP ALG Enabled

[8] 2013/02/01 00:51:53: Call from an user 107
[8] 2013/02/01 00:51:53: From user 107
[8] 2013/02/01 00:51:53: Call state for call object 22: idle
[5] 2013/02/01 00:51:53: Dialplan "Standard": Match 9xxxxxxxxxxx@xxx.xx.x.xxx to sip:xxxxxxxxxxx@xxx.xxx.xxx.xxx;user=phone on trunk Orbtalk
[8] 2013/02/01 00:51:53: Allocating for call port 93, SIP call id c004af05@pbx
[5] 2013/02/01 00:51:53: set codec: codec pcma/8000 is set to call-leg 92
[7] 2013/02/01 00:51:53: Call c004af05@pbx: Clear last INVITE
[5] 2013/02/01 00:51:53: INVITE Response 407 Proxy Authentication Required: Terminate c004af05@pbx
[8] 2013/02/01 00:51:53: Clearing call port 93, SIP call id c004af05@pbx
[8] 2013/02/01 00:51:53: Remove leg 94: call port 93, SIP call id c004af05@pbx
[8] 2013/02/01 00:51:54: Clearing call port 92, SIP call id 3c3b99ec3d46-gdx883ihv2qz
[8] 2013/02/01 00:51:54: Remove leg 93: call port 92, SIP call id 3c3b99ec3d46-gdx883ihv2qz
[8] 2013/02/01 00:57:13: Allocating for call port 94, SIP call id 3c3b9b2c6c24-epy3o4fuw20l

 

Trace with Vigor SIP ALG Disabled

[8] 2013/02/01 00:57:13: Call from an user 107
[8] 2013/02/01 00:57:13: From user 107
[8] 2013/02/01 00:57:13: Call state for call object 23: idle
[5] 2013/02/01 00:57:13: Dialplan "Standard": Match 9xxxxxxxxxxx@xxx.xx.x.xxx to sip:xxxxxxxxxxx@xxx.xxx.xxx.xxx;user=phone on trunk Orbtalk
[8] 2013/02/01 00:57:13: Allocating for call port 95, SIP call id 4e563542@pbx
[5] 2013/02/01 00:57:13: set codec: codec pcma/8000 is set to call-leg 94
[8] 2013/02/01 00:57:14: Call state for call object 23: alerting
[7] 2013/02/01 00:57:15: Call 4e563542@pbx: Clear last INVITE
[5] 2013/02/01 00:57:15: set codec: codec pcma/8000 is set to call-leg 95
[8] 2013/02/01 00:57:15: Call state for call object 23: connected
[8] 2013/02/01 00:57:19: Clearing call port 95, SIP call id 4e563542@pbx
[8] 2013/02/01 00:57:19: Remove leg 96: call port 95, SIP call id 4e563542@pbx
[7] 2013/02/01 00:57:19: Call 3c3b9b2c6c24-epy3o4fuw20l: Clear last request
[5] 2013/02/01 00:57:19: BYE Response: Terminate 3c3b9b2c6c24-epy3o4fuw20l
[8] 2013/02/01 00:57:19: Clearing call port 94, SIP call id 3c3b9b2c6c24-epy3o4fuw20l
[8] 2013/02/01 00:57:19: Remove leg 95: call port 94, SIP call id 3c3b9b2c6c24-epy3o4fuw20l

 

For reference, we use exactly the same firewall with SIP ALG enabled with a Linksys SPA9000 and it is rock solid and does not have the issue.

 

Thanks in advance

 

Martyn

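The two traces above differ in exactly one line: with the ALG on, the outbound INVITE is terminated by a 407 and the call never reaches "alerting" or "connected". The following is an added example (not part of the post or of snom ONE) that parses log lines in the same "[level] date time: message" shape, maps each SIP call id to how its INVITE ended, and reports authentication failures that appear only under the ALG-enabled configuration. The sample traces embedded here are constructed from the lines in the post; the `summarize` and `alg_only_failures` functions are this example's own.

```python
import re

# Constructed sample traces: the lines follow the shape of the snom ONE log in the post
# (level, timestamp, message), trimmed to the lines that decide a call's outcome.
TRACE_ALG_ON = """\
[8] 2013/02/01 00:51:53: Allocating for call port 93, SIP call id c004af05@pbx
[5] 2013/02/01 00:51:53: set codec: codec pcma/8000 is set to call-leg 92
[7] 2013/02/01 00:51:53: Call c004af05@pbx: Clear last INVITE
[5] 2013/02/01 00:51:53: INVITE Response 407 Proxy Authentication Required: Terminate c004af05@pbx
[8] 2013/02/01 00:51:53: Clearing call port 93, SIP call id c004af05@pbx
[8] 2013/02/01 00:51:54: Clearing call port 92, SIP call id 3c3b99ec3d46-gdx883ihv2qz
"""

TRACE_ALG_OFF = """\
[8] 2013/02/01 00:57:13: Allocating for call port 95, SIP call id 4e563542@pbx
[8] 2013/02/01 00:57:14: Call state for call object 23: alerting
[7] 2013/02/01 00:57:15: Call 4e563542@pbx: Clear last INVITE
[8] 2013/02/01 00:57:15: Call state for call object 23: connected
[8] 2013/02/01 00:57:19: Clearing call port 95, SIP call id 4e563542@pbx
[5] 2013/02/01 00:57:19: BYE Response: Terminate 3c3b9b2c6c24-epy3o4fuw20l
"""

# "[8] 2013/02/01 00:51:53: message" -> level, timestamp, message
LINE_RE = re.compile(r"^\[(?P<level>\d)\] (?P<ts>\S+ \S+): (?P<msg>.*)$")
ALLOC_RE = re.compile(r"Allocating for call port \d+, SIP call id (?P<cid>\S+)")
# Only responses that carry a status code count as a failed request ("BYE Response:" has none).
RESP_RE = re.compile(r"(?P<method>[A-Z]+) Response (?P<code>\d{3}) (?P<reason>.*?): Terminate (?P<cid>\S+)")
CLEAR_RE = re.compile(r"Clearing call port \d+, SIP call id (?P<cid>\S+)")


def summarize(trace: str) -> dict:
    """Map each SIP call id seen in the trace to how it ended."""
    outcome = {}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (a := ALLOC_RE.search(msg)):
            outcome[a.group("cid")] = "in progress"
        elif (r := RESP_RE.search(msg)):
            outcome[r.group("cid")] = f"{r.group('method')} failed: {r.group('code')} {r.group('reason')}"
        elif (c := CLEAR_RE.search(msg)):
            # A clear without a recorded failure is the normal end of a call leg.
            if outcome.setdefault(c.group("cid"), "in progress") == "in progress":
                outcome[c.group("cid")] = "cleared normally"
    return outcome


def count_connected(trace: str) -> int:
    """Number of call objects that reached the 'connected' state."""
    return sum(1 for line in trace.splitlines() if line.rstrip().endswith(": connected"))


def alg_only_failures(trace_alg_on: str, trace_alg_off: str) -> list:
    """407 failures present with the ALG on when the ALG-off trace shows none.
    An empty list means the ALG is not the discriminator and the trunk
    credentials or the provider side deserve the next look instead."""
    on_fail = [(cid, o) for cid, o in summarize(trace_alg_on).items() if "failed: 407" in o]
    off_fail = [(cid, o) for cid, o in summarize(trace_alg_off).items() if "failed: 407" in o]
    return on_fail if not off_fail else []


if __name__ == "__main__":
    for cid, outcome in alg_only_failures(TRACE_ALG_ON, TRACE_ALG_OFF):
        print(f"{cid}: {outcome} (only with SIP ALG enabled)")
```

Run against a longer export the same way: paste the two traces (one per firewall setting) into the two strings, and anything the second function returns is a failure that the firewall setting alone explains.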

If you want to answer the challenge from the firewall AND from the provider you obviously need two username/passwords. Right now, the PBX has only one. The multiple proxy authentication was specified in the RFC from day one; however I believe that only very few SIP implementations are able to deal with several username and passwords. Also, considering that many SIP registrations use TLS anyway, I don't see the security gain with this exercise.

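The point in the reply above is that a SIP client can only answer a 407 for a realm it holds credentials for, and a PBX with a single trunk username/password has exactly one such realm. The following is an added example, not code from snom ONE or from the thread: it implements the RFC 3261 digest exchange (MD5 of user:realm:password and of method:uri, bound to the nonce and, with qop=auth, to nc and cnonce), stores the PBX side's credentials per realm, and walks one INVITE through every hop that challenges it. The realms, users, nonces and the URI are constructed; the "firewall that challenges" hop is hypothetical and exists only to show what happens when a second challenger appears.

```python
import hashlib
import re
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 3261 digest (RFC 2617 scheme): HA1 = MD5(user:realm:password),
    HA2 = MD5(method:digest-uri); with qop=auth the response also binds nc and cnonce."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


PARAM_RE = re.compile(r'(\w+)="?([^",]*)"?')


def parse_params(header: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict (sufficient for the fields used here)."""
    return dict(PARAM_RE.findall(header.split(" ", 1)[1]))


class TrunkClient:
    """The PBX side of a trunk: credentials keyed by realm, one set per challenger."""

    def __init__(self, creds):
        self.creds = creds  # {realm: (username, password)}

    def answer_407(self, method, uri, proxy_authenticate):
        ch = parse_params(proxy_authenticate)
        if ch["realm"] not in self.creds:
            return None  # nothing to answer with: the INVITE is terminated with the 407
        user, password = self.creds[ch["realm"]]
        nc, cnonce = "00000001", secrets.token_hex(8)
        resp = digest_response(user, password, ch["realm"], method, uri, ch["nonce"], "auth", nc, cnonce)
        return (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
                f'uri="{uri}", response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')


def hop_accepts(hop, method, proxy_authorization):
    """Server-side check at one challenging hop: recompute and compare in constant time."""
    p = parse_params(proxy_authorization)
    if p.get("nonce") != hop["nonce"] or p.get("username") not in hop["users"]:
        return False
    expected = digest_response(p["username"], hop["users"][p["username"]], p["realm"], method,
                               p["uri"], hop["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    return secrets.compare_digest(expected, p.get("response", ""))


def place_call(client, hops, uri="sip:5551234@trunk.example;user=phone"):
    """Drive one INVITE through every hop that challenges it, in order.
    Returns ("connected", None) or ("terminated: 407 Proxy Authentication Required", realm)."""
    for hop in hops:
        challenge = f'Digest realm="{hop["realm"]}", nonce="{hop["nonce"]}", algorithm=MD5, qop="auth"'
        authz = client.answer_407("INVITE", uri, challenge)
        if authz is None or not hop_accepts(hop, "INVITE", authz):
            return ("terminated: 407 Proxy Authentication Required", hop["realm"])
    return ("connected", None)


# Constructed hops: the ITSP's proxy, and a hypothetical firewall that also challenges.
PROVIDER = {"realm": "trunk.example", "nonce": "a1b2c3", "users": {"107trunk": "s3cret"}}
FIREWALL = {"realm": "fw.example", "nonce": "d4e5f6", "users": {"pbx": "fw-pass"}}

if __name__ == "__main__":
    one_realm = TrunkClient({"trunk.example": ("107trunk", "s3cret")})
    print(place_call(one_realm, [PROVIDER]))            # connected
    print(place_call(one_realm, [FIREWALL, PROVIDER]))  # terminated at fw.example
```

The realm in the 407's Proxy-Authenticate header is therefore the first thing to read when a call dies this way: if it is not the provider's realm, no trunk credential will ever satisfy it.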


I'm not sure where you are coming from here. AFAIK the SIP ALG on the Vigor does not present any challenge back to the SnomONE as it is transparent in its operation, hence why I don't have the issue with my other customers' PBX and also why I don't have any issue with it enabled on 2 x further Virtual IPPBX services we have deployed. An ALG should be transparent and not a 'full' proxy which would require usernames and passwords to operate. An ALG should only rewrite the header information to allow correct NAT traversal for datagrams that require it.

 

Regards

 

Martyn


LoL. Yes, in theory the ALG should be transparent. But we had to find out that many SIP ALG vendors act after the motto "if I don't understand it, I'll block it". That is where TLS comes into play. TLS has the advantage that the ALG has no chance to see the SIP packet and start messing with it. The ALG does not have to patch the packets for snom ONE anyway, as the SBC does all necessary steps to deal with devices behind NAT.

 

Bottom line: Use PnP for phones as much as possible. If you use the automatic provisioning, the PBX will set the phones to use TLS anyway (well, for snom phones). Then the ALG will be taken out of the picture.



Hi,

 

Yes, agreed. I've even found the Vigor SIP ALG has different effects from one model to the next.

 

I would use TLS, however the ITSP (Orbtalk) doesn't appear to support it. It's something I'll be asking them tomorrow, but when I configure it via the proxy address in the trunk interface configuration using '<sip gw ip address>:5061;transport=tcp' I get a 408 error.

 

Regards

 

Martyn

