Having random one-way audio issues. We are using our 4430 SBC as a SIP to SIP (one-to-one NAT) with nothing fancy. I have played around with the firewall and cannot figure out how to get the following error messages to go away, and I am not sure why they are not able to establish a data connection. Please help. I have opened a ticket with Adtran and am awaiting a response. Thanks in advance.
ip firewall
ip firewall stealth
no ip firewall alg ftp
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg pptp
no ip firewall alg h323
!
!
!
!
aaa on
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
qos map Voice 10
match dscp ef 26 31
priority percent 50
!
qos map QOS2 100
match any
bandwidth percent 25
set dscp 46
!
!
!
!
!
no ethernet cfm
!
!
!
!
interface gigabit-eth 0/1
description LAN
ip address 192.168.100.200 255.255.255.0
ip access-policy Private
media-gateway ip primary
qos-policy out Voice
no awcp
no shutdown
!
!
interface gigabit-eth 0/2
description Public
ip address 67.59.x.x 255.255.255.192
ip access-policy SIP
media-gateway ip primary
qos-policy out QOS2
no awcp
no shutdown
no lldp send-and-receive
!
!
!
!
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to 4430
permit ip any any
!
ip access-list extended WAN-Access
remark Allow list WAN-Access
permit udp host 216.82.x.x eq 5060 any
permit udp host 216.82.x.x eq 5060 any
permit udp any any range 10000 65000
!
!
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface gigabit-ethernet 0/2 overload
!
ip policy-class Public
! Implicit discard
!
ip policy-class SIP
allow list WAN-Access
These are the messages that are flooding the console and syslog.
Jun 29 17:09:48 FIREWALL: id=firewall time="2015-06-29 17:09:48" fw= pri=1 rule=19 proto=10133/udp src=67.231.4.102 dst=67.59.x.x msg="Data connection not established from remote from SIP policy-class on interface giga-eth 0/2" agent=AdFirewall
Jun 29 17:08:24 FIREWALL: id=firewall time="2015-06-29 17:08:24" fw= pri=1 rule=2 proto=22636/udp src=67.59.x.x dst=4.55.10.70 msg="Data connection not established from remote from SELF policy-class on interface Loopback" agent=AdFirewall
Jun 29 17:11:20 FIREWALL: id=firewall time="2015-06-29 17:11:20" fw= pri=1 rule=15 proto=10143/udp src=192.168.17.10 dst=192.168.100.200 msg="Data connection not established from remote from Private policy-class on interface giga-eth 0/1" agent=AdFirewall
Hi apm:
Are you planning to use RTP media anchoring or NAT audio traffic?
In the SIP policy-class, I think you will need a destination on the allow policy:
allow list WAN-Access self
Best,
Chris
Chris,
We are running media anchoring. This has been in production for a couple of years and has been having intermittent issues for a long time (I just came on board to help). We have several private PBX trunks pointed to the SBC on the LAN side and one SIP carrier on the WAN.
Thanks,
Preston
The message "Data connection not established from remote" indicates that a passive firewall session has exceeded its timeout without having been used. Search for this message in the document "IPv6 Firewall Protection in AOS" for a more detailed explanation. I believe you could see such a message in cases where the remote host is not sending RTP, for example. Could there be an issue with one of the PBXes or the SIP trunk provider with one-way audio or something for which the message is providing an indication? Perhaps the cause does not lie within the SBC.
Did you receive any useful information from ADTRAN Support so far?
Chris
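An added example, not part of the original thread and not ADTRAN code: a Python sketch that parses the "Data connection not established from remote" lines posted above and counts them per policy-class, interface and source, so the peers whose sessions time out unused stand out. The sample lines are copied from the thread; the function names, and reading the number in proto= as a UDP port, are assumptions.

```python
import re
from collections import Counter

# Sample lines copied from the thread above (addresses masked as posted).
SAMPLE = """
Jun 29 17:09:48 FIREWALL: id=firewall time="2015-06-29 17:09:48" fw= pri=1 rule=19 proto=10133/udp src=67.231.4.102 dst=67.59.x.x msg="Data connection not established from remote from SIP policy-class on interface giga-eth 0/2" agent=AdFirewall
Jun 29 17:08:24 FIREWALL: id=firewall time="2015-06-29 17:08:24" fw= pri=1 rule=2 proto=22636/udp src=67.59.x.x dst=4.55.10.70 msg="Data connection not established from remote from SELF policy-class on interface Loopback" agent=AdFirewall
Jun 29 17:11:20 FIREWALL: id=firewall time="2015-06-29 17:11:20" fw= pri=1 rule=15 proto=10143/udp src=192.168.17.10 dst=192.168.100.200 msg="Data connection not established from remote from Private policy-class on interface giga-eth 0/1" agent=AdFirewall
""".strip()

# Range from the posted WAN-Access list: "permit udp any any range 10000 65000".
MEDIA_PORTS = range(10000, 65001)

# key=value pairs; values are either "quoted" or bare (possibly empty, as in "fw=").
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
MSG = re.compile(r"Data connection not established from remote from (\S+) "
                 r"policy-class on interface (.+)$")


def parse_line(line):
    """Parse one AdFirewall line; return None unless it is a session-timeout event."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    m = MSG.search(fields.get("msg", ""))
    if not m:
        return None
    # Assumption: the number in proto=NNNN/udp is the UDP port of the unused session.
    number, _, transport = fields.get("proto", "").partition("/")
    port = int(number) if number.isdigit() else None
    return {
        "policy": m.group(1), "iface": m.group(2),
        "src": fields.get("src"), "dst": fields.get("dst"),
        "port": port, "transport": transport,
        "media_range": port is not None and port in MEDIA_PORTS,
    }


def summarize(text):
    """Count timeout events per (policy-class, interface, source address)."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            counts[(event["policy"], event["iface"], event["src"])] += 1
    return counts


if __name__ == "__main__":
    for (policy, iface, src), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  policy-class={policy:<8} interface={iface:<13} src={src}")
```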
Chris,
Thanks for the information. I did get a call from Adtran and cleaned up some issues with the configuration. I needed an additional ACL for Internal-Internal traffic to allow private ranges to each other, and needed to upgrade the AOS. They also gave me a command to limit the amount of console messages and syslog that I was receiving from the SBC. From Global Command configuration:
ip firewall attack-log threshold xxxxx
Thank you for helping; it is much appreciated. Hopefully this will help someone else.
Thanks,
Preston
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Jay