Palo Alto Networks Knowledgebase: VOIP Traffic is Being Dropped

VOIP Traffic is Being Dropped

12450
Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Resolution

Issue

Topology:  Call Manager------PAN------VoIP

Following an upgrade, the Call Manager is trying to send RST packets to the VoIP phones to re-initiate the connections. The firewall is not aware of the existing sessions and is dropping all the RST Packets.

Resolution

The RST packets are being dropped on the Palo Alto Networks firewall as they are identified as "out-of-order", by the global counters.

To bypass the asymmetric path causing the RST drops, use the following command:

> configure
# set deviceconfig setting tcp asymmetric-path bypass
# Commit

A more detailed bypass can be configured with this command:

# set deviceconfig setting tcp asymmetric-path bypass

+ bypass-exceed-oo-queue   whether to skip inspection of session if out-of-order packets limit is exceeded

+ check-timestamp-option   whether to drop packets with invalid timestamp option

+ favor-new-seg            whether to favor new segments when overlapping happens

+ urgent-data              clear urgent flag in TCP header

owner:  kalavi



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clr8CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language