Try Out the New 3CX SIP ALG - Firewall Check

Discussion in '3CX Phone System - General' started by stefan, Aug 8, 2017.

Thread Status:
Not open for further replies.
  1. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,198
    Likes Received:
    79
    Continue reading the Original Blog Post.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    teldata1 likes this.
  2. AdamTTG

    Joined:
    Apr 3, 2017
    Messages:
    6
    Likes Received:
    10
    An external application which does the same would be great, so it can be used at test sites to make sure SIP ALG is off.
     
    nb and StefanW like this.
  3. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,198
    Likes Received:
    79
    dont worry, we will have you covered in the second step to ensure a remote side is running SIP ALG or not....
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    pmterp and teldata1 like this.
  4. AdamTTG

    Joined:
    Apr 3, 2017
    Messages:
    6
    Likes Received:
    10
  5. jem1

    Joined:
    Aug 29, 2012
    Messages:
    77
    Likes Received:
    30
    I have a suspicion that one of our customers on 3CX who has issues (the SIP provider had to put in work arounds) has SIP ALG running on the ISP end as the ISP admitted they used Mikrotiks and at least one has SIP ALG running, I can't wait for this check to be built in plus the second part, I'd love to test it and then fire back at the ISP because they have caused our customer so much grief with VoIP registrations dropping.
     
    Nick Galea and nb like this.
  6. StefanW

    StefanW Head of Customer Support and Training
    Staff Member 3CX Support

    Joined:
    Jun 2, 2009
    Messages:
    1,198
    Likes Received:
    79

    it is already in the beta, just start the firewall checker from the Dashboard again and it is there! But you pin pointed the reason out why we added it!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. jem1

    Joined:
    Aug 29, 2012
    Messages:
    77
    Likes Received:
    30
    Not going to put a customer on beta release. However I am running it at home with a Sophos XG Firewall and it had SIP alg turned on by default and it can only be turned off by CLI.

    https://community.sophos.com/kb/en-us/123523

    After i unloaded the SIP module the SIP alg detector did not find SIP ALG anymore!

    Also our Barracuda F80 firewall has SIP ALG turned on by default in the rules, when I get a chance i'll test it here at work, as the rules are turned off at the moment and we have SP1 Beta loaded.
     
    Nick Galea, nb and StefanW like this.
  8. 3puntozero

    Joined:
    Jul 2, 2010
    Messages:
    6
    Likes Received:
    1
    The test fails with pfSense firewall.
    The version I've checked is 2.3.4-RELEASE-p1
     
  9. GarethM

    Joined:
    Apr 10, 2017
    Messages:
    6
    Likes Received:
    1
    SIP ALG test fails with TP-Link WD9977, confirmed SIP ALG unticked in router advanced settings
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. 3puntozero

    Joined:
    Jul 2, 2010
    Messages:
    6
    Likes Received:
    1
    The test fails with cloud servers hosted by OVH too.
     
    nb likes this.
  11. Steven Cage

    Joined:
    Feb 8, 2017
    Messages:
    8
    Likes Received:
    4
    The 'Detecting SIP ALG' test fails with a Cisco Meraki MX80.
     
    nb likes this.
  12. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    You care only to see if there is a sip alg on the network bordering the pbx. You do not need to test other sites. At least for now.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    yes keep us informed.. it is a ginormous task to test sip alg logic behind all possible fw so any feedback will be greatly appreciated.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Network Emad likes this.
  14. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    Cisco device.. Sometimes you need to turn it ON and it is for the world OFF. And OFF is for the world ON.. It is strange but I have seen devices do sip transformations with the sip alg option off!!! Weird but true..

    Do you have sip alg on and the 3CX Checker did not detect it? Maybe it gets enabled only when you make a call. Prove it is on and doing transformations by capturing a call. Maybe it is on and it does nothing.,. I have seen cases like this also.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    This should work. Maybe you have port issues in the first place. this has to work so you have something either in the ovh configuration or something else in the network.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. Tim H

    Joined:
    Aug 11, 2017
    Messages:
    7
    Likes Received:
    0
    Running C3X 15.5.5 behind at Cisco SA540 Security Appliance and although I have the firewall configured and SIP ALG Off, I cannot get the firewall test to pass.

    I did try the SIP ALG enabled and disabled and it fails both way.

    Any help or thoughts appreciated.
     

    Attached Files:

  17. Frick

    Joined:
    Jun 2, 2017
    Messages:
    8
    Likes Received:
    3
    The SIP ALG is failing on my Sophos XG firewall. I have the SIP Helper on the firewall disabled and do not have any audio issues (I do if I enable the SIP Helper), so I am assuming it is a false positive.
     
  18. Paul Mul

    Joined:
    May 2, 2017
    Messages:
    1
    Likes Received:
    0
    Upgraded to 3CX 15.5.5 behind a Draytek 2860 Firewall/Router. Detecting SIP ALG Failed when running Firewall Test. I can confirm that the Firewall Test passed before I performed the upgrade.

    I tried the same on a new install in a new site with the same results (Detecting SIP ALG Failed)

    Any advise helpful.
     
  19. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    4,381
    Likes Received:
    278
    Please try again now and see if that works now. There was an issue with the servers services and it is now resolved
     
  20. gulib

    Joined:
    Aug 3, 2017
    Messages:
    24
    Likes Received:
    2
    It works correctly now. Shows "Not Detected" on google compute engine. thnk you.
     
    accentlogic likes this.
Thread Status:
Not open for further replies.