The U1960 cannot register with the remote server through the USG5530S, but the IP phone can

Publication Date: 2014-10-31
Issue Description
The customer uses a USG5530S firewall as the gateway device. In the current network, the IP phone can register with the remote IMS through the USG5530S, but the U1960 device cannot.

The network topology is shown:
Handling Process
The customer sent us packets captured at the uplink interface of the USG5530S.

(1) After analyzing the captured packets and the detailed network topology information (the devices' IP addresses), I found that the IP address of the IP phone (172.20.2.251) was translated by NAT to the public IP address xxx.yyy.156.66 when sent from the USG5530S, so the IP phone can register normally.

I then checked the captured packets related to the U1960 device, whose IP address is 172.23.0.3. According to the captured packets, the source IP address of the packets sent from the USG5530S is always 172.23.0.3. This is a private IP address, but the IMS server is deployed on the public network. So when the U1960 register packets reach the IMS server with a private source IP address, the IMS server's response packets cannot reach the USG5530S device, because there is no route for private IP addresses on the Internet. The captured packets confirm this: none of the U1960 register requests received any response from the IMS server.
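The two symptoms described above (a private source address on the uplink and no reply from the IMS server) can be checked automatically over a capture summary. This is an added example, not part of the original case: the tuple format is an assumption, and 203.0.113.66 and 198.51.100.12 are constructed placeholders for the masked public addresses.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches the
# documentation ranges used for the constructed public addresses below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# Constructed sample of an uplink capture: (source, destination, SIP summary).
# 203.0.113.66 stands in for the NAT address of the IP phone, 198.51.100.12
# for the IMS server; 172.23.0.3 is the U1960 address from the case.
SAMPLE_CAPTURE = [
    ("203.0.113.66", "198.51.100.12", "REGISTER"),
    ("198.51.100.12", "203.0.113.66", "401 Unauthorized"),
    ("203.0.113.66", "198.51.100.12", "REGISTER"),
    ("198.51.100.12", "203.0.113.66", "200 OK"),
    ("172.23.0.3", "198.51.100.12", "REGISTER"),
    ("172.23.0.3", "198.51.100.12", "REGISTER"),
    ("172.23.0.3", "198.51.100.12", "REGISTER"),
]

def find_untranslated_flows(packets):
    """Return {(src, dst): stats} for REGISTER flows that left the uplink
    with an RFC 1918 source address towards a non-RFC 1918 destination."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0})
    for src, dst, summary in packets:
        if (summary.startswith("REGISTER") and is_rfc1918(src)
                and not is_rfc1918(dst)):
            flows[(src, dst)]["requests"] += 1
    # Count any packets coming back to the untranslated source address.
    for src, dst, _summary in packets:
        if (dst, src) in flows:
            flows[(dst, src)]["responses"] += 1
    return dict(flows)

if __name__ == "__main__":
    for (src, dst), stats in find_untranslated_flows(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {stats['requests']} REGISTER without NAT, "
              f"{stats['responses']} responses")
```
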

You can see this information in the following packets:



(2) I then checked the USG5530S configuration to see whether NAT was configured for the U1960 device's IP address 172.23.0.3. This confirmed that the NAT configuration (NAT server) was in place. In that case, the private IP address may not have been translated because a SIP session from 172.23.0.3 to xxx.yy.95.12 already existed on the USG5530S before the NAT commands for 172.23.0.3 were configured. As long as this session exists, subsequent register packets are forwarded directly and are not translated, even though the USG5530S has NAT configured for the U1960 IP address 172.23.0.3.

If this is the root cause, the current SIP session must be deleted for NAT to take effect. The commands are as follows:

    <USG5530S>reset firewall session table source global 172.23.0.3
    Or:
    <USG5530S>reset firewall session table source inside 172.23.0.3


After these commands were run, the U1960 device could register with the IMS server, and the issue was resolved.

Root Cause
The root cause is that a SIP session from 172.23.0.3 to xxx.yy.95.12 already existed on the USG5530S before the NAT commands for IP address 172.23.0.3 were configured. As long as this session exists, subsequent register packets are forwarded directly and are not translated by NAT.
Solution
The solution is to delete the existing SIP session from 172.23.0.3 to xxx.yy.95.12.
Suggestions
For the NAT function, pay attention to existing sessions. If sessions already exist and continuously carry traffic, and you want NAT to take effect immediately, delete the existing sessions.
