One-way audio on VoIP phones when traffic flows through the USG firewall gateway

Publication Date: 2013-12-25
Issue Description
The customer uses a USG2210 and a USG2110 as the network gateways, and the service is VoIP telephony. The issue is that the person at HQ can hear the branch's voice, but the branch cannot hear the HQ's voice.
Alarm Information
None
Handling Process
(1) Check the basic route configuration. I used the “ping” command to test the network route and found that the network is normal.

(2) Check whether the VoIP service uses a multi-channel protocol, and check the USG configuration. After analyzing the configuration of the two firewalls, I found that there is no NAT configuration, so the NAT ALG feature does not need to be configured.

(3) After the above analysis and checks, I found that the route and NAT ALG configuration are correct. I then wondered whether some VoIP data packets were being dropped by the firewalls, so I asked the customer to help me run a call test while collecting the firewall sessions on the two devices. After analyzing the sessions, I found that the data packets are forwarded by the firewalls and no packets are dropped. Some of the sessions are as follows:

Branch firewall sessions:
[Gribbles-pen]display firewall session table verbose high-priority global 10.29.32.100
  udp,
  10.29.32.100:21009<--x.29.18.95:21015
  trust<--untrust,    Receive interface: Tunnel1
  Send interface: Vlanif10,    Next-hop: 10.29.32.100
  tag: 0x1080,    State: 0x58,    ttl:  00:02:00    left:  00:01:59 VpnId:0
  InTotalPkt:8,  InTotalByt:948,  OutTotalPkt:8,  OutTotalByt:
  udp,
  10.29.32.100:21008-->x.29.18.95:21014
  trust-->untrust,    Receive interface: Vlanif10
  Send interface: Tunnel1,    Next-hop: 172.29.18.95
  tag: 0x11080,    State: 0x58,    ttl:  00:02:00    left:  00:02:00 VpnId:0
  InTotalPkt:855,  InTotalByt:68400,  OutTotalPkt:863,  OutTotalByt:69040   

HQ firewall session:
[Gribble-Tecna-HQ]display firewall  session table  verbose  destination global x.29.18.95   
12:11:09  2013/11/27
Current Total Sessions : 3
  udp  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:02:00  Left: 00:01:59
  Interface: Vlanif21  NextHop: 1.1.1.2  MAC: 00-24-a8-3a-cb-00
  <--packets:476 bytes:38192   -->packets:477 bytes:38188  
  10.29.32.100:21008-->x.29.18.95:21014

[Gribble-Tecna-HQ]display firewall  session table  verbose  destination global 10.29.32.100    
12:11:58  2013/11/27
Current Total Sessions : 3
  udp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:01:58
  Interface: Tunnel11  NextHop: 10.29.32.100  MAC: 00-00-00-00-00-00
  <--packets:14 bytes:1616   -->packets:16 bytes:1896              
  x.29.18.95:21015-->10.29.32.100:21009

(4) According to the above VoIP sessions collected from the two firewalls, during the call test the number of data packets from the branch phone to the HQ phone is much larger than the number from the HQ phone to the branch phone. And for any one session on the two firewalls, the packet counts are nearly the same, so the firewalls do not drop any packets.
According to the above analysis, the root cause may be that the HQ phone has a problem and sends only a few packets to the branch phone, so the branch side cannot hear the HQ voice.
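The two checks from steps (3) and (4) can be scripted over saved session output. The following is an added example, not code from the original case or from the vendor: the function names and the `slack`, `tol` and `ratio` thresholds are assumptions, the sample text is trimmed from the captures above, and the two packet counters of each entry are compared as printed without assuming which direction each one counts.

```python
import re
from collections import defaultdict

# Constructed sample: session entries from the two captures on this page,
# trimmed to the lines the parser needs (the two devices print different formats).
BRANCH = """\
  udp,
  10.29.32.100:21009<--x.29.18.95:21015
  InTotalPkt:8,  InTotalByt:948,  OutTotalPkt:8,  OutTotalByt:
  udp,
  10.29.32.100:21008-->x.29.18.95:21014
  InTotalPkt:855,  InTotalByt:68400,  OutTotalPkt:863,  OutTotalByt:69040
"""
HQ = """\
  udp  VPN:public --> public
  <--packets:476 bytes:38192   -->packets:477 bytes:38188
  10.29.32.100:21008-->x.29.18.95:21014
  udp  VPN:public --> public
  <--packets:14 bytes:1616   -->packets:16 bytes:1896
  x.29.18.95:21015-->10.29.32.100:21009
"""

EP = r"((?:\w+\.){3}\w+):\d+"          # host:port; host may be masked ("x.29.18.95")
FLOW = re.compile(EP + r"\s*(-->|<--)\s*" + EP)
COUNTS = re.compile(r"(?:InTotalPkt|<--packets):(\d+).*?(?:OutTotalPkt|-->packets):(\d+)")

def parse_sessions(text):
    """Return [(src_host, dst_host, pkts_a, pkts_b)] for each 'udp' entry."""
    out = []
    for block in re.split(r"(?m)^\s*udp\b", text)[1:]:
        f, c = FLOW.search(block), COUNTS.search(block)
        if not (f and c):
            continue                     # incomplete entry: skip rather than guess
        a, arrow, b = f.groups()
        src, dst = (a, b) if arrow == "-->" else (b, a)
        out.append((src, dst, int(c.group(1)), int(c.group(2))))
    return out

def analyse(text, slack=2, tol=0.05, ratio=10):
    """Apply the two checks to one device's capture (thresholds are assumptions)."""
    per_dir, clean = defaultdict(int), True
    for src, dst, a, b in parse_sessions(text):
        per_dir[(src, dst)] += max(a, b)
        # Check 1: both counters of a session nearly equal -> firewall forwarded it.
        clean &= abs(a - b) <= max(slack, tol * max(a, b))
    # Check 2: one direction carries far fewer packets than the other.
    quiet = [d for d, n in per_dir.items() if n * ratio < max(per_dir.values())]
    return clean, quiet
```

On both captures `analyse` reports consistent per-session counters and flags the x.29.18.95 to 10.29.32.100 direction as nearly silent, which points at the sending endpoint rather than at either firewall.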
Root Cause
Given the symptom, at the network layer the following causes could produce the issue:
(1) The route from HQ to the branch is incorrect; in particular, the VoIP service may use a multi-channel protocol, so some routes may be missing;
(2) The NAT feature may be used on the firewall without the NAT ALG feature being enabled.
Suggestions
Solution:
     According to the customer's feedback, the root cause is that the HQ phone is broken; the customer is going to replace or repair it. The issue is not related to the firewall device.

Suggestions:
     The firewall is an intermediate network device. Under complex service conditions, we need to understand the features and principles of the service; this helps us solve the issue.
