[asterisk-users] Anyone used WatchGuard SIP ALG?
tony at softins.co.uk
Tue Apr 22 12:26:58 CDT 2014
In article <616B4ECE1290D441AD56124FEBB03D0818EB7AE075 at mailserver2007.nyigc.globe>,
Eric Wieling <EWieling at nyigc.com> wrote:
> I would be very surprised is anyone uses WatchGuard SIP ALG. For the
> past 12 years the advice has always been "Disable SIP ALG and let
> Asterisk do the NAT fixup itself" on any firewall, regardless of brand.
> I wish you the best of luck.
The only way we were able to get that to work was by using the
"media_address" setting within sip.conf to override the IP address in the
; The IP address used for media (audio, video, and text) in the SDP can also be overridden by using
; the media_address configuration option. This is only applicable to the general section and
; can not be set per-user or per-peer.
; media_address = 172.16.42.1
However, this only works if the box is ONLY talking to outside SIP
endpoints, since for some bizarre reason, media_address is global
rather than per-peer. So setting it to the customer's external IP
address renders all internal SIP endpoints non-functional, as they
then receive the external IP address in the SDP.
But as I said, the proper solution to a broken SIP ALG is to fix the
ALG, not just to give up on it. There's no reason it can't be made
to work correctly, and it enables RTP ports to be opened and closed
as required, instead of having a complete range permanently open.
Such a pity WatchGuard is closed-source.
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tony Mountifield
> Sent: Tuesday, April 22, 2014 12:12 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] Anyone used WatchGuard SIP ALG?
> In article <CAHE6+j3hb5d8mJfY69F73TVwZus9ZAQrDakt4+iW+tx58_uZ=g at mail.gmail.com>,
> Ishfaq Malik <ish at pack-net.co.uk> wrote:
> > On 22 April 2014 16:24, Tony Mountifield <tony at softins.co.uk> wrote:
> > > Has anyone here used Asterisk inside a WatchGuard firewall, talking
> > > via the WatchGuard SIP Application Layer Gateway to an outside SIP service?
> > >
> > > I have a customer doing just that, and I am 100% convinced there is
> > > a bug in the ALG regarding the media port number it inserts into the
> > > SDP when it rewrites it. However, either they or WatchGuard will not
> > > accept there is a bug, despite my very detailed description of it.
> > >
> > > So if anyone else has any experience of using this product, I'd be
> > > very interested to hear from you. Thanks!
> > >
> > Just about every SIP ALG (Watchguard included) makes things worse or
> > simply not work.
> Maybe, but that doesn't mean the concept is flawed. It should be
> possible to do it correctly.
> > Have you tried to simply disable it?
> Yes, the customer has tried that, but since NAT is involved, the lack of
> SDP rewriting means that the media streams do not get routed correctly.
> But I am specifically looking for people with experience of this
> particular product, rather than for general advice, as I am seeking
> support for my assertion that it has a specific bug that the vendor
> needs to acknowledge and fix.
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
More information about the asterisk-users