<br><br><div class="gmail_quote">2008/10/23 Kristian Kielhofner <span dir="ltr"><<a href="mailto:kkielhofner@star2star.com">kkielhofner@star2star.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d">Most of the "anything but simple PAT" devices I've seen that implement</div>
any SIP specific fixups usually end up breaking something along the<br>
line. Unless the product is from a company where SIP is their core<br>
competency (like Ingate, or /maybe/ Cisco) it's best to stay away<br>
and/or disable the SIP specific fixups wherever possible.<br></blockquote></div><br><div><br></div><div>CISCO PIX's SIP "fixup" stuff breaks authentication from a SIP device if the SIP device is using an IP address for the proxy and not a DNS name.</div>
<div><br></div><div>This is because the PIX rewrites the proxy's IP address where-ever it is seen. And that includes inside the authentication challenge line. (The PIX appears to do a literal search-and-replace in the SIP headers). Which means the authentication fails. </div>
<div><br></div><div>We hit this twice with customers. Unfortunately long enough apart that I had to debug it all over again because I forgot about it...</div><div><br></div><div>The workaround is to use a DNS name to address the proxy.</div>
<div><br></div><div>So its definitely not just Sonicwall.</div><div><br></div><div>Steve</div><div><br></div>