SG300 switches behind Barracuda X400 FW

[DrB0b]

Hello all this is not going to be an easy question to answer but I hope someone will chime in and point me in some direction.

The basic layout of our system is ISP - Barracuda X400 FW - 8 individual Cisco SG300 switches - PCs/Phones/printers/etc. We are moving to 8x8 Cloud VoIP and apparently there is an issue between how the X400 randomizes the NAT port for outbound traffic and sometimes the VoIP phones work fine and other times there is just dead air. I have been in contact with Barracuda and they assure me that I have my VoIP rule set correctly. Another wrench in the equation is that we have all but 3 softphones in the building, meaning that all of our IPs are our PCs. If we were dealing with hard phones this would be easy, put all traffic on a different subnet and point its gateway wherever. But we need all but the VoIP traffic to go through the Barracuda still.

We have two subnets that the phones will operate on: 10.0.4.x and 10.0.2.x. Hard phones are on .2 and all soft phones and PCs are on .4.

So now enter my conundrum. We have an old Watchguard FW that we are wanting to push just the VoIP traffic through since the Barracuda could be messing with stuff. To do this, we will need this basic setup: ISP - Barracuda X400 and Watchguard XTM525 in parralel - 8 Cisco SG 300s - clients.

Long story short, here are the static routes I have set. Does this look correct or am I messing it up with the 10.0.4.0 route which was put in after the VLAN creation?

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[DrB0b]

Basically all of the IPs but the 10.0.4.0 and the 172.16.20.0 are the IPs of the 8x8 servers, just to clarify.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[iggsterman]

Before you start replacing firewalls allow me suggest the following, please.
1. Preferred way: All modern soft and hardware phones can be configured to sit behind a NAT device. That should fix w/o even dealing with the Barracuda.
2. Tell Barracuda support to FIX IT. If they say it is correct then it should work, shouldn't it?

 

[whykap]

Are the phones SIP? I would think they are. Is the FW set for SIP inspection?
Most FWs are by default. I would start by turning SIP inspection off and see if you issues go away.

 

[iggsterman]

Turning off SIP inspection may only help if there's no NAT between phones and the server. Otherwise it will break things even worse.

 

[DrB0b]

Yes, SIP phones. We have QoS set up with UDP as highest priority traffic, UDP set to 600s timeout as per 8x8, packet inspection is turned off.

Yea Ive spoken with 3 different techs at Barracuda and none have an answer. The issue is so intermittent that it is hard to troubleshoot. Here is what the 8x8 VoIP say:
"The issues you are experiencing are caused by the Barracuda's standard security feature of randomizing the NAT port for outbound traffic.

This causes our proxy to respond to the NAT port that the session started with, even if the firewall has changed the NAT binding mid-session. This results in SIP signals and RTP data streams being sent to the wrong port, and replies from the endpoint (outbound traffic) being rejected by the proxy due to the session's address mismatch.

This accounts for the destination port unreachable and connection rejections seen in your firewall logs, in addition to the no-way audio calls."

This doesn't seem like it would allow it to be an intermittent issue. That explanation seems to me that all traffic should be messed up, not just some traffic.


Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[DrB0b]

Can anyone at least let me know if Im doing my static routes correctly? Ive been trying to route some of this traffic to the other firewall for testing but with what I have above it wont send it to 10.0.2.236, the IP of the Watchguard FW.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[iggsterman]

You will have SIP problems (no aduio or one way audio) with ANY NAT device unless you make certain provisions and IMHO this is a waste of everyone's time. Like I said, enable "SIP over NAT" and things will get better.
Having said all this if you still insist, please clarify the IP addresses of the VLAN interfaces on the SG300 and the same, directly connected the switches, on the firewalls. I do not see 10.0.2.0 as connected.
Also, there are quite a few static routes and no default one. Is that intentional?

 

[DrB0b]

So the 172.16.20.0 and 10.0.4.0 routes were put into play when the VLANs were created. The only traffic on this particular switch is likely on those two networks. So the only VoIP traffic in this case is over the 10.0.4.0 subnet. This subnet is the main subnet for all of our LAN traffic but since they are on softphones it has VoIP as well. On other SG300s I also have a 10.0.2.0 subnet that is strictly for VoIP traffic of our analogue phones and hard phone traffic.

I have talked with three different Barracuda techs and they all assure me that everything on the Barracuda is set up correctly and there are no other VoIP settings I can enable/change. I would love just to modify the Barracuda and be done with this but that does not seem possible. Is it possible there is a setting on the SG300s I am missing for the VoIP traffic? I currently have all of the 10.0.2.0 traffic going out the Watchguard firewall just to test that it isnt a SG300 or Barracuda issue but I need to let it run longer to test.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[DrB0b]

Im starting to think that all of our SG300s are not configured properly for VoIP communication. Could you see if this setting is incorrect? I believe it is.

So our 10.0.4.0, or our main LAN network that is also doing our VoIP traffic now, should be the VoiceVLAN, right?

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[DrB0b]

I think I might be making this needlessly complicated so Im going to break it down to its base in hopes what Im trying to accomplish becomes more clear.

I have Firewall 1 (FW1), Firewall 2 (FW2), SG300 switch, PCs w/ softphones as our network like so, and sorry in advance for the poor mspaint drawing:

So basically all internet traffic needs to go out FW1 while all VoIP traffic out FW2. Would you accomplish this with ACL or static routes? Can you do some type of rule based on the high UDP ports that will be in use?

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

 

[DrB0b]

So what I believe I found out is that I will need to tag my traffic from within Windows and run a voice vlan dot1p since using the LAN VLAN as the VOICE VLAN will break the traffic. I will experiment with this but if anyone has anything they would like to add, feel free.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.