Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SIP and H.323 ALG not used by default

  • 1.  SIP and H.323 ALG not used by default

    Posted Apr 05, 2017 07:44 PM

    The netservices for SIP and H.323 do not use their corresponding ALGs by default on the controller even though stateful firewall processing is enabled for both. Why is this? Is there any harm in enabling these ALGs? Would a maintenance window be required?

     

    We are on 6.4.4.11.



  • 2.  RE: SIP and H.323 ALG not used by default

    EMPLOYEE
    Posted Apr 05, 2017 08:28 PM
    I believe they are enabled by default. You just need to add the netservice to your user ACL and you should be good.


  • 3.  RE: SIP and H.323 ALG not used by default

    Posted Apr 05, 2017 10:24 PM

    Check out the highlighted items below. This is the default on the controller and has been since at least as long as I knew what an ALG actually is. The H.323 and TCP/UDP SIP netservices do not use their ALG out of the box, unlike other voice protocols such as SCCP, SIPS, and Vocera:

     

    netservice svc-ipp-tcp tcp 631
    netservice svc-dhcp udp 67 68 alg dhcp
    netservice svc-citrix tcp 2598
    netservice svc-pcoip-udp udp 50002
    netservice svc-netbios-ssn tcp 139
    netservice svc-tftp udp 69 alg tftp
    netservice svc-papi udp 8211
    netservice svc-ica tcp 1494
    netservice svc-natt udp 4500
    netservice svc-lpd tcp 515
    netservice svc-microsoft-ds tcp 445
    netservice svc-syslog udp 514
    netservice svc-msrpc-tcp tcp 135 139
    netservice svc-msrpc-udp udp 135 139
    netservice svc-smtp tcp 25
    netservice svc-http-proxy2 tcp 8080
    netservice svc-cfgm-tcp tcp 8211
    netservice vnc tcp 5900 5905
    netservice svc-web tcp list "80 443"
    netservice svc-h323-udp udp 1718 1719
    netservice svc-sccp tcp 2000 alg sccp
    netservice svc-http tcp 80
    netservice svc-bootp udp 67 69
    netservice svc-telnet tcp 23
    netservice svc-vmware-rdp tcp 3389
    netservice svc-ipp-udp udp 631
    netservice svc-noe-oxo udp 5000 alg noe
    netservice svc-vocera udp 5002 alg vocera
    netservice svc-esp 50
    netservice svc-http-proxy1 tcp 3128
    netservice svc-sec-papi udp 8209
    netservice svc-l2tp udp 1701
    netservice svc-rtsp tcp 554 alg rtsp
    netservice svc-gre 47
    netservice svc-sip-tcp tcp 5060
    netservice svc-pptp tcp 1723
    netservice svc-snmp udp 161
    netservice svc-svp 119 alg svp
    netservice svc-icmp 1
    netservice svc-smb-tcp tcp 445
    netservice svc-pcoip2-tcp tcp 4172
    netservice svc-v6-icmp 58
    netservice svc-ssh tcp 22
    netservice svc-h323-tcp tcp 1720
    netservice svc-ntp udp 123
    netservice svc-pop3 tcp 110
    netservice svc-netbios-ns udp 137
    netservice svc-adp udp 8200
    netservice svc-v6-dhcp udp 546 547
    netservice svc-dns udp 53 alg dns
    netservice svc-netbios-dgm udp 138
    netservice svc-http-proxy3 tcp 8888
    netservice svc-sip-udp udp 5060
    netservice svc-kerberos udp 88
    netservice svc-sips tcp 5061 alg sips
    netservice svc-pcoip2-udp udp 4172
    netservice svc-pcoip-tcp tcp 50002
    netservice svc-noe udp 32512 alg noe
    netservice svc-nterm tcp 1026 1028
    netservice svc-ike udp 500
    netservice svc-snmp-trap udp 162
    netservice svc-https tcp 443
    netservice svc-smb-udp udp 445
    netservice svc-ftp tcp 21 alg ftp

     



  • 4.  RE: SIP and H.323 ALG not used by default

    EMPLOYEE
    Posted Apr 06, 2017 06:36 AM
    Are you saying that when you apply the netservice to a user role, the ALG is not applied? I am trying to understand what is not happening "out the box".


  • 5.  RE: SIP and H.323 ALG not used by default

    Posted Apr 06, 2017 02:48 PM

    The SIP and H.323 netservices are applied to the voice role by default; it's not about applying it to a role at all.

     

    Compare these default configuration netservices...

    netservice svc-sip-tcp tcp 5060
    netservice svc-sip-udp udp 5060
    netservice svc-h323-udp udp 1718 1719
    netservice svc-h323-tcp tcp 1720

    ...to other default configuration netservices...

    netservice svc-sips tcp 5061 alg sips
    netservice svc-sccp tcp 2000 alg sccp
    netservice svc-vocera udp 5002 alg vocera
    netservice svc-noe-oxo udp 5000 alg noe
    netservice svc-noe udp 32512 alg noe

     

    See how the other voice netservices have their ALG turned on, but SIP and H.323 don't? This is default configuration.

     

    So back to my original question, would it be service impacting to turn on these ALGs on their respective netservices?

     

    And furthermore, why aren't they turned on by default out of the box?
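
An added example, not part of the original post and not Aruba code: a short Python audit that parses `netservice` lines like those quoted above and lists the voice-signalling services defined without an `alg` keyword. The sample configuration is a constructed subset of the thread's listing; the name hints used to classify a service as voice, and the reading of two ports as a range, are assumptions.

```python
import shlex

# Constructed sample: a subset of the default netservice lines quoted in the thread.
SAMPLE_CONFIG = """
netservice svc-web tcp list "80 443"
netservice svc-h323-udp udp 1718 1719
netservice svc-sccp tcp 2000 alg sccp
netservice svc-esp 50
netservice svc-sip-tcp tcp 5060
netservice svc-svp 119 alg svp
netservice svc-h323-tcp tcp 1720
netservice svc-sip-udp udp 5060
netservice svc-sips tcp 5061 alg sips
netservice svc-vocera udp 5002 alg vocera
"""

# Assumption: name fragments that mark a netservice as voice signalling.
VOICE_HINTS = ("sip", "h323", "sccp", "vocera", "noe", "svp")


def parse_netservice(line):
    """Parse one 'netservice' line into a dict, or return None for other lines."""
    tokens = shlex.split(line)  # keeps the quoted port list as a single token
    if len(tokens) < 3 or tokens[0] != "netservice":
        return None
    name, rest, alg = tokens[1], tokens[2:], None
    if "alg" in rest:  # optional trailing 'alg <name>'
        i = rest.index("alg")
        alg = rest[i + 1] if i + 1 < len(rest) else None
        rest = rest[:i]
    if not rest:
        return None
    proto, ports = rest[0], rest[1:]  # proto is tcp, udp or an IP protocol number
    if ports[:1] == ["list"]:
        spec = ",".join(" ".join(ports[1:]).split())  # list "80 443" -> "80,443"
    else:
        spec = "-".join(ports)  # two ports read as a range (assumption)
    return {"name": name, "proto": proto, "ports": spec, "alg": alg}


def voice_services_without_alg(config_text):
    """Return sorted names of voice netservices that have no ALG attached."""
    missing = []
    for line in config_text.splitlines():
        svc = parse_netservice(line)
        if svc and svc["alg"] is None and any(h in svc["name"] for h in VOICE_HINTS):
            missing.append(svc["name"])
    return sorted(missing)


if __name__ == "__main__":
    for name in voice_services_without_alg(SAMPLE_CONFIG):
        print("no ALG:", name)
```

Run against a saved copy of the controller configuration, this gives a quick before/after check of which voice netservices carry an ALG.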



  • 6.  RE: SIP and H.323 ALG not used by default

    Posted Apr 11, 2017 03:02 PM

    Any thoughts on this cjoseph?



  • 7.  RE: SIP and H.323 ALG not used by default

    EMPLOYEE
    Posted Apr 11, 2017 03:12 PM

    I don't know the answer to that general question.  It would be easier for me to find out what you are trying to do and help you with that specifically.



  • 8.  RE: SIP and H.323 ALG not used by default

    Posted Apr 11, 2017 03:59 PM

    Given: The SIP/H.323 ALG are turned off

     

    Question: What would the service impact be to turning them on?

     

    Given: Other voice ALGs are on by default

     

    Question: Why are the SIP/H.323 ALG off by default?



  • 9.  RE: SIP and H.323 ALG not used by default

    Posted Apr 11, 2017 04:08 PM

    Let me ask the first question a different way.

     

    We use both SIP and H.323 in our environment. Intuitively, it seems like we would benefit from having these ALGs turned on for the automatic prioritization. So, if we turned them on, is there risk? Or is overall performance going to be reduced?

     

    As for my second question, I am simply trying to find out why they aren't on by default. It seems that by being off by default, Aruba is implicitly saying that turning these ALGs on could cause an issue.



  • 10.  RE: SIP and H.323 ALG not used by default

    EMPLOYEE
    Posted Apr 11, 2017 04:10 PM

    Good question.  Let's see if we can find someone who knows the answer...



  • 11.  RE: SIP and H.323 ALG not used by default

    EMPLOYEE
    Posted Apr 11, 2017 05:02 PM

    It would seem that there are many interpretations of "H323".  Every vendor had a different implementation.  We only correctly interpreted and supported Avaya's version, unfortunately.  That is probably why it is turned off by default.