
Shoretel Call problems with Juniper SRX 220


Symptoms:

  • Calls to a workgroup on a different Shoretel site drop after a few seconds or time out
  • Calls to an ACD queue time out
  • Call transfers don’t work
  • Phones behind the Juniper SRX 220 had the same issues as above when registered to a Shoregear switch on a different site
  • Regular extension-to-extension calls work just fine

Setup:

  • The phones and the Shoregear switch are behind a Juniper SRX 220
  • The Shoregear is on a different VLAN from the phones

Findings:

  • We have worked intensively with Juniper support, and what they figured out is that the MGCP ALG on the Juniper SRX 220 is not handling the traffic correctly: the SRX does not process the second MDCX (MGCP ModifyConnection) message of a complex call as expected. If the Shoregear is on the same VLAN as the phones, the problem goes away. However, there are instances where you need the Shoregear to be on a separate VLAN, especially in a multistory building with only one Shoregear for the whole site, or when a Shoregear fails and you have to register the phones to a different site.

Workaround:

  • As of the time of this post, Juniper is still working on a fix. The workaround is to disable the MGCP ALG and instead explicitly permit the MGCP-related applications in the security policies between the sites.

#Disable the MGCP ALG (configuration mode)

set security alg mgcp disable

#Clear existing MGCP sessions so they are rebuilt without the ALG (operational mode)

clear security flow session application mgcp-ua
clear security flow session application mgcp-ca

#Allow MGCP traffic explicitly (predefined Junos application names are lowercase)

[edit security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP]
set match source-address NET-LOCAL
set match destination-address any
set match application junos-mgcp
set match application junos-mgcp-ca
set match application junos-mgcp-ua
set then permit

[edit security policies from-zone untrust to-zone trust policy UNTR-TR-MGCP]
set match source-address any
set match destination-address NET-LOCAL
set match application junos-mgcp
set match application junos-mgcp-ca
set match application junos-mgcp-ua
set then permit
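The following is an added, consolidated version of the same workaround in Junos set-format, written for this post and not taken from the original configuration or from Juniper or Shoretel documentation. It goes beyond the snippet above in two ways a firewall administrator would want: the policies are scoped to the local voice subnets and the remote Shoretel site instead of "any", since with the ALG disabled the SRX no longer inspects the MGCP payload and matches on ports alone, and the policies log session close so MGCP sessions show up in the syslog for troubleshooting. The zone names trust and untrust and the policy names come from the post; the address-book names NET-LOCAL-PHONES, NET-LOCAL-SHOREGEAR, NET-LOCAL and REMOTE-SITE-VOICE, their prefixes, and the zone-attached address-book syntax are assumptions (placeholders) and must be replaced with the real subnets.

```junos
## Added example configuration, not the original post's own config.
## Placeholders (assumptions): 10.10.20.0/24 phone VLAN, 10.10.30.0/24 Shoregear VLAN,
## 192.0.2.0/24 remote Shoretel site. Zone-attached address books as used on SRX 220 Junos releases.

## Address book: local voice subnets and the remote site
set security zones security-zone trust address-book address NET-LOCAL-PHONES 10.10.20.0/24
set security zones security-zone trust address-book address NET-LOCAL-SHOREGEAR 10.10.30.0/24
set security zones security-zone trust address-book address-set NET-LOCAL address NET-LOCAL-PHONES
set security zones security-zone trust address-book address-set NET-LOCAL address NET-LOCAL-SHOREGEAR
set security zones security-zone untrust address-book address REMOTE-SITE-VOICE 192.0.2.0/24

## Turn off the ALG that mishandles the second MDCX of complex calls
set security alg mgcp disable

## Outbound: local voice subnets to the remote Shoretel site only.
## junos-mgcp is the predefined application set that bundles
## junos-mgcp-ca (UDP 2727) and junos-mgcp-ua (UDP 2427).
set security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP match source-address NET-LOCAL
set security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP match destination-address REMOTE-SITE-VOICE
set security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP match application junos-mgcp
set security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP then permit
set security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP then log session-close

## Inbound: remote Shoretel site to local voice subnets only
set security policies from-zone untrust to-zone trust policy UNTR-TR-MGCP match source-address REMOTE-SITE-VOICE
set security policies from-zone untrust to-zone trust policy UNTR-TR-MGCP match destination-address NET-LOCAL
set security policies from-zone untrust to-zone trust policy UNTR-TR-MGCP match application junos-mgcp
set security policies from-zone untrust to-zone trust policy UNTR-TR-MGCP then permit
set security policies from-zone untrust to-zone trust policy UNTR-TR-MGCP then log session-close

## Commit with automatic rollback in case the change cuts off management access
commit confirmed 5

## Verification (operational mode, run from configuration mode with "run")
run show security alg status
run clear security flow session application mgcp-ua
run clear security flow session application mgcp-ca
run show security policies policy-name TR-UNTR-MGCP detail
run show security policies policy-name UNTR-TR-MGCP detail
run show security flow session application mgcp-ua
```

After the commit, the ALG status output should list MGCP as disabled, the policy detail output should show the two scoped policies with the junos-mgcp application set, and the flow session output should show new mgcp-ua sessions matching the new policies once the phones re-register. Policy order still matters: if a broader permit or deny for the same zone pair sits above these entries, use "insert security policies from-zone trust to-zone untrust policy TR-UNTR-MGCP before policy <existing-policy>" to move the MGCP policy ahead of it, and confirm the commit with a plain "commit" before the five minute confirmation window expires.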