Can we disable telephony ALG (SIP-Helper) for VPN connections?

Question

============

Can we disable ALG (SIP-Helper) for all VPN sessions?

If possible, for specific IP ranges or for AAA groups?

How can we do this? It is causing phone connections to drop for a specific customer that uses other vendors' equipment for VoIP calls passing through the Gateway VPN.

Answer

=============

Unfortunately, it is not possible to bind the SIP header drop policy to a VPN gateway or to an AAA group.

SIP rewrite policies get evaluated only against SIP protocol type binding points, like an LB VIP of type SIP.

As a possible path to disabling SIP processing on the ADC, you could:

====================

First – find a way to route all your SIP traffic to a SIP load-balancing virtual server.

Second – bind the rewrite policy to this LB vserver. This way, the SIP rewrite policy will get evaluated against SIP protocol traffic.

Like:

=====================

add rewrite action Drop_SIP_Helper_Act delete_sip_header SIP-Helper

add rewrite policy Drop_SIP_Helper_Pol "SIP.REQ.HEADER(\"SIP-Helper\").EXISTS" Drop_SIP_Helper_Act

This is the only way to disable SIP from the ADC standpoint.

You could bind the rewrite policy globally as well, but even so, only SIP protocol binding points (like SIP LB VIPs) will evaluate the policy.
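The two-step path the answer sketches, written out as one complete configuration. This is an added example, not the answer's own text: only the two rewrite lines come from the page; the service, virtual server, policy binding, and the addresses are assumed placeholders, and the surrounding command syntax is assumed from Citrix ADC CLI conventions rather than taken from the page.

```netscaler
# Added example (assumed names and addresses). Goal: give the SIP rewrite
# policy a SIP-typed binding point, because only SIP protocol binding points
# evaluate SIP.REQ.* expressions.

# 1. Backend SIP proxy/PBX that the VPN users' phones register against.
#    198.51.100.20 is a constructed placeholder address.
add service sip_backend_svc 198.51.100.20 SIP_UDP 5060

# 2. SIP-typed load-balancing virtual server (constructed VIP 192.0.2.10).
#    Phones, or the VPN routing, must be pointed at this VIP for SIP.
add lb vserver sip_lb_vs SIP_UDP 192.0.2.10 5060
bind lb vserver sip_lb_vs sip_backend_svc

# 3. Rewrite action and policy from the answer: remove the SIP-Helper header
#    whenever a SIP request carries it.
add rewrite action Drop_SIP_Helper_Act delete_sip_header SIP-Helper
add rewrite policy Drop_SIP_Helper_Pol "SIP.REQ.HEADER(\"SIP-Helper\").EXISTS" Drop_SIP_Helper_Act

# 4. Bind the policy to the SIP vserver in the request-time rewrite bank.
bind lb vserver sip_lb_vs -policyName Drop_SIP_Helper_Pol -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Verify: the policy hit counter should increase as SIP requests pass
#    through the vserver; zero hits means SIP is still bypassing the VIP.
show rewrite policy Drop_SIP_Helper_Pol
show lb vserver sip_lb_vs
```

The check in step 5 is the one that matters operationally: SIP that flows from VPN clients straight to the PBX, without traversing the SIP vserver, never meets the policy, which is exactly why the answer's first step (routing all SIP through the SIP LB vserver) is a precondition rather than an optimisation.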


Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability is due to improper processing of transient SIP packets on which NAT is performed on an affected device. An attacker could exploit this vulnerability by using UDP port 5060 to send crafted SIP packets through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-alg

This advisory is part of the September 25, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 13 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12646


Cisco IP Phone 7800 and 8800 Series Session Initiation Protocol Denial of Service Vulnerability

A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone.

The vulnerability is due to insufficient validation of input Session Initiation Protocol (SIP) packets. An attacker could exploit this vulnerability by altering the SIP replies that are sent to the affected phone during the registration process. A successful exploit could allow the attacker to cause the phone to reboot and not complete the registration process.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-ip-phone-sip-dos

Security Impact Rating: Medium

CVE: CVE-2019-1922


Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) implementation of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient validation of input SIP traffic. An attacker could exploit this vulnerability by sending a malformed SIP packet to an affected Cisco Unified Communications Manager. A successful exploit could allow the attacker to trigger a new registration process on all connected phones, temporarily disrupting service.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-cucm-dos

Security Impact Rating: High

CVE: CVE-2019-1887


Cisco IP Phone 7800 Series and 8800 Series Session Initiation Protocol XML Denial of Service Vulnerability

A vulnerability in the call-handling functionality of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause an affected phone to reload unexpectedly, resulting in a temporary denial of service (DoS) condition.

The vulnerability is due to incomplete error handling when XML data within a SIP packet is parsed. An attacker could exploit this vulnerability by sending a SIP packet that contains a malicious XML payload to an affected phone. A successful exploit could allow the attacker to cause the affected phone to reload unexpectedly, resulting in a temporary DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-phone-sip-xml-dos

Security Impact Rating: High

CVE: CVE-2019-1635


Cisco Small Business SPA514G IP Phones SIP Denial of Service Vulnerability

A vulnerability in the implementation of Session Initiation Protocol (SIP) processing in Cisco Small Business SPA514G IP Phones could allow an unauthenticated, remote attacker to cause an affected device to become unresponsive, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper processing of SIP request messages by an affected device. An attacker could exploit this vulnerability by sending crafted SIP messages to an affected device. A successful exploit could allow the attacker to cause the affected device to become unresponsive, resulting in a DoS condition that persists until the device is restarted manually.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-sip

Security Impact Rating: High

CVE: CVE-2018-0389


Cisco Meeting Server SIP Processing Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) call processing of Cisco Meeting Server (CMS) software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Cisco Meeting Server.

The vulnerability is due to insufficient validation of Session Description Protocol (SDP) messages. An attacker could exploit this vulnerability by sending a crafted SDP message to the CMS call bridge. An exploit could allow the attacker to cause the CMS to reload, causing a DoS condition for all connected clients.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-meeting-sipdos

Security Impact Rating: Medium

CVE: CVE-2019-1676


Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.

Software updates that address this vulnerability are not yet available. There are no workarounds that address this vulnerability. Mitigation options that address this vulnerability are available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

Security Impact Rating: High

CVE: CVE-2018-15454


Phone transfer failed from Watson Conversation via Voice Gateway

I have integrated a Voice Gateway with my IVR, together with my own SOE and three Watson services: SpeechToText, TextToSpeech and Watson Conversation.

In my conversation, on a specific intent, I would like to transfer my call to an agent via a phone or SIP transfer.

To do that, I have tried:
{
  "output": {
    "text": {
      "values": [
        "OK you will be transferered to an agent. Thank you. Bye"
      ]
    },
    "vgwAction": {
      "command": "vgwActTransfer",
      "parameters": {
        "transferTarget": "sip:005XXYYZZAA@10.70.143.75"
      }
    }
  }
}

I have also tried with the following transferTarget: tel:+335XXYYZZAA, but the transfer failed.

When I call, I get a message saying that the transfer has failed.
I don't know what I can do and I am a little bit lost.
Do you have any tips?
Thanks 😉
