BSS Source Port Range for Transport as TCP

skb007
Posts: 152
Joined: Mon Oct 05, 2015 10:22 pm
Location: USA

Post by skb007 »

1. Brekeke Product Name and Version: BSS3.8.6.4 Adv Ver

2. Java version: 1.8

3. OS type and the version: RHEL7

4. UA (phone), gateway or other hardware/software involved: NA

5. Your problem: What is the port range used by BSS as source port when leg-B transport is TCP?

We only need to punch a hole in the firewall for port 5060 for incoming packets from the customer's IP address when the transport is UDP.

But when the transport is TCP, I guess we need to punch a hole in the firewall for the range of ports used by BSS as source ports. Is this a correct understanding?

If yes, what is the port range used by BSS as source port when leg-B transport is TCP?
Harold
Posts: 289
Joined: Sun Sep 21, 2008 10:31 pm
Location: Japan

Post by Harold »

> What is the port range used by BSS as source port when leg-B transport is TCP?

It will be an available port.


> But when the transport is TCP, I guess we need to punch a hole in the firewall for the range of ports used by BSS as source ports. Is this a correct understanding?

No. You just need to open the TCP listening port, 5060, in the firewall.
As with other protocols over TCP, such as HTTP, you don't have to list local source ports for outgoing connections in the firewall.
skb007
Posts: 152
Joined: Mon Oct 05, 2015 10:22 pm
Location: USA

Post by skb007 »

#### SET UP DETAILS ####

BSS IP : bbb.bbb.bbb.bbb
BSS listen-port is :5060

Customer: IP: ccc.ccc.ccc.ccc
Customer Listen Port: 5060

Transport : TCP


######Cisco Router Firewall Access List#####
access-list 100 permit tcp host ccc.ccc.ccc.ccc host bbb.bbb.bbb.bbb eq 5060

#####Call Setup ########

A-leg comes to BSS, BSS initiates B-leg, and it establishes a TCP connection on the customer's IP.

1. BSS sends the INVITE using TCP with source port 12345 and destination port 5060.
2. Customer responds to the INVITE on TCP port 12345.

If TCP port 12345 is not open on my firewall then it is going to block that connection.

In the production environment, the firewall does not even let the TCP handshake complete if 12345 is not open.
janP
Posts: 336
Joined: Sun Nov 25, 2007 2:55 pm

Post by janP »

What kind of SIP client is the customer using?

Does your Cisco Router Firewall close an outgoing TCP connection just after the local entity sends a message over TCP? (If so, you cannot access the web from behind the router.)

According to RFC 3261:

> If the "sent-protocol" is a reliable transport protocol such as
> TCP or SCTP, or TLS over those, the response MUST be sent using
> the existing connection to the source of the original request
> that created the transaction, if that connection is still open.

So your customer's SIP client must send a SIP response back over the same transport connection on which the INVITE was received.
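
The firewall behaviour debated in this thread, as an added example that is not part of any poster's message or of Brekeke's code: a simplified Python model of a stateless TCP filter, evaluated on constructed segments. The `Rule` class, the `established` flag check (segments with ACK or RST set, as with the IOS `established` keyword), the customer source port 40000, and the assumption that the list filters traffic arriving from the customer side are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

BSS, CUST = "bbb.bbb.bbb.bbb", "ccc.ccc.ccc.ccc"   # placeholders from the thread

@dataclass(frozen=True)
class Segment:
    """One inbound TCP segment as a stateless packet filter sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

@dataclass(frozen=True)
class Rule:
    """Simplified 'permit tcp host SRC [eq P] host DST [eq P] [established]'."""
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False   # assumption: match only segments with ACK or RST set

    def matches(self, s: Segment) -> bool:
        return (s.src == self.src and s.dst == self.dst
                and self.sport in (None, s.sport)
                and self.dport in (None, s.dport)
                and (not self.established or bool(s.flags & {"ACK", "RST"})))

def permitted(acl, seg):
    """Any matching permit passes; everything else hits the implicit deny."""
    return any(rule.matches(seg) for rule in acl)

# Constructed sample traffic, all arriving from the customer side.
TRAFFIC = {
    "customer opens connection to BSS:5060": Segment(CUST, 40000, BSS, 5060, frozenset({"SYN"})),
    "SYN-ACK answering BSS's SYN from port 12345": Segment(CUST, 5060, BSS, 12345, frozenset({"SYN", "ACK"})),
    "SIP response on that same connection": Segment(CUST, 5060, BSS, 12345, frozenset({"PSH", "ACK"})),
    "new connection attempt to BSS:12345": Segment(CUST, 5060, BSS, 12345, frozenset({"SYN"})),
}

POSTED = [Rule(CUST, BSS, dport=5060)]                                  # the ACL as posted
WITH_RETURN = POSTED + [Rule(CUST, BSS, sport=5060, established=True)]  # plus return traffic

def evaluate(acl):
    """Permit/deny decision for each sample segment, in TRAFFIC order."""
    return [permitted(acl, seg) for seg in TRAFFIC.values()]

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("with established", WITH_RETURN)):
        for label, ok in zip(TRAFFIC, evaluate(acl)):
            print(f"{name:17} {'permit' if ok else 'deny  '} {label}")
```

A flag-only match is not connection tracking: it passes any segment from that host and port with ACK or RST set, so a stateful inspection rule is the stricter way to admit return traffic.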