
【NSF】One-way communication in VoIP

Problem Description

When ALG is enabled, VoIP calls can be successfully initiated. However, no audio is heard, resulting in one-way communication.

Handling Process

By using #show session, it was observed that the related traffic was being routed to the kernel.

Solution

  1. Navigate to Policies > Network Security > Anti-DoS/DDoS, and enable “This device protection.”
  2. Ensure that all “Scan Type” and “Attack Type” options are deselected. The action should be set to Log events only.

Root Cause

When an internal endpoint initiates a SIP call (such as sending an INVITE request), the AF establishes the corresponding NAT session. However, if the first RTP media packet from the peer arrives at the AF’s WAN interface before the corresponding DNAT session is created, the AF may classify this packet as traffic destined for the device itself.

If the destination port of this traffic is not explicitly opened on the AF, the packet may be treated as “access to an unopened port with no matching policy.” In such cases, even when the local DoS policy is configured to log only without blocking, the AF will still drop the packet by default. This results in the media stream being interrupted and causes a one-way audio issue.
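
The race described above, as a small Python model added here for illustration (not Sangfor code): it replays two timelines through a simplified WAN-side classifier, one where the DNAT session exists before the first RTP packet and one where the RTP packet wins the race. The addresses, ports, `Firewall` class and event format are constructed, and the rule that a flow first classified as device-bound stays bound to that session is an assumption drawn from the `show session` observation.

```python
from dataclasses import dataclass, field

FW_WAN_IP = "203.0.113.1"         # constructed documentation address
OPEN_LOCAL_PORTS = {443}          # constructed: ports the device itself listens on
PEER = ("198.51.100.9", 5004)     # constructed remote media endpoint
PHONE = ("192.168.1.20", 40000)   # constructed internal SIP endpoint

@dataclass
class Firewall:
    dnat: dict = field(default_factory=dict)        # (wan_ip, port) -> inside (ip, port)
    kernel_flows: set = field(default_factory=set)  # flows bound to the device itself

    def add_dnat(self, wan_port, inside):
        """Media DNAT session created for the call."""
        self.dnat[(FW_WAN_IP, wan_port)] = inside

    def wan_in(self, src, dst_port):
        """Classify one packet arriving on the WAN interface."""
        flow = (src, dst_port)
        if flow in self.kernel_flows:
            # Assumption: an existing device-bound session keeps matching.
            return "drop (existing local session)"
        if (FW_WAN_IP, dst_port) in self.dnat:
            return "forward to %s:%d" % self.dnat[(FW_WAN_IP, dst_port)]
        # No DNAT session yet: packet is treated as destined for the device.
        if dst_port in OPEN_LOCAL_PORTS:
            return "accept locally"
        self.kernel_flows.add(flow)
        return "drop (unopened port, no policy)"

def run(events):
    """Replay (time_ms, kind, args) events in time order; return RTP verdicts."""
    fw, verdicts = Firewall(), []
    for _, kind, args in sorted(events, key=lambda e: e[0]):
        if kind == "dnat":
            fw.add_dnat(*args)
        else:
            verdicts.append(fw.wan_in(*args))
    return verdicts

# DNAT session exists before the peer's first RTP packet arrives.
NORMAL = [(10, "dnat", (40000, PHONE)), (20, "rtp", (PEER, 40000)),
          (40, "rtp", (PEER, 40000))]
# Peer's first RTP packet reaches the WAN interface before the DNAT session.
RACE = [(10, "rtp", (PEER, 40000)), (20, "dnat", (40000, PHONE)),
        (40, "rtp", (PEER, 40000))]

if __name__ == "__main__":
    for name, timeline in (("normal", NORMAL), ("race", RACE)):
        print(name, run(timeline))
```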
