Yep, our Juniper just sees this stuff as IPsec. It looks like it in Wireshark too. Hard to tell what it is until you see the destination IP is T-Mo or whoever.

On Wed, Oct 25, 2017 at 11:17 Tim Tyler <[email protected]> wrote:

> Thomas,
>
> I can’t point you to a specific document they have, but I can share my summary ticket with PaloAlto on the matter. Tier one had no idea. It took Tier two to inform me of the differences in their platforms. Ultimately, I created an ingress policy for ipsec-esp application-default. Below is a copy and paste of the summary from PA:
>
> Comment:
> Hi Tim
>
> Here is a brief summary of the session that we had
>
> Issue
>
> Calling over wifi failing, the traffic works only when there is an explicit rule that allows the return traffic
>
> Troubleshooting
>
> We saw that the traffic was identified as ipsec-esp
> We were on a 5220 platform
> The 5200 series of firewalls has architecture that is similar to 7000 series
> As discussed we were made aware of an issue with the ipsec traffic handling on the 7000 series firewall, after internal investigation it was noted that this was expected behavior on the platform as the offload processor needs to do initial flow lookup, with IP addresses and SPI in the packet as the key.
> The offload processor cannot distinguish PANOS terminated ESP/AH sessions vs. pass through. So PANOS has to create sessions with specific SPI values unlike other platforms and hence the requirement for a policy to allow the return traffic
>
> Let me know if you have any further questions or concerns on this
>
> -----------------------------------------------------
>
> Tim
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* McClintic, Thomas
> *Sent:* Wednesday, October 25, 2017 10:11 AM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Question regarding the support of WiFi Calling and texting
>
> Tim,
>
> Do you have anything with a link to this information from Palo Alto’s perspective? I.e. which protocols and such.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Tim Tyler
> *Sent:* Tuesday, October 24, 2017 11:08 AM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Question regarding the support of WiFi Calling and texting
>
> Vikki,
>
> What are you using for a firewall? We had to open up a couple ingress protocols after we upgraded our PA firewall. These protocols need to talk to servers on the Internet. PA’s latest models will block the handshaking unless ingress is open. We found this to be predominately true for Apple phones, but seldom for Androids. It also depends on the service. We have no complaints now.
>
> Tim
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Vikki Cutrone
> *Sent:* Tuesday, October 24, 2017 10:40 AM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Question regarding the support of WiFi Calling and texting
>
> We are running Eduroam as our SSID, my Android phone can use eduroam to make WiFi calls or texts, some users on campus, primarily Apple devices, cannot. I was wondering if campuses are maintaining a best effort posture/policy regarding BYODs?
>
> Thanks
>
> On Tue, Oct 24, 2017 at 11:33 AM, Yahya M. Jaber <[email protected]> wrote:
>
> Can you give us an example of the issues reported, so I can understand your issue more?
>
> Yahya Jaber.
> CCIE Wireless.
> 055-869-7555
> ITNC Engineering.
> KAUST.
>
> On Oct 24, 2017 17:25, Vikki Cutrone <[email protected]> wrote:
>
> I am the Network Administrator at Vassar College and I was wondering what position institutions were taking regarding support and troubleshooting of clients trying to use the wireless for wifi calling and wifi texting? I am getting a large amount of requests for this service but with the multitude of cell phones, operating systems and cell providers it is impossible to keep up. Any input about your institution's policy or thoughts on a potential policy would be greatly appreciated.
>
> Thank you in advance!
>
> --
> Vikki Cutrone
> Network Administrator
> Vassar College, Box 13
> 124 Raymond Ave
> Poughkeepsie, NY 12604-0013
> 845-437-7231
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
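
The session lookup described in the Palo Alto ticket summary quoted above, as a simplified model added here (not code from the thread or from Palo Alto). The addresses and SPI values are constructed samples, and the address-only lookup used for contrast is an assumption about how a platform that does not key on the SPI might behave.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP

def esp_packet(src, dst, spi, seq=1):
    """Build a minimal IPv4 + ESP header (constructed sample, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ESP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!II", spi, seq)

def parse(pkt):
    """Return (src, dst, proto, spi); spi is None for non-ESP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0] if proto == ESP else None
    return src, dst, proto, spi

def spi_keyed_match(outbound, inbound):
    """Session keyed on (src, dst, SPI), as the ticket describes."""
    src, dst, _, spi = parse(outbound)
    # The outbound packet only reveals its own SPI, so a reverse entry can
    # swap the addresses but cannot predict the SPI the peer will send.
    sessions = {(src, dst, spi), (dst, src, spi)}
    rsrc, rdst, _, rspi = parse(inbound)
    return (rsrc, rdst, rspi) in sessions

def address_keyed_match(outbound, inbound):
    """Assumed contrast: session keyed on the address pair and protocol only."""
    src, dst, proto, _ = parse(outbound)
    rsrc, rdst, rproto, _ = parse(inbound)
    return (frozenset((src, dst)), proto) == (frozenset((rsrc, rdst)), rproto)

def return_allowed(match_fn, outbound, inbound, ingress_esp_rule):
    """A session miss sends the inbound packet to policy evaluation."""
    return match_fn(outbound, inbound) or ingress_esp_rule

# Constructed sample: handset inside, carrier gateway outside. Each direction
# of an ESP tunnel is a separate SA with its own SPI.
OUT = esp_packet("10.20.30.40", "203.0.113.10", spi=0x1A2B3C4D)
IN = esp_packet("203.0.113.10", "10.20.30.40", spi=0x9F8E7D6C)

if __name__ == "__main__":
    for name, fn in (("SPI-keyed", spi_keyed_match), ("address-keyed", address_keyed_match)):
        print(name, "return matches session:", fn(OUT, IN))
    print("SPI-keyed with ingress ipsec-esp rule:", return_allowed(spi_keyed_match, OUT, IN, True))
```

In this model the inbound ESP packet misses the SPI-keyed session because its SPI differs from the outbound one, so it passes only when an ingress rule for ESP exists, which matches the workaround reported in the thread.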
