SIP packets are dropped by IPS with "Malformed SIP datagram - Invalid or no 'CSEQ' field" log in SmartView Tracker
Symptoms
  • SmartView Tracker logs show that SIP packets are dropped by IPS:

    Product: IPS
    Protocol: udp
    Attack: Malformed SIP datagram
    Attack Information: Invalid or no 'CSEQ' field
    


  • Kernel debug ('fw ctl debug -m fw + conn align') shows:

    ;fwconn_lookup_other_ex: conn <dir 0, IP_Address_of_SIP_Server:5060 -> IP_Address_of_SIP_Client:Some_Port IPP 17>
    ;sip_get_packet_type: returned unknown;;
    ;fwk_get_val_ex_do: dlen = 0, header_end_index = 0;
    ;fwk_get_val_ex_do: couldn't find \r\nCSeq;
    ;sip_check_req_mandatory_fields: no Cseq;
    ;sip_send_log_bad_conn_ex : Sending log with info Invalid or no 'CSEQ' field;
    ;fwconn_lookup_other_ex: conn <dir 0, IP_Address_of_SIP_Server:5060 -> IP_Address_of_SIP_Client:Some_Port IPP 17>
    ;sip_get_call_id_and_user_from_packet: sip_check_req_mandatory_fields returned drop;
    ;sip_earlynat_get_source_port: failed: no call_id/user;
    ;fw_log_drop: Packet proto=17 IP_Address_of_SIP_Client:Some_Port -> IP_Address_of_SIP_Server:5060 dropped by fw_early_sip_nat Reason: failed to get SIP port;
    
Cause

Possible reasons:

  1. Security Gateway drops SIP packets whose payload contains only "\r\n" or "\r\n\r\n". Such packets are SIP keep-alive packets and do not contain the "CSeq" (Command Sequence) field.
  2. Security Gateway drops SIP packets that do not comply with the RFC.

Notes:

  • IPS blade does not have to be enabled to experience these symptoms. Some IPS related code is active even if the IPS blade is disabled.
  • Setting the 'Protocol Type' in the SIP service properties to 'None' may not resolve this issue.
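
To tell which of the two possible reasons applies to a packet taken from a capture, its UDP payload can be classified offline. The script below is an added example, not Check Point code: the function name, result labels and sample payloads are constructed, and the CSeq checks follow RFC 3261 rather than the gateway's actual inspection logic.

```python
import re

# CSeq value: sequence number, whitespace, method (uppercase methods only, a simplification).
CSEQ_VALUE = re.compile(r"^(\d{1,10})[ \t]+([A-Z]+)$")
START_LINE = re.compile(r"^(?:SIP/2\.0 \d{3} .*|([A-Z]+) \S+ SIP/2\.0)$")

def classify_sip_payload(payload: bytes) -> str:
    """Return 'keep-alive', 'ok', 'not-sip', 'no-cseq' or 'bad-cseq'."""
    # Reason 1 on this page: the payload is only "\r\n" or "\r\n\r\n".
    if payload in (b"\r\n", b"\r\n\r\n"):
        return "keep-alive"
    head = payload.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    # Unfold continuation lines (a header line that starts with space or tab).
    head = re.sub(r"\r\n[ \t]+", " ", head)
    lines = head.split("\r\n")
    start = START_LINE.match(lines[0])
    if not start:
        return "not-sip"
    cseq = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cseq":  # header names are case-insensitive
            cseq = value.strip()
            break
    if cseq is None:
        return "no-cseq"
    m = CSEQ_VALUE.match(cseq)
    # RFC 3261: the sequence number must be less than 2**31.
    if not m or int(m.group(1)) >= 2**31:
        return "bad-cseq"
    # In a request, the CSeq method must match the request-line method.
    if start.group(1) and start.group(1) != m.group(2):
        return "bad-cseq"
    return "ok"

# Constructed sample payloads (documentation addresses, not taken from a real capture).
SAMPLES = [
    b"\r\n\r\n",
    b"\r\n",
    b"REGISTER sip:example.com SIP/2.0\r\nCall-ID: a1@192.0.2.10\r\nCSeq: 1 REGISTER\r\n\r\n",
    b"OPTIONS sip:example.com SIP/2.0\r\nCall-ID: a2@192.0.2.10\r\n\r\n",
    b"INVITE sip:bob@example.com SIP/2.0\r\nCSeq: 3 BYE\r\n\r\n",
    b"SIP/2.0 200 OK\r\ncseq: 7 INVITE\r\n\r\n",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{classify_sip_payload(p):10} {p[:40]!r}")
```

A 'keep-alive' result points to reason 1, while 'no-cseq', 'bad-cseq' and 'not-sip' point to reason 2 (traffic that does not comply with the RFC).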
