Issue:

A customer reported that Teams calls would intermittently “Drop” at random points in a call with error “Hold On, looks like something went wrong. We’re trying to get you back on the call.”

 

Architecture:

Users are housed in Teams Online however calls are routed back on premise via an SBC then back out to the internet. A Barracuda F180 firewall separates the internal and external network.

 

Solution:

We identified the on-premise Barracuda F180 firewall had the IPS (Intrusion Prevention System) enabled and proceeded to check the Threat Scan logs, Within the logs we spotted numerous entries for “Unallowed Port Protocol Detected” for the STUN Protocol all appearing to come from the Microsoft Azure Data Centre. Some research later we discovered the STUN protocol is used in several different network implementations, one of which is VoIP. STUN is used to resolve the public IP of a device running behind a NAT, to solve problems such as one-way audio during a phone call or phone registration issues when trying to register to a VoIP or an IP PBX residing on a different network.

We played with disabling the IPS system temporarily and discovered the calls issue went away, with this in mind we attempted to create an override in IPS for this traffic and then re-enable it however discovered that this particular alert is not something you can simply override. A forwarding rule was setup to route internal traffic out to the internet via HTTP/HTTPS, fairly standard practice for client networks however the default HTTP+S service being used had the “Report” action for “Prohibited Protocols” configured within the Service Entry Parameters. To solve this the default HTTP+S service was removed and a custom one added for ports 80/443 with the “Action for prohibited Protocols” set to “No Protocol Detection”. This proceeded to resolve the intermittent issue.

We later discovered the customer had recently updated the firmware version of the firewall which included a fix for port protocols “Port protocol protection now drops all packets for unallowed protocols as expected.” Hence why the issue had only recently started occurring.

Hope this helps.

About the author