Troubleshooting Questions

1. Media does not work when the RTSP ALG is configured. What do I do?
   • Check RTSP conversations to see whether both TCP and UDP flows exist.
   • The ALG protocol should be displayed as rtsp.

   Note: The state of the flow is displayed as Watch, because the ALG processing is taking place and the client is essentially “watching” or processing payload corresponding to the application. For FTP and RTSP ALG flows, the control connections are always Watch flows.

2. How do I check for ALG errors?
   • You can check for errors by issuing the following command. Each ALG has a separate field for ALG packet errors.
     user@host# show services stateful-firewall statistics extensive

     Interface: sp-3/2/0
       Service set: svc_set
         New flows:
           Accepts: 1347, Discards: 0, Rejects: 0
         Existing flows:
           Accepts: 144187, Discards: 0, Rejects: 0
         Drops:
           IP option: 0, TCP SYN defense: 0
           NAT ports exhausted: 0
         Errors:
           IP: 0, TCP: 276
           UDP: 0, ICMP: 0
           Non-IP packets: 0, ALG: 0
         IP errors:
           IP packet length inconsistencies: 0
           Minimum IP header length check failures: 0
           Reassembled packet exceeds maximum IP length: 0
           Illegal source address: 0
           Illegal destination address: 0
           TTL zero errors: 0, Illegal IP protocol number (0 or 255): 0
           Land attack: 0
           Non-IPv4 packets: 0, Bad checksum: 0
           Illegal IP fragment length: 0
           IP fragment overlap: 0
           IP fragment reassembly timeout: 0
           Unknown: 0
         TCP errors:
           TCP header length inconsistencies: 0
           Source or destination port number is zero: 0
           Illegal sequence number and flags combinations: 0
           SYN attack (multiple SYN messages seen for the same flow): 276
           First packet not a SYN message: 0
           TCP port scan (TCP handshake, RST seen from server for SYN): 0
           Bad SYN cookie response: 0
         UDP errors:
           IP data length less than minimum UDP header length (8 bytes): 0
           Source or destination port number is zero: 0
           UDP port scan (ICMP error seen for UDP flow): 0
         ICMP errors:
           IP data length less than minimum ICMP header length (8 bytes): 0
           ICMP error length inconsistencies: 0
           Duplicate ping sequence number: 0
           Mismatched ping sequence number: 0
         ALG errors:
           BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
           DNS: 0, Exec: 0, FTP: 0
           H323: 0, ICMP: 0, IIOP: 0
           Login: 0, NetBIOS: 0, NetShow: 0
           Real Audio: 0, RPC: 0, RPC portmap: 0
           RTSP: 0, Shell: 0, SIP: 0
           SNMP: 0, SQLNet: 0, TFTP: 0
           Traceroute: 0