- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGate 60D Site-to-Site VPN loses VoIP packets
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate 60D Site-to-Site VPN loses VoIP packets
Hi all,
I'm very new to this forum so I want to say hello to everyone first and I'd be very happy if I can get some help here :)
We have 4 Sites, all connected to each other (mesh) via Site-to-Site IPsec VPN Tunnels. Everything works without problems except one thing:
Let's say site B is using VoIP phone system over site A. In site A all phones are working without interruptions, but site B faces the issue of phones go offline and then reconnecting themselves. I monitored with the sniffing option and found that VoIP packets some-when just aren't transmitted for at least 40s. Usually it's running fine, they can do phone calls etc. but then irregularly packets aren't sent anymore.
I've monitored the connection between the phone system (192.168.8.30) and one desk phone (192.168.12.50). In the attached picture you can see the packets which are transferred (left side is site A, right side is site B).
For any help to find out more about this problem I'd be very happy as this is very annoying :(
If you need more information, just let me know! The tunnels are set up to allow traffic between sites without any logging / filters or anything like this. The only thing is a traffic shaper which gives priority to the VoIP.
Thanks and best regards
Wuschy
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any bandwidth saturation points in-between? In other words, when you keep pinging one subnet to the other, do you lose any responses when VoIP packets stop flowing?
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any bandwidth saturation points in-between? In other words, when you keep pinging one subnet to the other, do you lose any responses when VoIP packets stop flowing?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, no ping packets are lost (sorry, I could have written this, as it was the first thing I tested :))
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the mean time I made another test:
Pinging while sniffing to see the issue live! (see attachment) The green side is Site A, blue side Site B. Time on Site B is delayed by about 1s, but you can see that we have Ping Packets delivered from Site A to Site B (which are received) and undelivered SIP packets on Site A!
Many thanks for any help :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then SIP session helper or ALG might be acting up. Have you put the measure in place to disable it?
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36405
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I high doubt it's a session helper since you say it works but you have intermit problems.
If you have PLOS ( packet loss ) that needs to be corrected 1st. Plos is going to be ready found with SLA check , ping ( as what you did none ) and will show up in lost SPI sequnces between von-peers.
Going back to what was asked earlier, do you have any link saturation issues at the time of the interruptions? Do you have any QoS priority queuing set to allow EF for real-time traffic?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Many thanks for feedback. As far as I know, I already implemented this. How-ever, I'm not 100% sure about the second step. And it looks like I can't "get" the default-voip-alg-mode, so I just did it again. Will reboot the FWs today evening and let you know latest by end of this week if it helped!
Best regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Emnoc,
Many thanks for your feedback too! I feel like a greenhorn as I need a little more help on this!
What exactly do you mean by "SLA check" and how can I find lost SPI sequences?
Last thing I did was according to this instruction:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33101
But no invalid ESP packets were found!
Can you describe what you mean by link saturation issues?
Where can I check the QoS Queuing? The traffic shaper monitor shows "No data" which surprises me a bit!
Best regards & many thanks for your help
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What exactly do you mean by "SLA check" and how can I find lost SPI sequences? Last thing I did was according to this instruction: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33101 But no invalid ESP packets were found!
You can build a link-monitor on the fortigate or if you have any modern cisco or similar switches you can craft a IP-SLA and with traffic flow matching the VoIP packets ( i.e TOS packetsize,etc....). Cisco IP-SLA would be the best approach for finding or alerting on poor voice bearer path
reference my blog post
http://socpuppet.blogspot.com/2014/11/using-cisco-ip-sla-for-udp-jitter-and.html
for traffic bw usage;
http://socpuppet.blogspot.com/2014/09/howto-find-out-how-many-bps-policy-is.html
For dropped ESP packets it best to conduct spot-checks with packet captures, than play them back via wireshark/tshark with the esp display filter ( esp.sequence ). You will have to do some work to find out if you have dropped but a few clues are;
refernce
http://socpuppet.blogspot.com/2015/02/esp-replay-window-enabling-disable.html
1: when the SEQ# is skipped or missed that's a dropped ( check bi-directional )
2: when the SEQ# is out-of-order that's not a dropped just packets out-of-order probably due to multi-path routes or other layer3 issues
Can you describe what you mean by link saturation issues? Where can I check the QoS Queuing? The traffic shaper monitor shows "No data" which surprises me a bit!
During the time of poor or dropped voice calls, hows your internet uplinks on bandwidth? Do you apply any priority for voice traffic flows for the call-path.
You will have todo some investigative work but if you can conduct a pcap capture on both ends, you can easily find out if drops are occurring and in what direction. Drops are going to be a big headache and reduce MoS scores.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problem here, two sites connected with 60D IPsec VPN. The VPN tunnel stays up and running. But, the VPN tunnel stops passing traffic, about 3 ping drops, sometimes, which is a headache for real-time voice traffic (no sound or even IP Phone reboots). In the mean time, both sites' WAN and LAN interfaces are good and diag debug app ike -1 shows nothing wrong.
Related Posts
- Fortigate SIP translation malefunction 80 Views
- Packet duplication not done in session... 126 Views
- Trying to understand the packet flow... 313 Views
- Configuring security profiles Fortigate 472 Views
- VPN intermittent traffic lost, found reverse... 841 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.