- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SIP over VPN on 5061 and wrong policy used...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIP over VPN on 5061 and wrong policy used...
I create a client VPN for forticlient and Ios.
There are the right policy to reach my lan from VPN an from LAN to VPN.
In my LAN I deployed a PBX with SIP on port 5061.
When I connect from internet to my network with VPNc all service work but no softphone is able to connect to PBX.
In fortiguard, filtering by IP, I can see all the sessions open from VPNc to LAN. All sessions use the correct policy.
The session on port 5061 uses a different policy and it does not have anything to do with it (different Interface, another P2P VPN).
You can see in the attached image the wrong policy. The row is the only row without Source Interface...
Any suggestion?
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a proper set of route&policy toward VPNs? One way policy generally work for mobile applications like server/service remote accesses but not for phone services.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You keep on saying you have the right policy, have you ran cli diag debug flow and against one of your phone devices to confirm ?
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are policies, there are the right routes...
I think the problem is in session helper...
id=20085 trace_id=41 func=print_pkt_detail line=4930 msg="vd-root received a packet(proto=17, 172.16.100.100:5061->192.168.2.88:5061) from XDN_FC_0. "
id=20085 trace_id=41 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-06726330, original direction"
id=20085 trace_id=41 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.2.88 via wan1"
id=20085 trace_id=41 func=__ip_session_run_tuple line=2956 msg="run helper-sip(dir=original)"
I set up protocol SIP on 5060 port. I don't know if I have to set or I can set another SIP protocol in session helper...
Graziano.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If phones are connected via VPNs, session helper/SIP ALG is not needed and regularly mishandles RTP ports. We had to do that for our customers by following below:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
toshiesumi wrote:If phones are connected via VPNs, session helper/SIP ALG is not needed and regularly mishandles RTP ports. We had to do that for our customers by following below:
Phones are connected to VPN. But I experiment problems only with 5061. With 5060 no problem. Now I activate CHAN_PJSIP in Asterisk on 5060 for softphone in the mobile phone and all works like a charm...
5060 OK
5061 wrong policy...
My pbx goes via VOIP in internet throught 5060.
Session helper is enable.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, then it's not just turning on/off helper. As emnoc/Ken suggested, you need to debug much into the detail w/ diag debug flow. At this moment, I suggest you open a ticket with TAC and get help from them. It's more than Forum can help without seeing/touching actual configuration and unit.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So do os a favor review the SIP session helper details
config system session-helper
show | grep -i -C 5 sip
Can you provide us that detail? And then do a test and modify it to 5061 and test? Do you know why they are using 5061 and no 5060 for SIP control-channel?
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- Fortigate SSLVPN with DUO MFA -... 28 Views
- Two different websites (domains) on two... 71 Views
- FortiAuthenticator Realms 92 Views
- Import MAC address list into address... 84 Views
- access problems towards vpn s2s 138 Views
Labels
-
FortiGate
6,503 -
FortiClient
1,299 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.