Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zanga_ouattara
New Contributor

SIP phone can't fallback to cucm due to fortigate

Hi Experts,

 

Can you please Helps me solve this Issue.

 

I have a fallback issue with my sip due to fotigate firewall. 

cisco sip phones goes in srst mode when wan connection is down. I have to manually reboot the phone to  get it register back to CUCM.

The when removing the fortigate ( isolating) from the architecture, phone in srst mode fallback to CUCM automatically.

 

when capturing trafic on incoming ports and outgoing port i can see that the sip trafic send by the phone  (received on the incomming port ) is not arriving on the outgoing port.

I have allowed "all" as service between both interfaces but sip still can get register back automatically.

 

Is there any thinght else that can bloc the sip traffic ?

 

Thanks in advance for your help

 

regards

Zanga

7 REPLIES 7
prav316
New Contributor

Good day,

 

Were you ever able to get this working? My campus is having the same issue as described.

zanga_ouattara

Hello,

 

Yes I resolved Mine.

can you please Run the debbug flow and share the output ?

https://kb.fortinet.com/kb/documentLink.do?externalID=FD33882

Regards,

 

Zanga 

 

Certified

CCNP|PCNSE|NSE4

 

prav316

I'll do so ASAP, but in the meantime is there something specific you had to fix?

prav316

Here are the debugs:

10.117.48.100 - IP Phone

10.253.48.11 - Call manager

 

 

TTPOSOCFW02 # id=20085 trace_id=89 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.117.48.100:51801->10.253.48.11:5060) from ADVPN_1. flag [.], seq 1239652383, ack 504930088, win 1825" id=20085 trace_id=89 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-000138af, original direction" id=20085 trace_id=89 func=av_receive line=301 msg="send to application layer" id=20085 trace_id=90 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.253.48.11:5060->10.117.48.100:51801) from local. flag [.], seq 504930088, ack 1239653238, win 6" id=20085 trace_id=90 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-000138af, reply direction" id=20085 trace_id=90 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-ADVPN_1" id=20085 trace_id=90 func=esp_output4 line=897 msg="IPsec encrypt/auth" id=20085 trace_id=90 func=ipsec_output_finish line=532 msg="send to 192.65.161.1 via intf-port1"

Fraggle

Hi,

I had the same issue and solve it by disabling sip-proxy, but I'm interesting to get it work with proxy.

I saw dropped packets counter with "diagnose sys sip-proxy stats list" at the line named REGISTER.

To disable do:    system settings -> set default-voip-alg-mode kernel-helper-based

 

Best regards, 

      Peter

FCNSP, CISSP

FCNSP, CISSP
rcasinillo

when I  set default-voip-alg-mode kernel-helper-based SCCP phones are working but SIP phones are still not registering.

rcasinillo

Hi. I setup the same, in the beginning it's working fine until I shut the tunnel for testing, when I turn it up, my SIP IP Phone couldn't register anymore. How you resolve it. Thanks.

Labels
Top Kudoed Authors