- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- VoIP Problems
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VoIP Problems
Hi
My first post, so go easy on me...;)
We have a client with a Fortigate 50E running firmware 5.6.8 build 1672 (GA). On the LAN side of the network they have just installed an LG Ipecs PBX phone system. This has a fixed IP of 6.0.1.150.
The issue is this;
When a LAN side user makes a call to an external destination, the external destination cannot hear the LAN side caller. The LAN side caller can hear the external user. If an external user calls a LAN side user, everything is fine.
The setup:
I have created multiple Virtual IP's that port forward all the relevant UDP/TCP traffic to the PBX and added them to a Virtual IP Group called LG_Phone_System
I have create the following inbound policy;
Incoming Interface: WAN1
Outgoing Interface: LAN
Source: all
Destination: LG_Phone_System (VIP Group)
Schedule: Always
Action: Accept
NAT: Enabled
There are no security profiles applied to this rule.
I have created the following outbound policy;
Incoming Interface: LAN
Outgoing Interface: WAN1
Source: LG_PBX (this is defined as an address object using 6.0.1.150/32 )
Destination: All
Schedule: Always
Action: Accept
NAT: Enabled
There are no security profiles applied to the rule
I have ran the following commands on the CLI to disable the SIP ALG
Config system settings
Set sip-helper disable
Set sip-nat-trace disable
config system session-helper
show
delete 13 (SIP Entry)
config voip profile
edit default
config sip
set rtp disable
config system settings
set default-voip-alg-mode kernel-helper-based
Have rebooted several times but always have the issue outlined at the top. If I replace the Fortigate with a Draytek 2672 everything works fine.
I would welcome any help. I have put in a support ticket with Fortinet but haven't had any response for four days, so hoping for better luck on here.
kind regards
Phil
kind regards Phil
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got same issue, did You find out solution?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Phil M and Looki,
I don't have experience with this specific VoIP solution but here are some things you can try... These will take a while but they will eventually help solve your issue so get some coffee. :)
[ol]
With the debug logs you've captured, you should be able to learn more about what's happening on the 'Gate itself.
I know troubleshooting VoIP is a PITA and I'm sorry I don't have the immediate answer to fix this out of the box but hopefully this will put you on the right path.
Good luck!
Sean (Gr@ve_Rose)
Site: https://tcpdump101.com
Twitter: https://twitter.com/Grave_Rose
Reddit: https://reddit.com/r/tcpdump101
Site: https://tcpdump101.com
Twitter: https://twitter.com/Grave_Rose
Reddit: https://reddit.com/r/tcpdump101
Discord: https://discordapp.com/invite/2MZCqn6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would typically disable NAT on the WAN > LAN rule
Also, you may need to disable the VOIP profile whereas you only disabled rtp:
config voip profile edit default config sip
set status disable
Or, it's not always full disabling of SIP ALG that's required. There are occasions where you need to disable most of it, but leave the voip profile and rtp enabled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm confused
Why did you disable the SIP ALG ? And how would expect the fortigate to work ?
Did you read the FTNT KB . https://kb.fortinet.com/kb/documentLink.do?externalID=FD36405
FWIW, I'm on FWE50E ( 6.0 ) and have the same setup ( but in reverse ) and with sip-alg enable
If you look at the SIP invite and media-port the rtp-stream is broken since the firewall has not open the dynamic pinhole that's is required for SIP.
Also double check if you SIP signaling is or not using std 5060 port.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- access problems towards vpn s2s 10 Views
- FortiClient Automatisierung (PAM) 76 Views
- IPsec tunnel stability issue - two... 180 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 180 Views
- Adding Standalone FortiSwitch to FortiManager Problem 154 Views
Labels
-
FortiGate
6,490 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.