Skip to main content
gmanea
Staff
gmanea
Staff
January 22, 2016

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

  • January 22, 2016
  • 0 replies
  • 86953 views

Description

 
This article describes how to confirm if SIP traffic is being handled by SIP ALG or by SIP session-helper.
 
Scope
 
FortiGate.


Solution


By default, FortiGate uses SIP ALG to process SIP traffic. Verify it by checking the configuration and counters:

 

FortiGate # show full system setting | grep default-voip-alg-mode
set default-voip-alg-mode proxy-based

Proxy-based         <----- Default SIP ALG mode.
Kernel-helper-based <----– SIP session helper.

 

To verify counters based on the mode:

 

  1. If SIP Sessions Helper is handling the SIP traffic, the command below will display counters:

    FortiGate # diagnose sys sip status
    dialogs: max=131072, used=0
    mappings: used=0
    dialog hash by ID: size=8192, used=0, depth=0
    dialog hash by RTP: size=8192, used=0, depth=0
    mapping hash: size=8192, used=0, depth=0
    count0: 0
    count1: 2
    count2: 10
    count3: 0
    count4: 0

  2. If SIP ALG is handling the SIP traffic, the command below will display counters:

FortiGate # diagnose sys sip-proxy stat

sip stats

vdom name: root
---------------------------
     active-sessions: 1
     calls-attempted: 57
     calls-established: 27
     calls-failed: 30

     calls-active: 0
     registers-active: 1
              |     received  |     blocked   |  unknown form |  long headers
     req-type |    req    resp|    req    resp|    req    resp|    req    resp
     UNKNOWN         0   47227       0   47227       0   47227       0       0
     ACK            86       0       0       0       0       0       0       0
     BYE            27      27       0       0       0       0       0       0
     CANCEL         14      14       0       0       0       0       0       0
     INFO            0       0       0       0       0       0       0       0
     INVITE        107     223       0       0       0       0       0       0
     MESSAGE         0       0       0       0       0       0       0       0
     NOTIFY       5789    5788       0       0       0       0       0       0
     OPTIONS         0       0       0       0       0       0       0       0
     PRACK           0       0       0       0       0       0       0       0
     PUBLISH     10371     802       0       1       0       0       0       0
     REFER           2       2       0       0       0       0       0       0
     REGISTER   100678   81543      25       0      25       0       0       0
     SUBSCRIBE   19857   13333       0       2       0       0       0       0
     UPDATE          0       0       0       0       0       0       0       0
     PING            0       0       0       0       0       0       0       0

 

To verify based on the session created by the SIP port :

 

First filter and display the session:

 

diagnose sys session filter dport 5060

diagnose sys session filter dst x.x.x.x (public IP of the SIP provider)

diagnose sys session list

 

Then look for the flags:

 

  1. If the session has an 'ndr' flag -> flow SIP (ips) handles the traffic.
  2. If the session has 'redir' and 'local' flags -> SIP ALG handles the traffic (as long as the DST port of the session matches the SIP port under system.settings in FortiGate).
  3. If the session only has "helper=sip" -> SIP kernel helper (session-helper) handles the traffic.
  4. If the session has 'helper=20' or 'helper=24' -> SIP ALG handles the traffic.
  5. If session has both i.e. 'redir' and 'local' flags, and 'helper=sip' -> SIP kernel helper does nothing when it finds the session has 'redir' and 'local' flag.

 

Related documents:

    Terms & ConditionsCookie settingsAccessibility statement