Skip to main content
JcvnStdn
JcvnStdn
Visitor III
November 26, 2021
Solved

3CX VoIP issues - Resolved...

  • November 26, 2021
  • 1 reply
  • 23156 views

{Forti OS 7.0.2}

One Way Audio, Scratchy Voice and missing voice issues.

Recently provisioned a new 3CX server and installed a new 60F Fortinet onsite for a customer. I setup all the usual forwarding rules and it PASSED the 3CX Firewall checker. At this point the customer was experiencing quite a lot of one-way audio and scratchy voice calls. Almost every forum says only disable SIP ALG but it didn’t help, after a week of digging and consulting with other SME’s I found a solution that worked. I applied it to 3 sites, and all are now operational.

 

Creating a VIP -

Go to Policy & Objects > Virtual IPs > Create New

Fill out the information accordingly for each port required (note you can specify interface)

JcvnStdn_0-1637886502240.png

 

Once you’re done add all the created VIP’s to a Group -

JcvnStdn_1-1637886502245.png

 

Create a Service

Go to Policy & Objects > Services and create a new Service and Specify your 3CX Server

JcvnStdn_2-1637886502249.png

Create a VoIP priority shaper

Go to Policy & Objects > Traffic Shapers and create new.
Set Type to Shared.
Set Apply shaper to Per Policy.
Set Traffic Priority to High.
Enable Max Bandwidth and specify your max bandwidth

JcvnStdn_3-1637886502251.png


Enable DSCP with 101110 specified
{DSCP enables a scalable service difference in the IP network without the need for per-flow state and signaling at every hop. Networks can then utilize DSCP shape and tag the traffic to action priority-based queuing. DSCP is a number in the range from decimal value 0 to 63 that is placed into an IP packet to mark it according to the class of traffic it belongs in. The following table defines the relationship between service classes and DSCP markings.}

JcvnStdn_4-1637886502254.png

 

Then go to Policy & Objects > Traffic Shaping Policy and Create New and apply your Service and Shaper.

JcvnStdn_5-1637886502256.png


JcvnStdn_6-1637886502258.png

 

(packet capture shows it is applied)
Go to Dashboard > Users and Devices > click on devices and Create firewall device for each phone

JcvnStdn_7-1637886502260.png

 

Go to Policy & Objects > Firewall Policy Create new, specify your Interfaces & Source, enable NAT and set Preserve Source Port

JcvnStdn_8-1637886502263.png

 

Now create your VIP policy, specify your interfaces and your VIP group & disable NAT.

JcvnStdn_9-1637886502266.png

 

Disable SIP ALG

Edit your Config so Session helper by removing 13, 19 and 20
config system session-helper
delete 13 (find SIP or MCGP)
delete 19 (find SIP or MCGP)
delete 20 (find SIP or MCGP)
end

Then Config System Settings

config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
set sip-nat-trace disable
end
exit

Clear all sessions or Reboot the device

Ideally you need one to one NAT (IP Pool) but if you have only one Public IP it causes a few other issues. So, leave the configs as is and you should be good.

Now after doing the following, I reduced / removed all scratching and no sound issues on the 3CX on-prem system. I have been running and listening to recordings and no issues.

 

I don't know if this is an issue for anyone else. Just thought I'd share.


References
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/Inside.htm
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/459043/configuring-differentiated-services
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-traffic-shaping-54/TS_Configuration/TS_ToS_DSCP.htm
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-VIP-range-for-SNAT-and-static-1-to-1-mapping/ta-p/191894?cmd=displayKC&docType=kc&externalId=FD31893

 

 

 

 

    Best answer by AlexC-FTNT

    I actually thought you know what you have configured and what traffic prioritization means (Traffic shaper / Differentiated Services Code Point). This is why the audio quality improved, and not because of the SIP inspection performed. That is another issue you had, for another discussion.
    It is important not to mix the two, because the fix can be easily confused as well (and already happened in reference to this article).

    1 reply

    AlexC-FTNT
    Staff
    AlexC-FTNT
    Staff
    December 12, 2021

    NOTE: This topic shows SIP traffic prioritiziation trough DSCP and traffic shaper! It should apply for voice quality issues only (not for missing voice, incomplete calls, or one-way audio)

    This gives a nice example of implemeting shapers and DSCP, but is NOT a setup guide or official KB for configuring SIP traffic over FortiGate! 
    Disabling SIP-ALG and/or deleting SIP session-helper is NOT the first thing to do, and surely not the only thing to take from this article, when voice quality is degraded.

      JcvnStdn
      JcvnStdnAuthor
      Visitor III
      December 12, 2021

      I understand the principal, but explain why the issues disappeared after the the changes were made? We have about 35 3CX servers with various clients.

       

      We are using Mikrotiks and phasing out and replacing with Fortinets. Issues only started occurring once the Fortinets were installed. And after the changes were made it stopped occurring? 

       

      I'm not saying this is gold or perfect but it works at 13 of the sites where this was rolled out. 

      AlexC-FTNT
      Staff
      AlexC-FTNTAnswer
      Staff
      December 13, 2021

      I actually thought you know what you have configured and what traffic prioritization means (Traffic shaper / Differentiated Services Code Point). This is why the audio quality improved, and not because of the SIP inspection performed. That is another issue you had, for another discussion.
      It is important not to mix the two, because the fix can be easily confused as well (and already happened in reference to this article).

      Terms & ConditionsAccessibility statement