Skip to main content
Igneus
Igneus
Explorer
August 20, 2025
Solved

Issues with NATed SDP headers through FortiGate 80F (v7.4.8) in VoIP setup with SD-WAN

  • August 20, 2025
  • 3 replies
  • 782 views

Hi community,

I have the following VoIP setup:

Avaya IP Office v2 --- FG-80F --- ISP1 / ISP2 (SD-WAN)


My goal is to configure a simple failover, where the FortiGate automatically switches to the secondary ISP if the primary link goes down.

However, I’m running into the following issues:

 

With SIP helper / SIP ALG enabled:

Once the SIP communication is established (INVITE, ACK, etc.), the SIP ALG forces the voice traffic to go out through the failover link (ISP2), even though it should stay on the primary.

This breaks the voice session.

I’ve tried separate rules and SD-WAN policy routes, but the issue persists.

 

With SIP helper disabled (no ALG):

The SIP/SDP packets are sent out through the correct WAN link.

However, the SDP headers are not NATed and still carry the LAN IP address.

As a result, packets reach the destination but the remote side cannot reply.

 

Has anyone faced a similar scenario?
I solved this problem configuring the wan ip on the avaya but just can set 1 of them so if my isp go down i have to manually set the other one
Is there a way to get the SDP headers properly NATed without enabling SIP ALG, or a best practice for handling VoIP with SD-WAN failover on FortiGate?

Thanks in advance for any guidance!

Best answer by Jean-Philippe_P

Hello again Igneus,

 

I found this solution. Can you tell me if it helps, please?

 

To address the issues you're facing with SIP and SD-WAN failover on FortiGate, you can follow these steps:

 

  1. SIP ALG Configuration: If SIP ALG is causing issues with traffic routing, you might want to disable it. However, this can lead to the problem of SDP headers not being NATed correctly.

  2. SDP NAT without SIP ALG: To ensure that SDP headers are properly NATed without enabling SIP ALG, you can configure a VoIP profile that disables SIP inspection but allows SDP NAT. Unfortunately, FortiGate does not natively support SDP NAT without SIP ALG. You might need to rely on the Avaya configuration to handle this, as you've done.

  3. SD-WAN Configuration:
    - Ensure that your SD-WAN rules are correctly set up to prioritize the primary ISP and only failover to the secondary ISP when the primary is down.
    - Use health checks to monitor the status of the primary link and trigger failover when necessary.

  4. VoIP Profile Configuration: Create a custom VoIP profile with SIP inspection disabled if you want to avoid SIP ALG issues:
    shell
    config voip profile
    edit "VoIP_ALG_Off"
    config sip
    set status disable
    set rtp disable
    end
    next

  5. Manual Configuration on Avaya: Since you mentioned configuring the WAN IP on the Avaya, consider using a dynamic DNS service or a similar solution to handle IP changes automatically if possible.

  6. Consult Fortinet Documentation: Review Fortinet's documentation and community forums for any updates or best practices related to handling VoIP with SD-WAN failover.

 

If these steps do not resolve the issue, you may need to consult with Fortinet support for more specific guidance tailored to your network setup.

3 replies

Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
August 24, 2025

Hello Igneus, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
August 25, 2025

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_PAnswer
Staff & Editor
August 26, 2025

Hello again Igneus,

 

I found this solution. Can you tell me if it helps, please?

 

To address the issues you're facing with SIP and SD-WAN failover on FortiGate, you can follow these steps:

 

  1. SIP ALG Configuration: If SIP ALG is causing issues with traffic routing, you might want to disable it. However, this can lead to the problem of SDP headers not being NATed correctly.

  2. SDP NAT without SIP ALG: To ensure that SDP headers are properly NATed without enabling SIP ALG, you can configure a VoIP profile that disables SIP inspection but allows SDP NAT. Unfortunately, FortiGate does not natively support SDP NAT without SIP ALG. You might need to rely on the Avaya configuration to handle this, as you've done.

  3. SD-WAN Configuration:
    - Ensure that your SD-WAN rules are correctly set up to prioritize the primary ISP and only failover to the secondary ISP when the primary is down.
    - Use health checks to monitor the status of the primary link and trigger failover when necessary.

  4. VoIP Profile Configuration: Create a custom VoIP profile with SIP inspection disabled if you want to avoid SIP ALG issues:
    shell
    config voip profile
    edit "VoIP_ALG_Off"
    config sip
    set status disable
    set rtp disable
    end
    next

  5. Manual Configuration on Avaya: Since you mentioned configuring the WAN IP on the Avaya, consider using a dynamic DNS service or a similar solution to handle IP changes automatically if possible.

  6. Consult Fortinet Documentation: Review Fortinet's documentation and community forums for any updates or best practices related to handling VoIP with SD-WAN failover.

 

If these steps do not resolve the issue, you may need to consult with Fortinet support for more specific guidance tailored to your network setup.

Jean-Philippe - Fortinet Community Team
    Terms & ConditionsAccessibility statement