SIP ALG on Dual-WAN
I'm on a FortiGate 61F running 7.4.3. I have a VoIP PBX behind it using SIP trunks. When this was all set up originally, I only had a single WAN connection (connected to WAN 2), and I did have to disable the SIP ALG helper in order to resolve dropped call issues. I used this command and found the entry dealing with SIP and port 5060:
config system session-helper
show
I deleted it and all was well.
Now I have added a backup ISP, which is connected to WAN 1. When on the backup, I have calls dropping, and I narrowed it down to SIP ALG by using a SIP ALG detector exe.
When I run the detector on a laptop behind the forti on primary WAN it does not detect SIP ALG.
When I run the detector on a laptop behind the forti on backup WAN it does not detect SIP ALG on TCP.
When I run the detector on a laptop connected directly to the backup WAN modem it does not detect SIP ALG.
I thought deleting that session-helper entry was global, not just for one of the WAN ports. And my policies are configured to use the zone that both WANs are in, so I don't think that is the issue. The screenshot below is the only policy that deals with my IP PBX. This is in place to prevent inspection of traffic from the PBX.
Any advice where to look would be much appreciated. Thanks!
