SIP over VPN on 5061 and wrong policy used...

Forum|Forum|8 years ago
May 7, 2018
1 reply
8157 views

I create a client VPN for forticlient and Ios.

There are the right policy to reach my lan from VPN an from LAN to VPN.

In my LAN I deployed a PBX with SIP on port 5061.

When I connect from internet to my network with VPNc all service work but no softphone is able to connect to PBX.

In fortiguard, filtering by IP, I can see all the sessions open from VPNc to LAN. All sessions use the correct policy.

The session on port 5061 uses a different policy and it does not have anything to do with it (different Interface, another P2P VPN).

You can see in the attached image the wrong policy. The row is the only row without Source Interface...

Any suggestion?

Capture.JPG

Toshi_Esumi

SuperUser

Do you have a proper set of route&policy toward VPNs? One way policy generally work for mobile applications like server/service remote accesses but not for phone services.

emnoc

New Member

You keep on saying you have the right policy, have you ran cli diag debug flow and against one of your phone devices to confirm ?

Ken

StorytellerAuthor

New Member

There are policies, there are the right routes...

I think the problem is in session helper...

id=20085 trace_id=41 func=print_pkt_detail line=4930 msg="vd-root received a packet(proto=17, 172.16.100.100:5061->192.168.2.88:5061) from XDN_FC_0. "

id=20085 trace_id=41 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-06726330, original direction"

id=20085 trace_id=41 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.2.88 via wan1"

id=20085 trace_id=41 func=__ip_session_run_tuple line=2956 msg="run helper-sip(dir=original)"

I set up protocol SIP on 5060 port. I don't know if I have to set or I can set another SIP protocol in session helper...

Graziano.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded