Description
This article shows some useful commands for troubleshooting SIP traffic.
Solution
Several commands are used to troubleshoot this issue, depending on the mode used by firewall (sip session-helper or SIP-ALG).
Generally, troubleshooting voip issues is done in few steps:
- Getting a simple network diagram with addresses clearly indicated for SIP server, Audio server, FortiGate interfaces (NAT if used), client IP, etc.
- Checking what kind of SIP inspection is used/configured on the FortiGate / in the policies (backup of configuration, specifying the VDOM/ policy ID#)
- Capturing and analyzing the traffic between host and SIP server over FortiGate (traffic capture for destination server IP, or for port 5060)
- Isolating the issue to FortiGate by disabling SIP inspection (or specifying how FortiGate is expected to open the audio ports for calls)
- Collecting the sip debug if the problem is not identified or not clearly fixable
SIP debug can be enabled and collected as follows.
This is useful when the action taken be the firewall is clearly understood and configured, but still considered wrong.
Simultaneously, a packet capture is necessary (on another SSH connection):
# diagnose debug disable
# diagnose debug reset
# diagnose debug application sip -1
# diagnose debug enable
Diagnosing calls
Use following commands to display status information about the SIP sessions being processed by the SIP ALG.
# diagnose sys sip-proxy calls list
# diagnose sys sip-proxy stats <----- This is the most useful as it shows what type of packets are blocked.
# diagnose sys sip-proxy stats clear <----- To clear the old statistics and make recent tests more obvious.
# diagnose sys sip status
# diagnose sys sip dialog list
# diagnose sys sip mapping list
There are 4 columns:
Received: packets of certain type that FortiGate received. These are packets seen as passing over the FortiGate (no action taken by FortiGate)
Blocked: packets that the FortiGate actively blocked. They can be either ‘request’ or ‘response’
Unknown form: The header may be familiar to FortiGate but the content may have certain extensions or field contents that are not recognized, or completely strange in format. Unknown SIP requests are by default blocked (set block-unknown enable). Malformed headers are by default set to pass in the SIP section of the default voip profile
Long headers: Certain packets contain a lot of non-standard extensions than enhance the SIP call. But this data needs more space on a header’s line. Long lines/headers are by default blocked (set block-long-lines enable)
UNKNOWN: Generally these are keep-alive packets (no relevant data).
If blocked, calls may drop after a certain time when the session times out. Fix: set block-unknown disable in default voip profile (or particular voip profile used in policy).
ACK: (not usually a problem. If needed, SIP profile can be set block-ack enable ).
BYE: (not usually a problem. If needed, SIP profile can be set block-bye enable ).
CANCEL: (not usually a problem. If needed, SIP profile can be set block-cancel enable ).
INFO: (not usually a problem. If needed, SIP profile can be set block-info enable ).
INVITE: Only a problem if blocked. Packet capture and sip debug can tell why a ‘legitimate’ INVITE is blocked. Usually it is caused by mismatching fields.
MESSAGE: (not usually a problem. If needed, SIP profile can be set block-message enable ).
NOTIFY: (not usually a problem. If needed, SIP profile can be set block-notify enable ).
OPTIONS: (not usually a problem. If needed, SIP profile can be set block-options enable ).
PRACK: Provisional Response Ack - Adds RSeq and Rack headers (not blocked by default - set block-prack disable, rate can be changed) .
REFER: (not usually a problem. If needed, SIP profile can be set block-refer enable ).
REGISTER - if blocked counter is increasing, they may be fraudulent external attempts trying register to use your SIP server. However, if your phone can’t register, you should check the blocked column. When ‘received req’ increases, but ‘received resp’ is not increasing = the SIP server does not recognize or refuses to respond to these requests (troubleshooting generally on SIP server).
SUBSCRIBE: (not usually a problem).
UPDATE: (not usually a problem. If needed, SIP profile can be set block-update enable ).
PING: (not usually a problem. Rarely used).
Received: packets of certain type that FortiGate received. These are packets seen as passing over the FortiGate (no action taken by FortiGate)
Blocked: packets that the FortiGate actively blocked. They can be either ‘request’ or ‘response’
Unknown form: The header may be familiar to FortiGate but the content may have certain extensions or field contents that are not recognized, or completely strange in format. Unknown SIP requests are by default blocked (set block-unknown enable). Malformed headers are by default set to pass in the SIP section of the default voip profile
Long headers: Certain packets contain a lot of non-standard extensions than enhance the SIP call. But this data needs more space on a header’s line. Long lines/headers are by default blocked (set block-long-lines enable)
UNKNOWN: Generally these are keep-alive packets (no relevant data).
If blocked, calls may drop after a certain time when the session times out. Fix: set block-unknown disable in default voip profile (or particular voip profile used in policy).
ACK: (not usually a problem. If needed, SIP profile can be set block-ack enable ).
BYE: (not usually a problem. If needed, SIP profile can be set block-bye enable ).
CANCEL: (not usually a problem. If needed, SIP profile can be set block-cancel enable ).
INFO: (not usually a problem. If needed, SIP profile can be set block-info enable ).
INVITE: Only a problem if blocked. Packet capture and sip debug can tell why a ‘legitimate’ INVITE is blocked. Usually it is caused by mismatching fields.
MESSAGE: (not usually a problem. If needed, SIP profile can be set block-message enable ).
NOTIFY: (not usually a problem. If needed, SIP profile can be set block-notify enable ).
OPTIONS: (not usually a problem. If needed, SIP profile can be set block-options enable ).
PRACK: Provisional Response Ack - Adds RSeq and Rack headers (not blocked by default - set block-prack disable, rate can be changed) .
REFER: (not usually a problem. If needed, SIP profile can be set block-refer enable ).
REGISTER - if blocked counter is increasing, they may be fraudulent external attempts trying register to use your SIP server. However, if your phone can’t register, you should check the blocked column. When ‘received req’ increases, but ‘received resp’ is not increasing = the SIP server does not recognize or refuses to respond to these requests (troubleshooting generally on SIP server).
SUBSCRIBE: (not usually a problem).
UPDATE: (not usually a problem. If needed, SIP profile can be set block-update enable ).
PING: (not usually a problem. Rarely used).
According to the output of '# diagnose sys sip-proxy stats', it is possible to make adjustments on the default voip profile,
or create a new profile to be used in policies. Common changes are highlighted:
or create a new profile to be used in policies. Common changes are highlighted:
# config voip profileUsually, user wants to open these pinholes.
(profile) # edit default
(default) # config sip
# set ?
status Enable/disable SIP.
rtp Enable/disable create pinholes for RTP traffic to traverse firewall.
nat-port-range RTP NAT port range.
open-register-pinhole Enable/disable open pinhole for REGISTER Contact port.
open-contact-pinhole Enable/disable open pinhole for non-REGISTER Contact port.
open-via-pinhole Enable/disable open pinhole for Via port.
open-record-route-pinhole Enable/disable open pinhole for Record-Route port.
Keeping them closed may prevent SIP from functioning properly through the FortiGate.
It can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session).
Troubleshooting SIP-helper is not as easy, as we can only check whether the session expectation is created correctly.
Also, with SIP session-helper there are not many changes that can be operated for special topologies.
Since SIP session-helper is not commonly used, this guide will not focus on troubleshooting it.
strict-register Enable/disable only allow the registrar to connect.
register-rate REGISTER request rate limit (per second, per policy).
invite-rate INVITE request rate limit (per second, per policy).
max-dialogs Maximum number of concurrent calls/dialogs (per policy).
max-line-length Maximum SIP header line length (78-4096).
block-long-lines Enable/disable block requests with headers exceeding max-line-length.
block-unknown Block unrecognized SIP requests (enabled by default).
call-keepalive Continue tracking calls with no RTP for this many minutes.
block-ack Enable/disable block ACK requests.
block-bye Enable/disable block BYE requests.
block-cancel Enable/disable block CANCEL requests.
block-info Enable/disable block INFO requests.
block-invite Enable/disable block INVITE requests.
block-message Enable/disable block MESSAGE requests.
block-notify Enable/disable block NOTIFY requests.
block-options Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
block-prack Enable/disable block prack requests.
block-publish Enable/disable block PUBLISH requests.
block-refer Enable/disable block REFER requests.
block-register Enable/disable block REGISTER requests.
block-subscribe Enable/disable block SUBSCRIBE requests.
block-update Enable/disable block UPDATE requests.
register-contact-trace Enable/disable trace original IP/port within the contact header of REGISTER requests.
rfc2543-branch Enable/disable support via branch compliant with RFC 2543.
log-violations Enable/disable logging of SIP violations.
log-call-summary Enable/disable logging of SIP call summary.
nat-trace Enable/disable preservation of original IP in SDP i line.
subscribe-rate SUBSCRIBE request rate limit (per second, per policy).
message-rate MESSAGE request rate limit (per second, per policy).
notify-rate NOTIFY request rate limit (per second, per policy).
refer-rate REFER request rate limit (per second, per policy).
update-rate UPDATE request rate limit (per second, per policy).
options-rate OPTIONS request rate limit (per second, per policy).
ack-rate ACK request rate limit (per second, per policy).
prack-rate PRACK request rate limit (per second, per policy).
info-rate INFO request rate limit (per second, per policy).
publish-rate PUBLISH request rate limit (per second, per policy).
bye-rate BYE request rate limit (per second, per policy).
cancel-rate CANCEL request rate limit (per second, per policy).
preserve-override Override i line to preserve original IPS (default: append).
no-sdp-fixup Enable/disable no SDP fix-up.
contact-fixup Fixup contact anyway even if contact's IP:port doesn't match session's IP:port.
max-idle-dialogs Maximum number established but idle dialogs to retain (per policy).
block-geo-red-options Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
hosted-nat-traversal Hosted NAT Traversal (HNT).
hnt-restrict-source-ip Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
max-body-length Maximum SIP message body length (0 meaning no limit).
unknown-header Action for unknown SIP header.
malformed-request-line Action for malformed request line.
malformed-header-via Action for malformed VIA header.
malformed-header-from Action for malformed From header.
malformed-header-to Action for malformed To header.
malformed-header-call-id Action for malformed Call-ID header.
malformed-header-cseq Action for malformed CSeq header.
malformed-header-rack Action for malformed RAck header.
malformed-header-rseq Action for malformed RSeq header.
malformed-header-contact Action for malformed Contact header.
malformed-header-record-route Action for malformed Record-Route header.
malformed-header-route Action for malformed Route header.
malformed-header-expires Action for malformed Expires header.
malformed-header-content-type Action for malformed Content-Type header.
malformed-header-content-length Action for malformed Content-Length header.
malformed-header-max-forwards Action for malformed Max-Forwards header.
malformed-header-allow Action for malformed Allow header.
malformed-header-p-asserted-identity Action for malformed P-Asserted-Identity header.
malformed-header-sdp-v Action for malformed SDP v line.
malformed-header-sdp-o Action for malformed SDP o line.
malformed-header-sdp-s Action for malformed SDP s line.
malformed-header-sdp-i Action for malformed SDP i line.
malformed-header-sdp-c Action for malformed SDP c line.
malformed-header-sdp-b Action for malformed SDP b line.
malformed-header-sdp-z Action for malformed SDP z line.
malformed-header-sdp-k Action for malformed SDP k line.
malformed-header-sdp-a Action for malformed SDP a line.
malformed-header-sdp-t Action for malformed SDP t line.
malformed-header-sdp-r Action for malformed SDP r line.
malformed-header-sdp-m Action for malformed SDP m line.
provisional-invite-expiry-time Expiry time for provisional INVITE (10 - 3600 sec).
ips-rtp Enable/disable allow IPS on RTP.
ssl-mode SSL/TLS mode for encryption & decryption of traffic.
Troubleshooting SIP-helper is not as easy, as we can only check whether the session expectation is created correctly.
Also, with SIP session-helper there are not many changes that can be operated for special topologies.
Since SIP session-helper is not commonly used, this guide will not focus on troubleshooting it.
# diagnose sys sip stat <----- Can be used to check if the sip-helper is used.Related links.
Related Articles
Technical Tip: VOIP calls (using SIP)
Technical Tip: Disabling VoIP Inspection
Technical Tip: Enabling the SIP Application Layer Gateway (ALG)
Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG
Technical Tip: How to use the SIP ALG to prevent unwanted calls
SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2
