FortiGate
bfreitas (Staff)
Article Id 346761
Description
This article describes an error that can occur when running the 3CX Firewall Port check test after installing a local 3CX VoIP server. The error is 'Mapping does not match <port>. Mapping is <another_port>', and it can appear even when the FortiGate Firewall Policies and VIPs are correctly configured.
Although this article focuses on only one tested port (5090), the procedure applies to all other ports.
Scope
FortiOS, VoIP.
Solution

3CX uses STUN servers to test whether the required ports are open or closed. During the test, 3CX stops its own services to free those ports so that the firewall checker service can bind to them.


Example scenario: 3CX local VoIP server (192.168.1.151) ----- (local gateway 192.168.1.99) FortiGate (10.123.123.20) ----- (ISP gateway 10.123.123.254) ISP (public IP 84.X.Y.Z) ----- STUN server (stun.3cx.com, IP 54.38.41.146).

[Figure: binding request.png]

The image above refers to traffic going out of the FortiGate and shows the following steps:

  1. The 3CX local server with IP 192.168.1.151 sends a STUN Binding Request to stun.3cx.com (IP 54.38.41.146).
  2. The request is sent from local port 5090 to the STUN server's default port 3478.
  3. The 3CX local server indicates (Change IP = 0, Change Port = 0) that the STUN server must NOT use a different IP or port when replying to this request.


Note that all requests contain a unique transaction ID to ensure that the received data belongs to the initial request.

[Figure: binding response.png]
The image above refers to traffic received on the FortiGate from the ISP, and shows the following steps:

  1. The STUN server (IP 54.38.41.146) sends a Binding Response to answer the Binding Request from the 3CX local server (IP 192.168.1.151).
  2. The Binding Response contains, in the MAPPED-ADDRESS attribute, the public IP and port from which the STUN server received the request. Here the STUN server reported port 37309 instead of the original 5090, which produces the error message shown below.
     This is an error because, as the first figure shows, Change IP and Change Port are set to 0, so the 3CX local server expects the mapped port to be 5090.


[Figure: 3cx error.png]

This can occur even when port preservation is enabled on the FortiGate Firewall Policy, because that setting only applies to traffic NATed by the FortiGate, not to other NAT devices on the path (in the scenario above, the ISP, which translates 10.123.123.20 to the public IP 84.X.Y.Z).
After confirming that the FortiGate is sending the traffic out on the correct source ports, contact the ISP for further analysis: the 3CX firewall check only passes when the MAPPED-ADDRESS attribute of the Binding Response contains port 5090.
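As an added illustration (not code from the article, 3CX or Fortinet) of the exchange in the two figures and of the comparison behind the error message, the Python below builds the Binding Request with Change IP/Change Port = 0, a constructed Binding Response whose MAPPED-ADDRESS carries port 37309, and applies the same check that produces 'Mapping does not match'. It assumes the RFC 5389 header layout (magic cookie plus 12-byte transaction ID) with the classic CHANGE-REQUEST attribute, and uses 198.51.100.7 as a stand-in for the public IP 84.X.Y.Z; the real 3CX checker's wire details are not on the page.

```python
import socket
import struct

MAGIC_COOKIE, BINDING_REQUEST, BINDING_RESPONSE = 0x2112A442, 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_CHANGE_REQUEST = 0x0001, 0x0003


def build_binding_request(txid, change_ip=False, change_port=False):
    """Binding Request with a CHANGE-REQUEST attribute (0x04 = change IP, 0x02 = change port)."""
    flags = (0x04 if change_ip else 0) | (0x02 if change_port else 0)
    attr = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HHI", BINDING_REQUEST, len(attr), MAGIC_COOKIE) + txid + attr


def build_binding_response(txid, ip, port):
    """Constructed Binding Response carrying only a MAPPED-ADDRESS attribute (family 0x01 = IPv4)."""
    attr = struct.pack("!HHBBH4s", ATTR_MAPPED_ADDRESS, 8, 0, 0x01, port, socket.inet_aton(ip))
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def parse_stun(msg):
    """Return (message type, transaction ID, {attribute type: raw value}); attributes are 4-byte aligned."""
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    txid, attrs, pos = msg[8:20], {}, 20
    while pos < len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[atype] = msg[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)
    return mtype, txid, attrs


def mapped_address(attrs):
    value = attrs[ATTR_MAPPED_ADDRESS]  # reserved byte, family, port, IPv4 address
    _family, port = struct.unpack("!xBH", value[:4])
    return socket.inet_ntoa(value[4:8]), port


def check_mapping(request, response, expected_port):
    """Mimic the firewall checker: match the transaction ID, then compare the MAPPED-ADDRESS port."""
    _, req_txid, _ = parse_stun(request)
    mtype, resp_txid, attrs = parse_stun(response)
    if mtype != BINDING_RESPONSE or resp_txid != req_txid:
        return "Response does not belong to this request"
    _, mapped_port = mapped_address(attrs)
    if mapped_port != expected_port:
        return f"Mapping does not match {expected_port}. Mapping is {mapped_port}"
    return "OK"


if __name__ == "__main__":  # constructed exchange: 3CX expects 5090, upstream NAT reports 37309
    txid = bytes(range(12))
    req = build_binding_request(txid)  # Change IP = 0, Change Port = 0, as in the first figure
    print(check_mapping(req, build_binding_response(txid, "198.51.100.7", 37309), 5090))
```

Pointing the same parser at a sniffer capture of the real Binding Response on the FortiGate WAN interface shows which device on the path rewrote the port.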


Related documents:

Technical Tip: VoIP and SIP configuration and troubleshooting resource lists