Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

gmanea · ‎01-22-2016

Description

This article describes how to confirm if SIP traffic is being handled by SIP ALG or by SIP session-helper.

Scope

FortiGate.

Solution

By default, FortiGate uses SIP ALG to process SIP traffic. Verify it by checking the configuration and counters:

FortiGate # show full system setting | grep default-voip-alg-mode
set default-voip-alg-mode proxy-based

Proxy-based <----- Default SIP ALG mode.
Kernel-helper-based <----– SIP session helper.

To verify counters based on the mode:

If SIP Sessions Helper is handling the SIP traffic, the command below will display counters:

FortiGate # diagnose sys sip status
dialogs: max=131072, used=0
mappings: used=0
dialog hash by ID: size=8192, used=0, depth=0
dialog hash by RTP: size=8192, used=0, depth=0
mapping hash: size=8192, used=0, depth=0
count0: 0
count1: 2
count2: 10
count3: 0
count4: 0
If SIP ALG is handling the SIP traffic, the command below will display counters:

FortiGate # diagnose sys sip-proxy stat

sip stats

vdom name: root
---------------------------
     active-sessions: 1
     calls-attempted: 57
     calls-established: 27
     calls-failed: 30

     calls-active: 0
     registers-active: 1
              |     received |     blocked   | unknown form | long headers
     req-type |    req    resp|    req    resp|    req    resp|    req    resp
     UNKNOWN         0   47227       0   47227       0   47227       0       0
     ACK            86       0       0       0       0       0       0       0
     BYE            27      27       0       0       0       0       0       0
     CANCEL         14      14       0       0       0       0       0       0
     INFO            0       0       0       0       0       0       0       0
     INVITE        107     223       0       0       0       0       0       0
     MESSAGE         0       0       0       0       0       0       0       0
     NOTIFY       5789    5788       0       0       0       0       0       0
     OPTIONS         0       0       0       0       0       0       0       0
     PRACK           0       0       0       0       0       0       0       0
     PUBLISH     10371     802       0       1       0       0       0       0
     REFER           2       2       0       0       0       0       0       0
     REGISTER   100678   81543      25       0      25       0       0       0
     SUBSCRIBE   19857   13333       0       2       0       0       0       0
     UPDATE          0       0       0       0       0       0       0       0
     PING            0       0       0       0       0       0       0       0

To verify based on the session created by the SIP port :

First filter and display the session:

diagnose sys session filter dport 5060

diagnose sys session filter dst x.x.x.x (public IP of the SIP provider)

diagnose sys session list

Then look for the flags:

If the session has an 'ndr' flag -> flow SIP (ips) handles the traffic.
If the session has 'redir' and 'local' flags -> SIP ALG handles the traffic (as long as the DST port of the session matches the SIP port under system.settings in FortiGate).
If the session only has "helper=sip" -> SIP kernel helper (session-helper) handles the traffic.
If the session has 'helper=20' or 'helper=24' -> SIP ALG handles the traffic.
If session has both i.e. 'redir' and 'local' flags, and 'helper=sip' -> SIP kernel helper does nothing when it finds the session has 'redir' and 'local' flag.

Related documents:

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG

You are leaving our website