Created on
‎01-22-2016
03:18 PM
Edited on
‎08-28-2024
03:26 AM
By
Jean-Philippe_P
Description
Solution
By default, FortiGate is using SIP ALG to process SIP traffic.
Verify it by checking the configuration and counters:
FortiGate # show full system setting | grep default-voip-alg-mode
set default-voip-alg-mode proxy-based
Proxy-based <----- Default SIP ALG mode.
Kernel-helper-based <----– SIP session helper.
To verify counters based on the mode:
- If SIP Sessions Helper is handling the SIP traffic, the command below will display counters:
FortiGate # diag sys sip status
dialogs: max=131072, used=0
mappings: used=0
dialog hash by ID: size=8192, used=0, depth=0
dialog hash by RTP: size=8192, used=0, depth=0
mapping hash: size=8192, used=0, depth=0
count0: 0
count1: 2
count2: 10
count3: 0
count4: 0 - If SIP ALG is handling the SIP traffic, the command below will display counters:
FortiGate # diag sys sip-proxy stat
sip stats
vdom name: root
---------------------------
active-sessions: 1
calls-attempted: 57
calls-established: 27
calls-failed: 30
calls-active: 0
registers-active: 1
| received | blocked | unknown form | long headers
req-type | req resp| req resp| req resp| req resp
UNKNOWN 0 47227 0 47227 0 47227 0 0
ACK 86 0 0 0 0 0 0 0
BYE 27 27 0 0 0 0 0 0
CANCEL 14 14 0 0 0 0 0 0
INFO 0 0 0 0 0 0 0 0
INVITE 107 223 0 0 0 0 0 0
MESSAGE 0 0 0 0 0 0 0 0
NOTIFY 5789 5788 0 0 0 0 0 0
OPTIONS 0 0 0 0 0 0 0 0
PRACK 0 0 0 0 0 0 0 0
PUBLISH 10371 802 0 1 0 0 0 0
REFER 2 2 0 0 0 0 0 0
REGISTER 100678 81543 25 0 25 0 0 0
SUBSCRIBE 19857 13333 0 2 0 0 0 0
UPDATE 0 0 0 0 0 0 0 0
PING 0 0 0 0 0 0 0 0
To verify based on the session created by the SIP port :
First filter and display the session:
diag sys session filter dport 5060
diag sys session filter dst x.x.x.x (public IP of the SIP provider)
diag sys session list
Then look for the flags:
- If the session has an 'ndr' flag -> flow SIP (ips) handles the traffic.
- If the session has 'redir' and 'local' flags -> SIP ALG handles the traffic.
- If the session only has "helper=sip" -> SIP kernel helper (session-helper) handles the traffic.
- If the session has 'helper=20' or 'helper=24' -> SIP ALG handles the traffic.
Related documents:
VoIP solutions 6.4.5
VoIP solutions 6.2.7
FortiGate sip 603
FortiGate VOIP sip 521
Related Articles:
Technical Tip: VOIP calls (using SIP)
Technical Tip: Disabling VoIP Inspection
Techincal Tip: SIP useful Commands
Technical Tip: Enabling the SIP Application Layer Gateway (ALG)
Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG
Technical Tip: How to use the SIP ALG to prevent unwanted calls
SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2