Description
This article shows some useful commands for troubleshooting SIP traffic.
Solution
Several commands are used to troubleshoot this issue, depending on the mode used by the firewall (sip session-helper or SIP-ALG).
Most importantly, troubleshooting VoIP issues during the initial setup is rarely possible in a remote session.
Follow these initial steps and attach the output so we can also understand the setup:
- Explain or draw the network diagram with addresses clearly indicated for the SIP server, audio server, FortiGate interfaces (NAT if used), client IP, etc.
- Check what kind of SIP inspection is used/configured on the FortiGate and in the policies (backup of configuration, specifying the VDOM/ policy ID# allowing the VOIP traffic).
- Specify how FortiGate is expected to open the audio ports for calls (which VIP, what SIP mechanism).
- Packet capture for affected traffic - place a call with this command running (diag sniffer packet any 'host x.x.x.x' 6 0 l).
For x.x.x.x, use the public IP of the SIP trunk provider if the problem affects public calls and not local calls, or the IP of the local PBX server if the affected calls are local.
The next steps are optional, and not always needed:
- Capture and analyze the traffic between the host and the SIP server over the FortiGate (traffic capture for the destination server IP, or for port 5060).
- Collect the SIP debug if the problem is not identified or is not clearly fixable.
This is useful when the action taken by the firewall is clearly understood and configured but still considered wrong.
Simultaneously, a packet capture is necessary (on another SSH connection).
SIP debug can be enabled and collected as follows:
diagnose debug disable
diagnose debug reset
diagnose debug application sip -1
diagnose debug enable
Once the call test is finished, stop the debug again with 'diagnose debug disable' followed by 'diagnose debug reset' so it does not keep consuming CPU on the unit.
Diagnosing calls:
Use the following commands to display status information about the SIP sessions being processed by the SIP ALG.
diagnose sys sip-proxy calls list
diagnose sys sip-proxy stats <- This is the most useful as it shows what type of packets are blocked.
diagnose sys sip-proxy stats clear <- To clear the old statistics and make recent tests more obvious.
diagnose sys sip status
diagnose sys sip dialog list
diagnose sys sip mapping list
There are 4 columns:
Received: packets of a certain type that FortiGate received. These are packets seen as passing over the FortiGate (no action taken by FortiGate).
Blocked: packets that the FortiGate actively blocked. It can be either ‘request’ or ‘response’.
Unknown form: the header may be familiar to the FortiGate, but the content may carry extensions or field values that are not recognized, or the format may be entirely unexpected. Unknown SIP requests are blocked by default (set block-unknown enable). Malformed headers are set to pass by default in the SIP section of the default VoIP profile.
Long headers: Certain packets contain a lot of non-standard extensions that enhance the SIP call. But this data needs more space on a header’s line. Long lines/headers are by default blocked (set block-long-lines enable).
UNKNOWN: Generally these are keep-alive packets (no relevant data).
If blocked, calls may drop after a certain time when the session times out. Fix: set block-unknown disable in the default VOIP profile (or particular VOIP profile used in the policy).
ACK: (not usually a problem. If needed, SIP profile can be set block-ack enable).
BYE: (not usually a problem. If needed, SIP profile can be set block-bye enable).
CANCEL: (not usually a problem. If needed, SIP profile can be set block-cancel enable).
INFO: (not usually a problem. If needed, SIP profile can be set block-info enable).
INVITE: Only a problem if blocked. Packet capture and sip debug can tell why a ‘legitimate’ INVITE is blocked. Usually, it is caused by mismatching fields.
MESSAGE: (not usually a problem. If needed, SIP profile can be set block-message enable).
NOTIFY: (not usually a problem. If needed, SIP profile can be set block-notify enable).
OPTIONS: (not usually a problem. If needed, SIP profile can be set block-options enable).
PRACK: Provisional Response Acknowledgement - adds the RSeq and RAck headers (not blocked by default: set block-prack disable; the rate can be changed with prack-rate).
REFER: (not usually a problem. If needed, SIP profile can be set block-refer enable).
REGISTER: if the blocked counter is increasing while phones register normally, there may be fraudulent external attempts to register on the SIP server. If a phone cannot register, check the blocked column. When 'received req' increases but 'received resp' does not, the SIP server does not recognize or refuses to respond to these requests (troubleshooting is then generally on the SIP server).
SUBSCRIBE: (not usually a problem).
UPDATE: (not usually a problem. If needed, SIP profile can be set block-update enable).
PING: (not usually a problem. Rarely used).
According to the output of 'diagnose sys sip-proxy stats', it is possible to make adjustments on the default VoIP profile, or create a new profile to be used in policies. Common changes are highlighted:
config voip profile
(profile) # edit default
(default) # config sip
set ?
status Enable/disable SIP.
rtp Enable/disable create pinholes for RTP traffic to traverse firewall.
nat-port-range RTP NAT port range.
open-register-pinhole Enable/disable open pinhole for REGISTER Contact port.
open-contact-pinhole Enable/disable open pinhole for non-REGISTER Contact port.
open-via-pinhole Enable/disable open pinhole for Via port.
open-record-route-pinhole Enable/disable open pinhole for Record-Route port.
Usually, these pinholes should be open. Keeping them closed may prevent SIP from functioning properly through the FortiGate. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and travels over a single session).
strict-register Enable/disable only allow the registrar to connect.
register-rate REGISTER request rate limit (per second, per policy).
invite-rate INVITE request rate limit (per second, per policy).
max-dialogs Maximum number of concurrent calls/dialogs (per policy).
max-line-length Maximum SIP header line length (78-4096). The default is 998; it can be increased so the SIP ALG processes longer lines (e.g. an INVITE for call recording carrying XML metadata).
block-long-lines Enable/disable block requests with headers exceeding max-line-length.
block-unknown Block unrecognized SIP requests (enabled by default).
call-keepalive Continue tracking calls with no RTP for this many minutes.
block-ack Enable/disable block ACK requests.
block-bye Enable/disable block BYE requests.
block-cancel Enable/disable block CANCEL requests.
block-info Enable/disable block INFO requests.
block-invite Enable/disable block INVITE requests.
block-message Enable/disable block MESSAGE requests.
block-notify Enable/disable block NOTIFY requests.
block-options Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
block-prack Enable/disable block prack requests.
block-publish Enable/disable block PUBLISH requests.
block-refer Enable/disable block REFER requests.
block-register Enable/disable block REGISTER requests.
block-subscribe Enable/disable block SUBSCRIBE requests.
block-update Enable/disable block UPDATE requests.
register-contact-trace Enable/disable trace original IP/port within the contact header of REGISTER requests.
rfc2543-branch Enable/disable support via branch compliant with RFC 2543.
log-violations Enable/disable logging of SIP violations.
log-call-summary Enable/disable logging of SIP call summary.
nat-trace Enable/disable preservation of original IP in SDP i line.
subscribe-rate SUBSCRIBE request rate limit (per second, per policy).
message-rate MESSAGE request rate limit (per second, per policy).
notify-rate NOTIFY request rate limit (per second, per policy).
refer-rate REFER request rate limit (per second, per policy).
update-rate UPDATE request rate limit (per second, per policy).
options-rate OPTIONS request rate limit (per second, per policy).
ack-rate ACK request rate limit (per second, per policy).
prack-rate PRACK request rate limit (per second, per policy).
info-rate INFO request rate limit (per second, per policy).
publish-rate PUBLISH request rate limit (per second, per policy).
bye-rate BYE request rate limit (per second, per policy).
cancel-rate CANCEL request rate limit (per second, per policy).
preserve-override Override i line to preserve original IPs (default: append).
no-sdp-fixup Enable/disable no SDP fix-up.
contact-fixup Fix up Contact anyway even if the Contact's IP:port does not match the session's IP:port.
max-idle-dialogs Maximum number established but idle dialogs to retain (per policy).
block-geo-red-options Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
hosted-nat-traversal Hosted NAT Traversal (HNT).
hnt-restrict-source-ip Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
max-body-length Maximum SIP message body length (0 meaning no limit).
unknown-header Action for unknown SIP header.
malformed-request-line Action for malformed request line.
malformed-header-via Action for malformed VIA header.
malformed-header-from Action for malformed From header.
malformed-header-to Action for malformed To header.
malformed-header-call-id Action for malformed Call-ID header.
malformed-header-cseq Action for malformed CSeq header.
malformed-header-rack Action for malformed RAck header.
malformed-header-rseq Action for malformed RSeq header.
malformed-header-contact Action for malformed Contact header.
malformed-header-record-route Action for malformed Record-Route header.
malformed-header-route Action for malformed Route header.
malformed-header-expires Action for malformed Expires header.
malformed-header-content-type Action for malformed Content-Type header.
malformed-header-content-length Action for malformed Content-Length header.
malformed-header-max-forwards Action for malformed Max-Forwards header.
malformed-header-allow Action for malformed Allow header.
malformed-header-p-asserted-identity Action for malformed P-Asserted-Identity header.
malformed-header-sdp-v Action for malformed SDP v line.
malformed-header-sdp-o Action for malformed SDP o line.
malformed-header-sdp-s Action for malformed SDP s line.
malformed-header-sdp-i Action for malformed SDP i line.
malformed-header-sdp-c Action for malformed SDP c line.
malformed-header-sdp-b Action for malformed SDP b line.
malformed-header-sdp-z Action for malformed SDP z line.
malformed-header-sdp-k Action for malformed SDP k line.
malformed-header-sdp-a Action for malformed SDP a line.
malformed-header-sdp-t Action for malformed SDP t line.
malformed-header-sdp-r Action for malformed SDP r line.
malformed-header-sdp-m Action for malformed SDP m line.
provisional-invite-expiry-time Expiry time for provisional INVITE (10 - 3600 sec).
ips-rtp Enable/disable allow IPS on RTP.
ssl-mode SSL/TLS mode for encryption & decryption of traffic.
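To tie the counter interpretation above to the profile settings just listed, here is an added Python example. It is not from the Fortinet article and it does not parse the real output of 'diagnose sys sip-proxy stats': the counter values are constructed and handed in as structured snapshots. It takes a snapshot from before and after a test call (the 'stats clear, place a call, read again' workflow), computes the per-request-type deltas, applies the article's rules for each request type, and renders the resulting 'set' commands as a VoIP-profile fragment. The choice of 4096 for max-line-length and the profile name are assumptions.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Counters:
    """One row of the stats table for a request type: request/response
    counts in the Received and Blocked columns plus the two format columns."""
    received_req: int = 0
    received_resp: int = 0
    blocked_req: int = 0
    blocked_resp: int = 0
    unknown_form: int = 0
    long_headers: int = 0


def delta(before: dict, after: dict) -> dict:
    """Per-method difference between two snapshots (article workflow:
    'stats clear', place a test call, read the stats again)."""
    names = [f.name for f in fields(Counters)]
    result = {}
    for method, a in after.items():
        b = before.get(method, Counters())
        result[method] = Counters(**{n: getattr(a, n) - getattr(b, n) for n in names})
    return result


def interpret(deltas: dict, phones_can_register: bool = True):
    """Apply the article's per-request-type rules to the deltas.
    Returns (findings, profile settings), both lists of strings."""
    findings, settings = [], []
    for method in sorted(deltas):
        d = deltas[method]
        blocked = d.blocked_req + d.blocked_resp
        if d.long_headers:
            findings.append(f"{method}: long header lines seen (block-long-lines is on by default)")
            # 4096 is the top of the 78-4096 range listed in the profile; constructed choice
            settings.append("set max-line-length 4096")
        if d.unknown_form:
            findings.append(f"{method}: unknown form; review the unknown-header action")
        if method == "UNKNOWN":
            if blocked:
                findings.append("UNKNOWN blocked: keep-alives dropped, calls may drop at session timeout")
                settings.append("set block-unknown disable")
        elif method == "INVITE":
            if blocked:
                findings.append("INVITE blocked: collect packet capture and sip debug, look for mismatching fields")
        elif method == "REGISTER":
            if phones_can_register:
                if blocked:
                    findings.append("REGISTER blocked while phones register fine: likely external registration attempts")
            elif blocked:
                findings.append("REGISTER blocked and phones cannot register: check block-register / strict-register")
            elif d.received_req and not d.received_resp:
                findings.append("REGISTER requests pass but no responses: troubleshoot on the SIP server")
        elif blocked:
            findings.append(f"{method} blocked: check 'set block-{method.lower()}' in the VoIP profile")
    return findings, sorted(set(settings))


def render_profile(settings, profile: str = "default") -> str:
    """Render the settings as the 'config voip profile / config sip' fragment used in the article."""
    lines = ["config voip profile", f"    edit {profile}", "        config sip"]
    lines += [f"            {s}" for s in settings]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed snapshots (not real FortiGate output): counters before and after one test call.
BEFORE = {
    "INVITE": Counters(received_req=10, received_resp=10),
    "REGISTER": Counters(received_req=40, received_resp=40, blocked_req=5),
    "UNKNOWN": Counters(received_req=100, blocked_req=3),
}
AFTER = {
    "INVITE": Counters(received_req=12, received_resp=12, blocked_req=1, long_headers=1),
    "REGISTER": Counters(received_req=43, received_resp=43, blocked_req=8),
    "UNKNOWN": Counters(received_req=130, blocked_req=30),
}

if __name__ == "__main__":
    found, changes = interpret(delta(BEFORE, AFTER))
    print("\n".join(found))
    print(render_profile(changes))
```

Feed the function the phones_can_register flag from what the users report, because the same REGISTER counters mean opposite things depending on it: blocked REGISTERs while phones work is the firewall doing its job against outside registration attempts, blocked REGISTERs while phones fail is a profile problem, and passing requests without responses points at the SIP server rather than the FortiGate.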
Troubleshooting the SIP session-helper is harder, because the only thing that can be checked is whether the session expectation is created correctly.
Also, with the SIP session-helper there are few settings that can be adjusted for special topologies.
Since the SIP session-helper is not commonly used, this guide does not focus on troubleshooting it.
To verify if the SIP helper was used, check with this command:
# diag sys sip status (if counters are 0, sip session-helper is not used)