FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff
Article Id 195289

Description

 

This article shows some useful commands for troubleshooting SIP traffic.

Solution

 

Several commands are used to troubleshoot this issue, depending on the mode used by the firewall (sip session-helper or SIP-ALG).
Most importantly, troubleshooting VOIP issues in the initial setup are rarely possible in a remote session.

 

Follow these initial steps and attach the output so we can also understand the setup:

 

  1. Explain or draw the network diagram with addresses clearly indicated for the SIP server, audio server, FortiGate interfaces (NAT if used), client IP, etc.
  2. Check what kind of SIP inspection is used/configured on the FortiGate and in the policies (backup of configuration, specifying the VDOM/ policy ID# allowing the VOIP traffic).
  3. Specify how FortiGate is expected to open the audio ports for calls (which VIP, what SIP mechanism).
  4. Packet capture for affected traffic - place a call with this command running (diag sniffer packet any 'host x.x.x.x' 6 0 l).

 

For x.x.x.x uses the public IP of the SIP trunk provider if the problem affects public calls and not local calls or the IP of the local PBX server if the affected calls are local.

 

The next steps are optional, and not always needed:

 

  1. Capturing and analyzing the traffic between the host and SIP server over FortiGate (traffic capture for destination server IP, or for port 5060).

     

     

  2. Collect the SIP debug if the problem is not identified or is not clearly fixable.

     

     

This is useful when the action taken by the firewall is clearly understood and configured but still considered wrong.

Simultaneously, packet capture is necessary (on another SSH connection).


SIP debug can be enabled and collected as follows:

 

diagnose debug disable

diagnose debug reset
diagnose debug application sip -1
diagnose debug enable

 

Diagnosing calls:

Use the following commands to display status information about the SIP sessions being processed by the SIP ALG.

 

diagnose sys sip-proxy calls list
diagnose sys sip-proxy stats       <- This is the most useful as it shows what type of packets are blocked.
diagnose sys sip-proxy stats clear <- To clear the old statistics and make recent tests more obvious.
diagnose sys sip status
diagnose sys sip dialog list
diagnose sys sip mapping list

 

JeanPhilippe_P_0-1724399718068.png

 

 
There are 4 columns:

Received: packets of a certain type that FortiGate received. These are packets seen as passing over the FortiGate (no action taken by FortiGate).

Blocked: packets that the FortiGate actively blocked. It can be either ‘request’ or ‘response’.

Unknown form: the header may be familiar to FortiGate but the content may have certain extensions or field contents that are not recognized, or completely strange in format. Unknown SIP requests are by default blocked (set block-unknown enable). Malformed headers are by default set to pass in the SIP section of the default VOIP profile.

Long headers: Certain packets contain a lot of non-standard extensions that enhance the SIP call. But this data needs more space on a header’s line. Long lines/headers are by default blocked (set block-long-lines enable).

UNKNOWN: Generally these are keep-alive packets (no relevant data).

If blocked, calls may drop after a certain time when the session times out. Fix: set block-unknown disable in the default VOIP profile (or particular VOIP profile used in the policy).

ACK: (not usually a problem. If needed, SIP profile can be set block-ack enable).

BYE: (not usually a problem. If needed, SIP profile can be set block-bye enable).

CANCEL: (not usually a problem. If needed, SIP profile can be set block-cancel enable).

INFO: (not usually a problem. If needed, SIP profile can be set block-info enable).

INVITE: Only a problem if blocked. Packet capture and sip debug can tell why a ‘legitimate’ INVITE is blocked. Usually, it is caused by mismatching fields.

MESSAGE: (not usually a problem. If needed, SIP profile can be set block-message enable).

NOTIFY: (not usually a problem. If needed, SIP profile can be set block-notify enable).

OPTIONS: (not usually a problem. If needed, SIP profile can be set block-options enable).

PRACK: Provisional Response Ack - Adds RSeq and Rack headers (not blocked by default - set block-prack disable, the rate can be changed).

REFER: (not usually a problem. If needed, SIP profile can be set block-refer enable).

REGISTER - if the blocked counter is increasing, it may have fraudulent external attempts trying to register to use the SIP server. However, if the phone can not register, check the blocked column. When ‘received req’ increases, but ‘received resp’ is not increasing = the SIP server does not recognize or refuses to respond to these requests (troubleshooting generally on the SIP server).

SUBSCRIBE: (not usually a problem).

UPDATE: (not usually a problem. If needed, SIP profile can be set block-update enable ).

PING: (not usually a problem. Rarely used).
 
According to the output of 'diagnose sys sip-proxy stats', it is possible to make adjustments on the default VoIP profile, or create a new profile to be used in policies. Common changes are highlighted:
 
config voip profile
    (profile) # edit default
    (default) # config sip
    set ?
status                                  Enable/disable SIP.
rtp                                     Enable/disable create pinholes for RTP traffic to traverse firewall.
nat-port-range                           RTP NAT port range.
open-register-pinhole                   Enable/disable open pinhole for REGISTER Contact port.
open-contact-pinhole                    Enable/disable open pinhole for non-REGISTER Contact port.
open-via-pinhole                        Enable/disable open pinhole for Via port.
open-record-route-pinhole               Enable/disable open pinhole for Record-Route port
Usually, the user wants to open these pinholes.
 
Keeping it closed may prevent SIP from functioning properly through the FortiGate.
 
It can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session).
 
strict-register                         Enable/disable only allow the registrar to connect.
register-rate                           REGISTER request rate limit (per second, per policy).
invite-rate                             INVITE request rate limit (per second, per policy).
max-dialogs                             Maximum number of concurrent calls/dialogs (per policy).
max-line-length                         Maximum SIP header line length (78-4096). default = <998>, which can be increased for longer line processing by SIP ALG (e.g. invite for call recording with XML metadata).
block-long-lines                        Enable/disable block requests with headers exceeding max-line-length.
block-unknown                           Block unrecognized SIP requests (enabled by default).
call-keepalive                          Continue tracking calls with no RTP for this many minutes.
block-ack                               Enable/disable block ACK requests.
block-bye                               Enable/disable block BYE requests.
block-cancel                            Enable/disable block CANCEL requests.
block-info                              Enable/disable block INFO requests.
block-invite                            Enable/disable block INVITE requests.
block-message                           Enable/disable block MESSAGE requests.
block-notify                            Enable/disable block NOTIFY requests.
block-options                           Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
block-prack                             Enable/disable block prack requests.
block-publish                           Enable/disable block PUBLISH requests.
block-refer                             Enable/disable block REFER requests.
block-register                          Enable/disable block REGISTER requests.
block-subscribe                         Enable/disable block SUBSCRIBE requests.
block-update                            Enable/disable block UPDATE requests.
register-contact-trace                  Enable/disable trace original IP/port within the contact header of REGISTER requests.
rfc2543-branch                          Enable/disable support via branch compliant with RFC 2543.
log-violations                          Enable/disable logging of SIP violations.
log-call-summary                        Enable/disable logging of SIP call summary.
nat-trace                               Enable/disable preservation of original IP in SDP i line.
subscribe-rate                          SUBSCRIBE request rate limit (per second, per policy).
message-rate                            MESSAGE request rate limit (per second, per policy).
notify-rate                             NOTIFY request rate limit (per second, per policy).
refer-rate                              REFER request rate limit (per second, per policy).
update-rate                             UPDATE request rate limit (per second, per policy).
options-rate                            OPTIONS request rate limit (per second, per policy).
ack-rate                                ACK request rate limit (per second, per policy).
prack-rate                              PRACK request rate limit (per second, per policy).
info-rate                               INFO request rate limit (per second, per policy).
publish-rate                            PUBLISH request rate limit (per second, per policy).
bye-rate                                BYE request rate limit (per second, per policy).
cancel-rate                             CANCEL request rate limit (per second, per policy).
preserve-override                       Override in line to preserve original IPS (default: append).
no-sdp-fixup                            Enable/disable no SDP fix-up.
contact-fixup                           Fixup contact anyway even if the contact's IP: port does not match the session's IP: port.
max-idle-dialogs                        Maximum number established but idle dialogs to retain (per policy).
block-geo-red-options                   Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
hosted-nat-traversal                    Hosted NAT Traversal (HNT).
hnt-restrict-source-ip                  Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
max-body-length                         Maximum SIP message body length (0 meaning no limit).
unknown-header                          Action for unknown SIP header.
malformed-request-line                  Action for malformed request line.
malformed-header-via                    Action for malformed VIA header.
malformed-header-from                   Action for malformed From header.
malformed-header-to                     Action for malformed To header.
malformed-header-call-id                Action for malformed Call-ID header.
malformed-header-cseq                   Action for malformed CSeq header.
malformed-header-rack                   Action for malformed RAck header.
malformed-header-rseq                   Action for malformed RSeq header.
malformed-header-contact                Action for malformed Contact header.
malformed-header-record-route           Action for malformed Record-Route header.
malformed-header-route                  Action for malformed Route header.
malformed-header-expires                Action for malformed Expires header.
malformed-header-content-type           Action for malformed Content-Type header.
malformed-header-content-length         Action for malformed Content-Length header.
malformed-header-max-forwards           Action for malformed Max-Forwards header.
malformed-header-allow                  Action for malformed Allow header.
malformed-header-p-asserted-identity    Action for malformed P-Asserted-Identity header.
malformed-header-sdp-v                  Action for malformed SDP v line.
malformed-header-sdp-o                  Action for malformed SDP o line.
malformed-header-sdp-s                  Action for malformed SDP s line.
malformed-header-sdp-i                  Action for malformed SDP i line.
malformed-header-sdp-c                  Action for malformed SDP c line.
malformed-header-sdp-b                  Action for malformed SDP b line.
malformed-header-sdp-z                  Action for malformed SDP z line.
malformed-header-sdp-k                  Action for malformed SDP k line.
malformed-header-sdp-a                  Action for malformed SDP a line.
malformed-header-sdp-t                  Action for malformed SDP t line.
malformed-header-sdp-r                  Action for malformed SDP r line.
malformed-header-sdp-m                  Action for malformed SDP m line.
provisional-invite-expiry-time          Expiry time for provisional INVITE (10 - 3600 sec).
ips-rtp                                 Enable/disable allow IPS on RTP.
ssl-mode                                SSL/TLS mode for encryption & decryption of traffic. 
 
Troubleshooting SIP-helper is not so easy, because it is only possible to check if the session expectation is created correctly.

Also, with an SIP session-helper there are not many changes that can be operated for special topologies.

Since the SIP session-helper is not commonly used, this guide will not focus on troubleshooting it.

To verify if the SIP helper was used, check with this command:
             # diag sys sip status (if counters are 0, sip session-helper is not used)
To verify what SIP inspection is applied by FortiGate (sip helper, SIP ALG, ipsengine), refer to: Technical Tip: What SIP inspection is applied by FortiGate
 
Related documents:

 

Related articles: