Certain VoIP implementations do not require FortiGate's built-in SIP session helper. In non-VDOM mode, the helper can be disabled by deleting it from the firewall's session-helper list. In multi-VDOM mode, if some VDOMs still need the session helper, it cannot be removed from the global configuration; instead, a custom firewall service can be used to disable the SIP helper per VDOM.
However, even after following those steps, SIP traffic may still encounter intermittent connectivity issues if existing SIP sessions are not cleared from the firewall after the SIP helper has been disabled or removed. Sessions created while the helper was active keep their helper binding until they expire or are cleared.
Example:
SIP device 172.16.1.240----LAN Network----(VIP)FortiGate(WAN 192.168.10.10)-----ISP------SIP Server 172.16.10.10
- VIP external IP 192.168.10.10, VIP internal IP 172.16.1.240, and source NAT on the VIP is enabled
- Policy 10 is LAN-to-WAN and Policy 11 is WAN-to-LAN
In the following session output, even though the SIP session helper has been disabled, the session is still using it. As a result, the session shows an incorrect policy_id, and the helper binding also interferes with the DNAT processing of this SIP traffic.
If the session info contains 'helper=sip', the session helper is in use. policy_dir=1 indicates traffic in the original direction and policy_dir=0 traffic in the reply direction.
session info: proto=17 proto_state=00 duration=1726 expire=1797 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=1 tunnel=/ helper=sip vlan_cos=3/255 <----- Session helper is used.
state=log intree
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=250->168/245->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=noop 172.16.10.10:5060->192.168.10.10:17128(0.0.0.0:0)
hook=pre dir=reply act=noop 192.18.10.10:17128->172.16.10.10:5060(0.0.0.0:0)
misc=0 policy_id=10 pol_uuid_idx=23613 auth_info=0 chk_client_info=0 vd=3
serial=1474ecb8 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason: disabled-by-polic
The SIP session above is failing and is still bound to the helper because an older session, created before the helper was disabled or removed, was never cleared. That older session also creates an expectation session.
Expectation sessions can be listed with the 'diagnose sys session list expectations' command. Because of the stale binding, the session above matches policy ID 10 instead of the intended policy ID 11. The following is the original session that was not cleared:
session info: proto=17 proto_state=01 duration=8291155 expire=3609 timeout=3610 flags=00000000 socktype=0 sockport=0 av_idx=0 use=134
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/1
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=4152377/4622/1 reply=2746792/4622/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=245->250/250->245 gwy=204.14.15.222/192.168.214.74
hook=post dir=org act=snat 172.16.1.240:5080->172.16.10.10:5060(192.168.10.10:65497)
hook=pre dir=reply act=dnat 172.16.10.10:5060->192.168.10.10:65497(172.16.1.240:5080)
src_mac=00:a2:89:b3:52:44 dst_mac=00:c8:8b:58:bf:40
misc=0 policy_id=10 pol_uuid_idx=23613 auth_info=0 chk_client_info=0 vd=3
serial=1474ecb8 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason: disabled-by-policy
total session 1
After all sessions for port 5060 are cleared, the SIP helper is no longer utilized, and the traffic begins to match the correct policy.
session info: proto=17 proto_state=00 duration=1 expire=178 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=3/255 <----- No helper is used.
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=779/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 477/3 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=250->245/245->250 gwy=192.168.214.74/0.0.0.0
hook=pre dir=org act=dnat 172.16.10.10:5060->192.168.10.10:17128(192.168.10.10:17128)
hook=post dir=reply act=snat 172.16.1.240:17128->172.16.10.10:5060(192.168.10.10:17128)
src_mac=00:c8:8b:58:bf:40 dst_mac=00:a2:89:b3:52:44
misc=0 policy_id=11 pol_uuid_idx=23570 auth_info=0 chk_client_info=0 vd=3
serial=dad5136c tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason: disabled-by-policy
The following commands can be used to clear the SIP sessions:
Sessions where 5060 is the source port:
diagnose sys session filter clear
diagnose sys session filter vd <vdom index>    <----- Optional; only required in multi-VDOM mode
diagnose sys session filter sport 5060
diagnose sys session list                      <----- Review the matching sessions before clearing them
diagnose sys session clear

Sessions where 5060 is the destination port:
diagnose sys session filter clear
diagnose sys session filter vd <vdom index>    <----- Optional; only required in multi-VDOM mode
diagnose sys session filter dport 5060
diagnose sys session list
diagnose sys session clear
diagnose sys session filter clear
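Checking a long session table by eye for 'helper=sip' is error-prone, so the following Python script is an added example (not part of the Fortinet article) that parses the text of 'diagnose sys session list', reports every session still bound to a helper together with its policy_id and serial, and tells whether port 5060 sits on the source or destination side of the original direction, which decides whether the sport or dport filter above will match it. The sample output embedded in the script is constructed and modelled on the session dumps above; the function names are this example's own.

```python
"""Find FortiGate sessions still bound to a session helper (added example).

Feed it the text of `diagnose sys session list`; it returns one record per
session and flags those with `helper=<name>`, which are stale once the helper
has been disabled or removed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the article's output: one session still bound
# to the SIP helper (policy_id=10) and one clean session matching policy_id=11.
SAMPLE_OUTPUT = """\
session info: proto=17 proto_state=01 duration=8291155 expire=3609 timeout=3610 flags=00000000 socktype=0 sockport=0 av_idx=0 use=134
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/1
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=4152377/4622/1 reply=2746792/4622/1 tuples=2
hook=post dir=org act=snat 172.16.1.240:5080->172.16.10.10:5060(192.168.10.10:65497)
hook=pre dir=reply act=dnat 172.16.10.10:5060->192.168.10.10:65497(172.16.1.240:5080)
misc=0 policy_id=10 pol_uuid_idx=23613 auth_info=0 chk_client_info=0 vd=3 serial=1474ecb8 tos=ff/ff
session info: proto=17 proto_state=00 duration=1 expire=178 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=3/255
state=log may_dirty f00
hook=pre dir=org act=dnat 172.16.10.10:5060->192.168.10.10:17128(192.168.10.10:17128)
hook=post dir=reply act=snat 172.16.1.240:17128->172.16.10.10:5060(192.168.10.10:17128)
misc=0 policy_id=11 pol_uuid_idx=23570 auth_info=0 chk_client_info=0 vd=3 serial=dad5136c tos=ff/ff
total session 2
"""

SIP_PORT = 5060
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value tokens anywhere in the session text
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat>[\d.]+):(?P<nport>\d+)\)"
)


def sip_filter_key(org_hook: Optional[Dict[str, str]]) -> Optional[str]:
    """Which `diagnose sys session filter` keyword (sport/dport) matches port 5060
    in this session's original direction, or None if 5060 is not involved."""
    if org_hook is None:
        return None
    if int(org_hook["sport"]) == SIP_PORT:
        return "sport"
    if int(org_hook["dport"]) == SIP_PORT:
        return "dport"
    return None


def parse_sessions(output: str) -> List[Dict[str, object]]:
    """Split `diagnose sys session list` text into one record per session."""
    sessions: List[Dict[str, object]] = []
    for chunk in output.split("session info:")[1:]:
        body = chunk.split("total session")[0]  # drop the trailing summary line
        fields: Dict[str, str] = {}
        for key, value in KV_RE.findall(body):
            fields.setdefault(key, value)  # first occurrence of each key wins
        hooks = [m.groupdict() for m in HOOK_RE.finditer(body)]
        org_hook = next((h for h in hooks if h["dir"] == "org"), None)
        sessions.append({
            "serial": fields.get("serial"),
            "vd": int(fields["vd"]) if "vd" in fields else None,
            "policy_id": int(fields["policy_id"]) if "policy_id" in fields else None,
            "policy_dir": fields.get("policy_dir"),
            "helper": fields.get("helper"),  # None when no session helper is attached
            "sip_filter": sip_filter_key(org_hook),
            "hooks": hooks,
        })
    return sessions


def find_helper_sessions(output: str, helper: str = "sip") -> List[Dict[str, object]]:
    """Sessions still bound to `helper`; after the helper is disabled these are stale."""
    return [s for s in parse_sessions(output) if s["helper"] == helper]


if __name__ == "__main__":
    for s in find_helper_sessions(SAMPLE_OUTPUT):
        print(f"stale helper session serial={s['serial']} vd={s['vd']} "
              f"policy_id={s['policy_id']} filter with: {s['sip_filter']} {SIP_PORT}")
```

Run it against a saved copy of the session list after disabling the helper; any session it reports has kept the old helper binding and will keep hitting the wrong policy until it expires or is cleared, and the filter keyword it prints says which of the two clearing sequences above applies to that session.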
Related articles:
Technical Tip: Disabling VoIP Inspection
Technical Tip: Session helpers and expectation sessions