mle2802
Staff
Article Id 329819
Description This article describes how to fix the error 'Mapping does not match 5060. Mapping is …' on a 3CX phone server.
Scope FortiGate.
Solution

When testing a phone system, a mapping issue on port 5060 may be encountered with the following message: 'Mapping does not match 5060. Mapping is …'.

Running a debug flow shows that the reply traffic is not SNATed to the same port 5060, but to a random port number instead:

id=65308 trace_id=5 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=17, X.X.X.X:5060->X.X.X.X:5060) tun_id=0.0.0.0 from local. "
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-00000122, original direction"
id=65308 trace_id=5 func=__ip_session_run_tuple line=3392 msg="SNAT X.X.X.X->X.X.X.X:65477"

This happens because an IP pool is configured with the overload option. Changing the pool to the one-to-one type prevents the traffic from being SNATed to a different port:

config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip X.X.X.X
        set endip X.X.X.Y
    next
end

Running a debug flow again shows that the traffic is now SNATed with the same port number:

id=65308 trace_id=6 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=17, X.X.X.X:5060->X.X.X.X:5060) tun_id=0.0.0.0 from local. "
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-00000122, original direction"
id=65308 trace_id=6 func=__ip_session_run_tuple line=3392 msg="SNAT X.X.X.X->X.X.X.X:5060"
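
The before/after comparison above can be automated when a capture contains many traces. The following is an added example, not part of the original article or Fortinet tooling: it pairs each trace's print_pkt_detail line with its SNAT line and reports whether the source port was preserved. The function name and the sample addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the article's debug-flow format (addresses are documentation ranges).
SAMPLE = '''\
id=65308 trace_id=5 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:5060->198.51.100.20:5060) tun_id=0.0.0.0 from local. "
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-00000122, original direction"
id=65308 trace_id=5 func=__ip_session_run_tuple line=3392 msg="SNAT 192.0.2.10->203.0.113.5:65477"
id=65308 trace_id=6 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=17, 192.0.2.10:5060->198.51.100.20:5060) tun_id=0.0.0.0 from local. "
id=65308 trace_id=6 func=__ip_session_run_tuple line=3392 msg="SNAT 192.0.2.10->203.0.113.5:5060"
'''

TRACE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"\s*$')
# [\w.]+ also accepts masked addresses such as X.X.X.X
PKT = re.compile(r'received a packet\(proto=(\d+), ([\w.]+):(\d+)->([\w.]+):(\d+)\)')
SNAT = re.compile(r'SNAT ([\w.]+)->([\w.]+):(\d+)')

def snat_port_changes(text):
    """Return one dict per SNATed trace; 'preserved' is True if the source port was kept."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = TRACE.search(line)
        if not m:
            continue  # blank lines and anything not in trace format
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        if func == "print_pkt_detail" and (p := PKT.search(msg)):
            traces[tid].update(proto=int(p.group(1)), src_port=int(p.group(3)))
        elif func == "__ip_session_run_tuple" and (s := SNAT.search(msg)):
            traces[tid].update(nat_ip=s.group(2), nat_port=int(s.group(3)))
    results = []
    for tid in sorted(traces):
        t = traces[tid]
        if "src_port" in t and "nat_port" in t:  # skip traces without a SNAT line
            results.append({"trace_id": tid, **t,
                            "preserved": t["src_port"] == t["nat_port"]})
    return results

if __name__ == "__main__":
    for r in snat_port_changes(SAMPLE):
        state = "port preserved" if r["preserved"] else "port rewritten (check IP pool type)"
        print(f'trace {r["trace_id"]}: {r["src_port"]} -> {r["nat_ip"]}:{r["nat_port"]}  {state}')
```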