ACARIMO
Staff
Article Id 346263
Description

 

This article describes how to successfully establish a VoWIFI call (WIFI Calling Service).

 

Scope

 

FortiGate.

 

Solution

 

For a mobile phone to use VoWIFI (the mobile operator's WIFI Calling Service), steps 1 to 3 must all complete successfully:

 

Step 1: 

The mobile phone sends (via WIFI) a DNS query to find the IP address of the WIFI Calling endpoint with which it will establish the IPSec tunnel to its Mobile Network Operator (MNO):

 

Internet Protocol Version 4, Src: 192.168.20.127, Dst: 8.8.8.8

User Datagram Protocol, Src Port: 43701 (43701), Dst Port: domain (53)

Queries

epdg.epc.mnc004.mcc420.pub.3gppnetwork.org: type A, class IN

Name: epdg.epc.mnc004.mcc420.pub.3gppnetwork.org

[Name Length: 42]

[Label Count: 7]

Type: A (Host Address) (1)

Class: IN (0x0001)

 

Step 2:

The mobile phone receives the DNS response containing the IP address(es) of the WIFI Calling endpoint to use for tunnel establishment:

 

Internet Protocol Version 4, Src: 8.8.8.8, Dst: 192.168.20.127

User Datagram Protocol, Src Port: domain (53), Dst Port: 43701 (43701)

Answers

epdg.epc.mnc004.mcc420.pub.3gppnetwork.org: type A, class IN, addr xx.xx.52.42

epdg.epc.mnc004.mcc420.pub.3gppnetwork.org: type A, class IN, addr xx.xy.152.16

epdg.epc.mnc004.mcc420.pub.3gppnetwork.org: type A, class IN, addr xx.xz.53.26

 

To correlate the DNS request with a particular MNO, access the International HLR (Mobile Validation) Check:

 

Continent  Country                    MNO                               MCC  MNC
Asia       Saudi Arabia (Kingdom of)  STC (Saudi Telecom Company)       420  01
Asia       Saudi Arabia (Kingdom of)  Mobily (Etihad Etisalat Company)  420  03
Asia       Saudi Arabia (Kingdom of)  Zain SA (MTC Saudi Arabia)        420  04    <== mnc004.mcc420
Asia       Saudi Arabia (Kingdom of)  Virgin Mobile KSA (STC MVNO)      420  05
Asia       Saudi Arabia (Kingdom of)  Lebara Mobile KSA (Mobily MVNO)   420  06
Asia       Saudi Arabia (Kingdom of)  Unknown                           420  966

 

Step 3:

The mobile phone establishes an IPSec tunnel with the MNO for the WIFI Calling Service, and the phone displays the service as active once the tunnel is connected. In this example, the mobile phone tries to establish the IPSec tunnel but receives no response from the MNO, which is why this mobile user is unable to use the WIFI Calling Service:

 

No.    Time   Source         Sport Destination Dport Protocol Info

401 75.000000 192.168.20.127 33570 xx.xz.53.26 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

402 76.000000 192.168.20.127 33570 xx.xz.53.26 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

408 78.000000 192.168.20.127 33570 xx.xz.53.26 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

433 82.000000 192.168.20.127 33570 xx.xz.53.26 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

434 85.000000 192.168.20.127 38879 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

436 86.000000 192.168.20.127 38879 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

437 88.000000 192.168.20.127 38879 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

439 92.000000 192.168.20.127 38879 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

558 132.000000 192.168.20.127 50604 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

583 132.000000 192.168.20.127 50604 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

634 134.000000 192.168.20.127 50604 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

635 138.000000 192.168.20.127 50604 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

636 142.000000 192.168.20.127 36869 xx.xy.152.16 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

638 143.000000 192.168.20.127 36869 xx.xy.152.16 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

642 145.000000 192.168.20.127 36869 xx.xy.152.16 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request

 

In this example, further analysis revealed that the IPSec response traffic from the MNO was being dropped by the user's ISP router. Once that traffic was allowed on the ISP router, the user was able to establish the IPSec tunnel with the MNO and successfully use the VoWIFI service.
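
As an added example (not part of the original article and not Fortinet code), the following Python extracts the MCC/MNC from the ePDG name queried in step 1 and counts, per ePDG address, the IKE_SA_INIT requests and responses in an exported packet list, showing which endpoints never answered as in step 3. The function names and the assumed column order of the exported rows (No., Time, Source, Sport, Destination, Dport, Protocol, Info) are assumptions based on the capture above.

```python
import re
from collections import defaultdict

# ePDG FQDN layout as shown in the DNS query; the MNC is zero-padded to three digits.
EPDG_RE = re.compile(r"^epdg\.epc\.mnc(\d{3})\.mcc(\d{3})\.pub\.3gppnetwork\.org\.?$", re.I)

# Packet-list rows taken from the capture in this article (addresses masked as on the page).
SAMPLE = """\
401 75.000000 192.168.20.127 33570 xx.xz.53.26 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request
402 76.000000 192.168.20.127 33570 xx.xz.53.26 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request
434 85.000000 192.168.20.127 38879 xx.xx.52.42 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request
636 142.000000 192.168.20.127 36869 xx.xy.152.16 500 ISAKMP IKE_SA_INIT MID=00 Initiator Request
""".splitlines()

def parse_epdg_fqdn(name):
    """Return (mcc, mnc) as strings, or None if the name is not an ePDG FQDN."""
    m = EPDG_RE.match(name.strip())
    return (m.group(2), m.group(1)) if m else None

def ike_init_stats(rows, client_ip):
    """Per ePDG address, count IKE_SA_INIT requests sent and responses received."""
    stats = defaultdict(lambda: {"requests": 0, "responses": 0})
    for row in rows:
        f = row.split()
        # Assumed columns: No. Time Source Sport Destination Dport Protocol Info...
        if len(f) < 8 or f[6] != "ISAKMP" or f[7] != "IKE_SA_INIT":
            continue
        src, dst, info = f[2], f[4], " ".join(f[8:])
        if src == client_ip and info.endswith("Initiator Request"):
            stats[dst]["requests"] += 1
        elif dst == client_ip and info.endswith("Responder Response"):
            stats[src]["responses"] += 1
    return dict(stats)

def silent_peers(stats):
    """ePDG addresses that were sent requests but never answered."""
    return sorted(p for p, s in stats.items() if s["requests"] and not s["responses"])

if __name__ == "__main__":
    print(parse_epdg_fqdn("epdg.epc.mnc004.mcc420.pub.3gppnetwork.org"))
    stats = ike_init_stats(SAMPLE, "192.168.20.127")
    for peer in silent_peers(stats):
        print(f"{peer}: {stats[peer]['requests']} IKE_SA_INIT request(s), no response")
```

When every ePDG address returned by DNS appears in the silent list, the drop is most likely on the return path between the MNO and the client, as was the case with the ISP router here.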

 

Related documents:

Technical Tip: VoIP and SIP configuration and troubleshooting resource lists