Troubleshooting Tip: One way Audio issue in VOIP (with SIP ALG)

This article describes how SIP ALG processes VoIP traffic and why one-way audio issues may occur

SIP ALG translates SIP and SDP parameters when the packet is sent to the SIP provider. 

Some SIP providers recommend disabling SIP ALG (and all SIP inspection). Fortinet recommends against it.

If SIP inspection on the FortiGate is disabled, then only the SIP provider can assist with troubleshooting problems with the SIP calls, as FortiGate is no longer responsible for handling such traffic.

Why SIP ALG is required:

Both sides send Connection Information (c=IN) to establish an RTP/Audio session.

If a private IP is sent in the connection information, RTP traffic on the private IP will fail.

When SIP ALG is enabled (default), the Firewall will perform layer 7 Translation on the private IP in the SDP header to a public IP (this is expected and recommended).

The issues arise when the phones or the local PBX are already configured to send the Public IP in c=IN, meaning the firewall translates that IP as well when SIP ALG is enabled.  

In these cases:

• do not configure local PBX with the public IP of the location.

OR

• keep SIP-ALG enabled as recommended but disable SDP translation for SIP traffic in the voip profile (if no custom voip profile is configured, 'default' profile is used).

OR

• disable the SIP ALG to disable all Layer 7 translation. 

Note:

The SIP provider will recommend actions regarding SIP ALG. However, the choice belongs to the customer. 
More details about the implications can be found here: Technical Tip: Disabling VoIP Inspection.

The firewall uses SIP ALG when:

• SIP traffic matches a firewall policy with a VoIP profile applied. SIP ALG is always used, regardless of the default-voip-alg-mode setting in system settings
• Traffic matches a policy without a VoIP profile, but the inspection-mode of the policy is set to proxy-based (FortiOS 7.0+).
• Traffic matches a policy without a VoIP profile, and the default-voip-alg-mode setting in system settings is set to proxy-based (before FortiOS 7.0).

Changing the inspection mode (sip session-helper OR SIP ALG):

config system setting

    set default-voip-alg-mode [proxy-based | kernel-helper-based]

end

Run the following command on FortiGate to verify if the calls are being processed by SIP ALG.

If there is no output, traffic is not processed by SIP ALG.

diag sys sip-proxy call list

sip calls
vdom 0 (root) call 7f27378a0400
    call-id: HaHF1ajUKf
    txn 7f273785b000 (REGISTER)
      cseq 21 dir 0 state 5 status 200 expiry 3509 HA 0
      i_session: 7f273788ac00  r_session: 7f273788ac00
      register: present
      from: sip:1195@10.10.10.156
      to: sip:1195@10.10.10.156
      src: 172.31.196.139:4612
      dst: 10.15.0.2:5060

Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG.

Below are examples of sample packets altered by SIP ALG:

Packet capture on an inside interface:

Frame 44: 863 bytes on wire (6904 bits), 863 bytes captured (6904 bits)
Ethernet II, Src: Cisco_51:93:bf (00:26:0b:XX:93:XX), Dst: Fortinet_50:57:25 (70:4c:a5:XX:57:XX)
Internet Protocol Version 4, Src: 10.15.0.2, Dst: 172.X.X.139
User Datagram Protocol, Src Port: 5060, Dst Port: 25310
Session Initiation Protocol (200)

Status-Line: SIP/2.0 200 OK

Message Header

Message Body

Session Description Protocol

Session Description Protocol Version (v): 0

Owner/Creator, Session Id (o): Mitel-5000-ICP 172382904 1638985328 IN IP4 10.10.10.155

Session Name (s): SIP Call

Connection Information (c): IN IP4 10.10.10.155

Time Description, active time (t): 0 0
Session Attribute (a): sendrecv
Session Attribute (a): rtcp-xr:rcvr-rtt=all:10000 stat-summary=loss,dup,jitt,TTL voip-metrics

Media Description, name and address (m): audio 6080 RTP/AVP 0
Media Attribute (a): rtpmap:0 PCMU/8000/1
Media Attribute (a): ptime:20
Media Attribute (a): rtcp-fb:* trr-int 1000
Media Attribute (a): rtcp-fb:* ccm tmmbr
Media Attribute (a): sendrecv
[Generated Call-ID: NSxUWC5KDe]

Packet capture on an outside interface:

Frame 38: 872 bytes on wire (6976 bits), 872 bytes captured (6976 bits)
Ethernet II, Src: Fortinet_50:57:2c (70:4c:a5:XX:57:XX), Dst: Cisco_08:3e:81 (40:ce:24:XX:3e:XX)
Internet Protocol Version 4, Src: XX.92.XX.156, Dst: 172.X.X.139
User Datagram Protocol, Src Port: 5060, Dst Port: 25310
Session Initiation Protocol (200)

Status-Line: SIP/2.0 200 OK

Message Header

Message Body

Session Description Protocol

Session Description Protocol Version (v): 0
Owner/Creator, Session Id (o): Mitel-5000-ICP 172382904 1638985328 IN IP4 10.11.12.156
Session Name (s): SIP Call
Connection Information (c): IN IP4 XX.92.XX.156 (public IP now)
Time Description, active time (t): 0 0
Session Attribute (a): sendrecv
Session Attribute (a): rtcp-xr:rcvr-rtt=all:10000 stat-summary=loss,dup,jitt,TTL voip-metrics
Media Description, name and address (m): audio 64506 RTP/AVP 0
           

To disable SIP ALG, see this article and consider the implications. Then, run the following configuration on the FortiGate:

FortiWiFi-61E # config sys settings

FortiWiFi-61E (settings) set default-voip-alg-mode kernel-helper-based

FortiWiFi-61E (settings) end

Note:

It is necessary to clear all of the sessions for port 5060 (clearing 5060 session will drop all of the active calls passing through FortiGate).

FortiWiFi-61E # diag sys session filter  clear

FortiWiFi-61E # diag sys session filter dport 5060

FortiWiFi-61E # diag sys session clear

FortiWiFi-61E # diag sys session filter  clear

FortiWiFi-61E # diag sys session filter sport 5060

FortiWiFi-61E # diag sys session clear

To clear the session for source and destination as well: 

di sys session filter cl
di sys session filter src 192.168.x.x
di sys session cl
di sys session filter cl
di sys session filter dst 192.168.x.x
di sys session cl

Make sure to restart the Phone system as well while making these changes.