| Description |
This article describes how SIP ALG processes VoIP traffic and how it may one-way audio issues. |
| Scope | VoIP with FortiGate. |
| Solution |
SIP ALG translates SIP and SDP parameters when the packet is sent to the SIP provider. Most SIP providers recommend disabling SIP ALG.
Why SIP ALG is required:
Both sides send Connection Information (c=IN) to establish an RTP/Audio session. If a private IP is sent in the connection information, RTP traffic on the private IP will fail.
If SIP ALG is enabled, the Firewall will perform layer 7 Translation to translate the private IP in SDP to a public IP (in this case, SIP ALG is recommended).
An issue arises when phones or the PBX are already configured to send the Public IP in c=IN, meaning the firewall translates that IP as well when SIP ALG is enabled.
In these cases, disable SIP ALG to disable Layer 7 translation.
Note: The SIP provider will confirm whether SIP ALG needs to be enabled or disabled.
The firewall uses SIP ALG when:
- SIP traffic matches a firewall policy with the VoIP profile. SIP ALG is always used, regardless of the default-voip-alg-mode setting. - Traffic does not match a policy with a VoIP profile and VoIP mode is set to proxy-based.
FortiGate uses SIP ALG, depending on the configuration. By default, SIP ALG is enabled ('set default-voip-alg-mode proxy-based').
Setting the VoIP Mode:
# config system setting set default-voip-alg-mode [proxy-based | kernel-helper-based] end
Run the following command on FortiGate to verify if the traffic is being processed by SIP ALG.
If there is no output, traffic is not processed by SIP ALG.
# diag sys sip-proxy call list sip calls
Another way to verify if the traffic is being processed by SIP ALG is to take packet captures for an SIP call on the inside and outside interfaces, then verify the 'Connection Information' in the SDP header of the packet captures (search for SIP/SDP in the protocol field).
Check for the IP and Audio/RTP port. Connection information changing (IP/Port changing) will be visible if the traffic is processed by SIP ALG.
Below are examples of sample packets:
Packet capture on an inside interface:
Frame 44: 863 bytes on wire (6904 bits), 863 bytes captured (6904 bits) Status-Line: SIP/2.0 200 OK Message Header Message Body Session Description Protocol Session Description Protocol Version (v): 0 Owner/Creator, Session Id (o): Mitel-5000-ICP 172382904 1638985328 IN IP4 10.10.10.155 Session Name (s): SIP Call Connection Information (c): IN IP4 10.10.10.155 Time Description, active time (t): 0 0 Media Description, name and address (m): audio 6080 RTP/AVP 0
Packet capture on an outside interface:
Frame 38: 872 bytes on wire (6976 bits), 872 bytes captured (6976 bits) Status-Line: SIP/2.0 200 OK Message Header Message Body Session Description Protocol Session Description Protocol Version (v): 0 To disable SIP ALG, see this article and consider the implications. Then, run the following configuration on the FortiGate:
FortiWiFi-61E # config sys settings FortiWiFi-61E (settings) set default-voip-alg-mode kernel-helper-based FortiWiFi-61E (settings) end
Note: It is necessary to clear all of the sessions for port 5060 (clearing 5060 session will drop all of the active calls passing through FortiGate).
FortiWiFi-61E # diag sys session filter clear FortiWiFi-61E # diag sys session filter dport 5060 FortiWiFi-61E # diag sys session clear
FortiWiFi-61E # diag sys session filter clear FortiWiFi-61E # diag sys session filter sport 5060 FortiWiFi-61E # diag sys session clear |
