Description
This article describes how SIP ALG processes VoIP traffic and why one-way audio issues may occur.
Scope
VoIP with FortiGate.
Solution
SIP ALG translates SIP and SDP parameters when the packet is sent to the SIP provider. Some SIP providers recommend disabling SIP ALG (and all SIP inspection); Fortinet recommends against it. If SIP inspection on the FortiGate is disabled, only the SIP provider can assist with troubleshooting SIP call problems, as the FortiGate no longer handles that traffic.
Why SIP ALG is required: both sides send Connection Information (the c= line, for example c=IN IP4 <address>) to establish the RTP/audio session. If a private IP is sent in the connection information, RTP traffic to that private IP will fail.
When SIP ALG is enabled (the default), the firewall performs a layer 7 translation of the private IP in the SDP c= line to a public IP (this is expected and recommended).
The issues arise when the phones or the local PBX are already configured to send the public IP in c=, in which case the firewall translates that IP again when SIP ALG is enabled.
In these cases:
Or:
Or:
Disabling SDP translation while keeping SIP ALG enabled:
config voip profile
    edit "Disable-SDP"
        config sip
        end
Apply the above settings in a VoIP inspection profile assigned to the policy that uses SIP ALG, so that only the SDP rewrite (the c= and m= lines) is disabled. Note: the SIP provider will recommend actions regarding SIP ALG; however, the choice belongs to the customer.
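As an added illustration (this is not code from the article or from Fortinet), the following Python model shows what the ALG's SDP rewrite does to the c= and m= lines of a 200 OK like the inside-interface capture later in this article, and why rewriting an address that is already public produces the one-way-audio case described above. The firewall public address 203.0.113.10, the PBX public address 198.51.100.7, the allocated RTP port 40000 and the sample SDP body are all constructed assumptions; the sdp_fixup flag stands in for the "disable SDP translation" profile setting and is not the FortiOS option name.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample SDP body, modelled on the inside-interface capture in this
# article: the PBX advertises its private address and RTP port 6080.
SDP_PRIVATE = (
    "v=0\r\n"
    "o=Mitel-5000-ICP 172382904 1638985328 IN IP4 10.10.10.155\r\n"
    "s=SIP Call\r\n"
    "c=IN IP4 10.10.10.155\r\n"
    "t=0 0\r\n"
    "m=audio 6080 RTP/AVP 0\r\n"
)

# Assumed addresses (RFC 5737 documentation ranges, not real deployments).
FIREWALL_PUBLIC_IP = "203.0.113.10"  # FortiGate WAN address the ALG inserts
PBX_PUBLIC_IP = "198.51.100.7"       # address a PBX configured with its own public IP advertises

# Same body, but the PBX has been configured to send its public IP in c= already.
SDP_ALREADY_PUBLIC = SDP_PRIVATE.replace(
    "c=IN IP4 10.10.10.155", f"c=IN IP4 {PBX_PUBLIC_IP}"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sdp(body: str) -> List[Tuple[str, str]]:
    """Split an SDP body into (type, value) pairs, e.g. ("c", "IN IP4 10.10.10.155")."""
    pairs = []
    for raw in body.splitlines():
        key, sep, value = raw.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def connection_address(body: str) -> str:
    """Address from the c= line ("IN IP4 <addr>"), the one RTP is sent to."""
    for key, value in parse_sdp(body):
        if key == "c":
            return value.split()[2]
    raise ValueError("SDP has no c= line")


def media_port(body: str) -> int:
    """RTP port from the m= line ("audio <port> RTP/AVP ...")."""
    for key, value in parse_sdp(body):
        if key == "m":
            return int(value.split()[1])
    raise ValueError("SDP has no m= line")


def is_rfc1918(addr: str) -> bool:
    """Private (RFC 1918) check; the page's 'private IP' case."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def alg_rewrite(body: str, public_ip: str, public_port: int, sdp_fixup: bool = True) -> str:
    """Model of the layer-7 rewrite SIP ALG applies to the c= and m= lines only.

    sdp_fixup=False stands for the profile that keeps SIP ALG but disables
    SDP translation: the body passes through untouched."""
    if not sdp_fixup:
        return body
    out = []
    for key, value in parse_sdp(body):
        if key == "c":
            net_type, addr_type, _old = value.split()[:3]
            value = f"{net_type} {addr_type} {public_ip}"
        elif key == "m":
            parts = value.split()
            parts[1] = str(public_port)
            value = " ".join(parts)
        out.append(f"{key}={value}")
    return "\r\n".join(out) + "\r\n"


def classify(body: str, firewall_public_ip: str, sdp_fixup: bool) -> str:
    """Predict the RTP outcome for a given SDP body and ALG setting.

    translated          private c= rewritten to the firewall's public IP: audio works
    private-leaked      private c= sent to the provider unchanged: RTP to it fails
    double-translation  PBX already sent its public IP and the ALG replaced it with
                        a different address: the provider sends RTP to the wrong host
    passthrough-public  public c= left alone, which is what such a PBX needs
    """
    addr = connection_address(body)
    if is_rfc1918(addr):
        return "translated" if sdp_fixup else "private-leaked"
    if not sdp_fixup:
        return "passthrough-public"
    return "translated" if addr == firewall_public_ip else "double-translation"


if __name__ == "__main__":
    for name, body in (("private c=", SDP_PRIVATE), ("public c=", SDP_ALREADY_PUBLIC)):
        for fixup in (True, False):
            print(f"{name:11} sdp_fixup={fixup!s:5} -> {classify(body, FIREWALL_PUBLIC_IP, fixup)}")
    print(alg_rewrite(SDP_PRIVATE, FIREWALL_PUBLIC_IP, 40000))
```

Running the block prints the four combinations: a private c= needs the rewrite, a PBX that already advertises its own public address needs the rewrite disabled, and the o= line is left alone in either case, matching the note that only the c= and m= lines are affected.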
The firewall uses SIP ALG when:
Changing the inspection mode (SIP session helper or SIP ALG; proxy-based selects SIP ALG, kernel-helper-based selects the session helper):
config system settings
    set default-voip-alg-mode [proxy-based | kernel-helper-based]
end
Run the following command on the FortiGate to verify whether calls are being processed by SIP ALG. If there is no output, the traffic is not being processed by SIP ALG.
diag sys sip-proxy call list
sip calls
Related article: Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG.
Below are examples of sample packets altered by SIP ALG:
Packet capture on an inside interface:
Frame 44: 863 bytes on wire (6904 bits), 863 bytes captured (6904 bits)
Status-Line: SIP/2.0 200 OK
Message Header
Message Body
    Session Description Protocol
        Session Description Protocol Version (v): 0
        Owner/Creator, Session Id (o): Mitel-5000-ICP 172382904 1638985328 IN IP4 10.10.10.155
        Session Name (s): SIP Call
        Connection Information (c): IN IP4 10.10.10.155
        Time Description, active time (t): 0 0
        Media Description, name and address (m): audio 6080 RTP/AVP 0
Packet capture on an outside interface:
Frame 38: 872 bytes on wire (6976 bits), 872 bytes captured (6976 bits)
Status-Line: SIP/2.0 200 OK
Message Header
Message Body
    Session Description Protocol
        Session Description Protocol Version (v): 0

To disable SIP ALG, check this article and consider the implications. Then, run the following configuration on the FortiGate:
FortiWiFi-61E # config sys settings
FortiWiFi-61E (settings) # set default-voip-alg-mode kernel-helper-based
FortiWiFi-61E (settings) # end
Note: it is necessary to clear all of the sessions for port 5060 (clearing the 5060 sessions will drop all active calls passing through the FortiGate).
FortiWiFi-61E # diag sys session filter clear
FortiWiFi-61E # diag sys session filter dport 5060
FortiWiFi-61E # diag sys session clear

FortiWiFi-61E # diag sys session filter clear
FortiWiFi-61E # diag sys session filter sport 5060
FortiWiFi-61E # diag sys session clear
To clear the session for source and destination as well:
di sys session filter cl
Make sure to restart the phone system as well while making these changes.
Copyright 2024 Fortinet, Inc. All Rights Reserved.