FortiGate
yzayani, Staff
Article Id 419685
Description This article describes an issue where SIP UDP INVITE packets are dropped when the proxy-based SIP ALG and Hyperscale full-offload are both enabled on NP7 platforms. The drop is caused by the interaction of IPv6 fragmentation with the NP7 MTU-handling logic: fragmented INVITEs are discarded before they reach the kernel.
Scope FortiGate.
Solution

SIP over UDP is dropped only when the proxy-based SIP ALG and Hyperscale full-offload are both enabled. The issue applies to all NP7 platforms.

Summary of the observed behavior: fails with SIP over UDP; works with SIP over TCP; works with SIP over UDP when the ALG is disabled.

The drop occurs at the NP7 level, before the packet reaches the kernel.

 

Relevant configuration on the affected unit (full-offload is the Hyperscale setting):

config system settings
    set policy-offload-level full-offload
    set sip-nat-trace disable
    set gui-advanced-policy enable
end

The proxy-based SIP ALG is the FortiOS default (default-voip-alg-mode proxy-based), so it is active here. In this setup SIP signaling runs over IPv6 while the SDP media line (c=) uses IPv4, and the SDP carries ICE candidates, SDES crypto attributes and rtcp-mux, which makes the INVITE large.

 

Scenario 1: UDP + SIP ALG + Hyperscale -> not working.

INVITE packets seen in the MCC capture (GI_UDP_run4) do not appear in the NP7 capture (Inside_3_SIP_IPv6_UDP_fail). The kernel capture contains no INVITE packets either, which confirms that the drop happens in NP7.

All dropped packets are fragmented INVITEs.

 

Scenario 2: TCP + SIP ALG + Hyperscale -> working.

Debug shows all SIP TCP segments arriving with no reassembly anomalies, and the captured signaling matches end to end, so no packets were lost in transit. TCP segments the INVITE to the MSS rather than relying on IPv6 fragmentation, so the NP7 fragment reassembly path is not exercised.

 

Scenario 3: UDP + SIP ALG disabled + session helper -> working.

With the ALG turned off completely and the kernel SIP session helper used instead, SIP over UDP works correctly.

 

The observed fragmentation behavior is:

  • The SIP INVITE arrives as an IPv6 datagram split into 3 fragments carrying up to 1232 bytes of data each (the most that fits in 1280 bytes together with the IPv6 and Fragment headers).
  • The Path MTU (PMTU) recorded for the flow becomes 1280 bytes, the IPv6 minimum.
  • After Datagram Fragmentation Reassembly (DFR), NP7 no longer has the original PMTU and only remembers 1280.
  • The reassembled packet is 2980 bytes, which exceeds the remembered PMTU, so the NP7 MTU check fails.

 

Root Cause:

  • When the INVITE fragments are reassembled by NP7 Datagram Fragmentation Reassembly (DFR), the original PMTU information is not preserved and the PMTU for the flow defaults to 1280 bytes (IPv6 minimum).
  • The proxy-based SIP ALG installs a trap session in NP7 so that SIP packets are diverted to the kernel for inspection.
  • The reassembled packet exceeds the remembered PMTU, which raises an MTU exception; the FortiOS driver recognizes the trap session and drops the packet instead of forwarding it to the kernel.
  • The same happens when the driver performs the reassembly: it sends the reassembled packet to NP7, the MTU exception occurs, and the driver drops the packet because of the trap-session match.

 

In both paths, the fragmented INVITE is dropped before it reaches the kernel-level SIP ALG logic.

 

Workarounds:

  • Switch SIP handling to the kernel session helper: the session helper bypasses the SIP ALG trap path. The helper still performs SIP NAT and opens RTP pinholes, but the VoIP profile features of the proxy-based ALG (for example SIP message rate limiting and malformed-header checks) no longer apply.

config system settings
    set default-voip-alg-mode kernel-helper-based
end

  • Treat SIP as normal UDP: delete the SIP custom service so the ALG does not engage. The delete is refused while a firewall policy or service group still references the SIP service, so remove those references first. Traffic handled by neither the ALG nor the session helper gets no SIP-aware NAT and no RTP pinholes, so the media ports must then be allowed explicitly by policy.

config firewall service custom
    delete SIP
end

After applying either workaround, verify with a sniffer capture on the FortiGate (diagnose sniffer packet) that the INVITEs now reach the kernel, where they were absent in Scenario 1.

 

Long-term Solution:

Update FortiOS to v7.6.5, which changes the handling as follows:

  • The PMTU is preserved after Datagram Fragmentation Reassembly (DFR).
  • If DFR reassembles a packet that hits the trap session, NP7 forwards it to the driver; the driver matches the FortiOS session and delivers the packet to the kernel.
  • If the driver reassembles the packet, it performs the session lookup immediately and forwards the packet to the kernel directly, so no NP7 MTU exception is raised.

In FortiOS v7.6.5, INVITE fragments are properly reassembled and delivered to the SIP ALG kernel logic.
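The fragmentation arithmetic from the "observed fragmentation behavior" section and the two decision paths (the pre-7.6.5 MTU check on a trap-session packet and the fixed lookup order above) can be exercised offline with the following Python model. It is an added example, not Fortinet code and not part of the article: it builds a constructed IPv6/UDP SIP INVITE whose SDP carries ICE candidates, SDES crypto and rtcp-mux, fragments it per RFC 8200 at the IPv6 minimum PMTU of 1280 bytes, reassembles it, and applies a simplified decision function. The IPv6 addresses, SIP headers, SDP contents and the np7_decision() helper are illustrative assumptions; only the fragmenter and reassembler follow a published specification (RFC 8200).

```python
"""Added example (not Fortinet code): IPv6 fragmentation of a SIP INVITE and a model of the NP7 PMTU check."""
import ipaddress
import struct
IPV6_MIN_PMTU, IPV6_HDR, FRAG_HDR, NH_UDP, NH_FRAGMENT = 1280, 40, 8, 17, 44
SRC = ipaddress.IPv6Address("2001:db8:20::7").packed  # constructed phone address
DST = ipaddress.IPv6Address("2001:db8:10::5").packed  # constructed proxy address


def media_section(media, port, payloads, rtpmaps):
    """One SDP m= section with rtcp-mux, SDES crypto and host/srflx/relay ICE candidates."""
    lines = [f"m={media} {port} RTP/SAVP {payloads}", *rtpmaps, f"a=mid:{media}", "a=sendrecv",
             "a=rtcp-mux", "a=setup:actpass",  # SDES keys below are constructed placeholders
             "a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:" + "A" * 60,
             "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + "B" * 40,
             "a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:" + "C" * 40]
    for comp in (1, 2):  # RTP and RTCP components
        for kind, prio, addr in (("host", 2130706431, "198.51.100.7"),
                                 ("srflx", 1694498815, "203.0.113.42"),
                                 ("relay", 16777215, "203.0.113.99")):
            line = f"a=candidate:{media}{comp}{kind} {comp} udp {prio} {addr} {port + comp} typ {kind}"
            lines.append(line if kind == "host" else line + f" raddr 198.51.100.7 rport {port}")
    return lines


def build_invite():
    """Constructed INVITE: IPv6 signaling, IPv4 media line, ICE/crypto/rtcp-mux, as in the article."""
    sdp = "\r\n".join([
        "v=0", "o=alice 2890844526 2890844527 IN IP4 198.51.100.7", "s=-", "c=IN IP4 198.51.100.7",
        "t=0 0", "a=group:BUNDLE audio video", "a=ice-ufrag:8hhY", "a=ice-pwd:asd88fgpdd777uzjYhagZg",
        "a=fingerprint:sha-256 " + ":".join(f"{b:02X}" for b in range(32)),
        *media_section("audio", 49170, "0 8 9 101", ["a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000",
                       "a=rtpmap:9 G722/8000", "a=rtpmap:101 telephone-event/8000", "a=fmtp:101 0-16"]),
        *media_section("video", 51372, "96 97", ["a=rtpmap:96 H264/90000", "a=rtpmap:97 VP8/90000",
                       "a=fmtp:96 profile-level-id=42e01f;packetization-mode=1"])]) + "\r\n"
    headers = "\r\n".join([
        "INVITE sip:+15551234567@[2001:db8:10::5]:5060 SIP/2.0",
        "Via: SIP/2.0/UDP [2001:db8:20::7]:5060;branch=z9hG4bK-4f1c9d2e;rport", "Max-Forwards: 70",
        'From: "Alice" <sip:alice@[2001:db8:20::7]>;tag=7a3f1c', "To: <sip:+15551234567@[2001:db8:10::5]>",
        "Call-ID: 3b2c1e8a-6d4f-4e1b-9a7c-2f5d8e1b4c6a", "CSeq: 1 INVITE",
        "Contact: <sip:alice@[2001:db8:20::7]:5060;transport=udp>", "Supported: replaces, timer, 100rel",
        "Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, PRACK, UPDATE, REFER, NOTIFY, INFO",
        "Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]) + "\r\n\r\n"
    return (headers + sdp).encode()


def ipv6_header(payload_len, next_header):
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, SRC, DST)


def build_packet(sip):
    """IPv6 + UDP/5060 around the INVITE (UDP checksum left zero; not relevant to fragmentation)."""
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(sip), 0) + sip
    return ipv6_header(len(udp), NH_UDP) + udp


def ipv6_fragment(packet, pmtu, ident=0x5AB3C0DE):
    """RFC 8200: the 40-byte header is the unfragmentable part; every fragment fits in pmtu and all
    but the last carry a multiple of 8 data bytes (1232 for pmtu 1280, as in the article)."""
    fragmentable, max_data = packet[IPV6_HDR:], (pmtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    frags = []
    for off in range(0, len(fragmentable), max_data):
        chunk = fragmentable[off:off + max_data]
        more = int(off + len(chunk) < len(fragmentable))
        frag_hdr = struct.pack("!BBHI", packet[6], 0, off | more, ident)  # off is a multiple of 8
        frags.append(ipv6_header(FRAG_HDR + len(chunk), NH_FRAGMENT) + frag_hdr + chunk)
    return frags


def ipv6_reassemble(frags):
    """Rebuild the original packet; raises on a missing, overlapping or mismatched fragment."""
    pieces, total, next_header, ident = {}, None, None, None
    for f in frags:
        nh, _, off_m, fid = struct.unpack("!BBHI", f[IPV6_HDR:IPV6_HDR + FRAG_HDR])
        if f[6] != NH_FRAGMENT or (ident is not None and fid != ident):
            raise ValueError("not a fragment of the same datagram")
        ident, next_header, data = fid, nh, f[IPV6_HDR + FRAG_HDR:]
        pieces[off_m & 0xFFF8] = data
        if not off_m & 1:  # M flag clear: the last fragment fixes the total length
            total = (off_m & 0xFFF8) + len(data)
    buf = bytearray()
    for off in sorted(pieces):
        if off != len(buf):
            raise ValueError("gap or overlap in fragments")
        buf += pieces[off]
    if total is None or len(buf) != total:
        raise ValueError("incomplete datagram")
    return ipv6_header(len(buf), next_header) + bytes(buf)


def np7_decision(reassembled_len, flow_pmtu, fixed):
    """Model (an assumption, not Fortinet driver code) for a reassembled packet matching the SIP ALG
    trap session: before the fix its length is checked against the PMTU remembered for the flow (1280
    after DFR) and the MTU exception becomes a drop; with the fixed order the trap session comes first."""
    if not fixed and reassembled_len > flow_pmtu:
        return "drop"
    return "kernel"


def scenario(fixed):
    """Fragment, reassemble and decide for the constructed INVITE; returns the values worth checking."""
    pkt = build_packet(build_invite())
    frags = ipv6_fragment(pkt, IPV6_MIN_PMTU)
    reassembled = ipv6_reassemble(frags)
    return {"packet_len": len(pkt), "fragment_lens": [len(f) for f in frags],
            "reassembled_ok": reassembled == pkt,
            "decision": np7_decision(len(reassembled), IPV6_MIN_PMTU, fixed)}


if __name__ == "__main__":
    print(scenario(False), scenario(True), sep="\n")
```

Running the block prints, for both orders, the fragment lengths (two full 1280-byte fragments and a shorter tail), whether reassembly reproduced the original datagram, and the decision: "drop" on the pre-7.6.5 path and "kernel" with the fixed order. A datagram that fits in 1280 bytes passes even on the old path, which is consistent with the observation that only fragmented INVITEs were lost while small SIP messages and the TCP variant kept working.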