JcvnStdn
New Contributor II

3CX VoIP issues - Resolved...

{Forti OS 7.0.2}

One Way Audio, Scratchy Voice and missing voice issues.

Recently provisioned a new 3CX server and installed a new 60F Fortinet onsite for a customer. I set up all the usual forwarding rules and it PASSED the 3CX Firewall checker. At this point the customer was experiencing quite a lot of one-way audio and scratchy voice calls. Almost every forum says only to disable SIP ALG, but it didn’t help. After a week of digging and consulting with other SMEs, I found a solution that worked. I applied it to 3 sites, and all are now operational.

 

Creating a VIP -

Go to Policy & Objects > Virtual IPs > Create New

Fill out the information accordingly for each port required (note you can specify interface)


 

Once you’re done, add all the created VIPs to a Group -


 

Create a Service

Go to Policy & Objects > Services and create a new Service and Specify your 3CX Server


Create a VoIP priority shaper

Go to Policy & Objects > Traffic Shapers and create new.
Set Type to Shared.
Set Apply shaper to Per Policy.
Set Traffic Priority to High.
Enable Max Bandwidth and specify your max bandwidth.



Enable DSCP with 101110 specified
{DSCP enables a scalable service difference in the IP network without the need for per-flow state and signaling at every hop. Networks can then utilize DSCP to shape and tag the traffic to action priority-based queuing. DSCP is a number in the range from decimal value 0 to 63 that is placed into an IP packet to mark it according to the class of traffic it belongs in. The following table defines the relationship between service classes and DSCP markings.}


 

Then go to Policy & Objects > Traffic Shaping Policy and Create New and apply your Service and Shaper.


 

(packet capture shows it is applied)
Go to Dashboard > Users and Devices > click on devices and Create firewall device for each phone


 

Go to Policy & Objects > Firewall Policy, Create new, specify your Interfaces & Source, enable NAT and set Preserve Source Port.


 

Now create your VIP policy, specify your interfaces and your VIP group & disable NAT.


 

Disable SIP ALG

Edit your config to remove session helpers 13, 19 and 20 (find the SIP or MGCP entries):
config system session-helper
delete 13
delete 19
delete 20
end

Then Config System Settings

config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
exit

Clear all sessions or Reboot the device

Ideally you need one to one NAT (IP Pool) but if you have only one Public IP it causes a few other issues. So, leave the configs as is and you should be good.

Now after doing the following, I reduced / removed all scratching and no sound issues on the 3CX on-prem system. I have been running and listening to recordings and no issues.

 

I don't know if this is an issue for anyone else. Just thought I'd share.


References
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/Inside.htm
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/459043/configuring-differentiated-servic...
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-traffic-shaping-54/TS_Configuration/...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-VIP-range-for-SNAT-and-static-1-to-1...

 

 

 

 

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
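
Added example (not part of the original post, and not Fortinet or 3CX code): the post notes that a packet capture shows the DSCP marking is applied. This Python sketch reads a classic pcap file and lists media flows that are not marked 101110 (EF, decimal 46). The 9000-10999 UDP port range used as the RTP range, the function names and the sample packets are assumptions constructed for the example.

```python
import struct
from collections import Counter

EF = 0b101110  # DSCP 46, the value set on the shaper in the post

def dscp_by_flow(pcap, lo=9000, hi=10999):
    """Count (src, dst, dscp) for IPv4/UDP packets with dest port lo..hi.
    Port range is an assumed RTP range; classic pcap + Ethernet only."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap with Ethernet link type")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag = int.from_bytes(ip[6:8], "big") & 0x1FFF
        if ip[0] >> 4 != 4 or ip[9] != 17 or frag or len(ip) < ihl + 8:
            continue  # not UDP, or a later fragment without a UDP header
        dport = int.from_bytes(ip[ihl + 2:ihl + 4], "big")
        if lo <= dport <= hi:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            seen[(src, dst, ip[1] >> 2)] += 1  # DSCP = top 6 bits of ToS
    return seen

def unmarked(seen):
    """Flows in the media port range that are not marked EF."""
    return sorted(k for k in seen if k[2] != EF)

def _pkt(src, dst, dport, tos):  # builds one constructed capture record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst))
    frame = b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 5000, dport, 8, 0)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: one EF-marked media packet, one unmarked, one non-media.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _pkt((192, 0, 2, 10), (198, 51, 100, 5), 9010, EF << 2)
          + _pkt((192, 0, 2, 11), (198, 51, 100, 5), 9012, 0)
          + _pkt((192, 0, 2, 10), (198, 51, 100, 5), 443, 0))

if __name__ == "__main__":
    print(unmarked(dscp_by_flow(SAMPLE)))
```

Run it against a capture taken on the egress side of the firewall; any flow it lists is leaving without the EF marking.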
AlexC-FTNT
Staff

NOTE: This topic shows SIP traffic prioritization through DSCP and traffic shaper! It should apply for voice quality issues only (not for missing voice, incomplete calls, or one-way audio).

This gives a nice example of implementing shapers and DSCP, but is NOT a setup guide or official KB for configuring SIP traffic over FortiGate!
Disabling SIP-ALG and/or deleting SIP session-helper is NOT the first thing to do, and surely not the only thing to take from this article, when voice quality is degraded.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
JcvnStdn
New Contributor II

I understand the principle, but explain why the issues disappeared after the changes were made? We have about 35 3CX servers with various clients.

 

We are using Mikrotiks and phasing out and replacing with Fortinets. Issues only started occurring once the Fortinets were installed. And after the changes were made it stopped occurring? 

 

I'm not saying this is gold or perfect but it works at 13 of the sites where this was rolled out. 

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
AlexC-FTNT

I actually thought you know what you have configured and what traffic prioritization means (Traffic shaper / Differentiated Services Code Point). This is why the audio quality improved, and not because of the SIP inspection performed. That is another issue you had, for another discussion.
It is important not to mix the two, because the fix can be easily confused as well (and already happened in reference to this article).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
JcvnStdn
New Contributor II

Sweet as, but yes, I thought I would share what I did to resolve our issues. It might help someone else as well.

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
HowellBA

Do you have a suggestion to "Official KB" for those experiencing the same problems, especially one-way audio or missing audio?

JcvnStdn
New Contributor II

There are none. I did also read up on 3CX forums and found that some of the newer updates on the 3CX system cause issues on the media library. So maybe back up your conf or host 3CX offsite.

But I have deployed my solution to about 18 3cx sites and it solved all my issues.

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....
HowellBA

I appreciate this thread. Unfortunately, when I did a first run to implement this it did not go well: my phones lost their network connections and I clearly messed something up (I will try again after business hours). Our 3CX is hosted offsite by a 3rd party vendor.

JcvnStdn
New Contributor II

If the 3CX is hosted offsite you might have to do one to one NAT. Do you have more than one Public / Static IP?

Azure, Fortinet, 365, Aruba, Jamaica, Bermuda, Bahama....