FortiNovice
New Contributor

FortiGate 81F and Yealink VoIP phones random SIP registration issues

We have a Fortigate 81F, with FortiOS 6.4.8, newly installed; currently the configuration is fairly loose, for troubleshooting issues.

We have Yealink T4x phones, connecting to SkySwitch, our cloud provider. For reference, here are their requirements.

https://docs.skyswitch.com/en/articles/37-ip-addresses-ports

 

We are having sporadic, highly random processes where individual phones will fail to register. I have created a policy allowing traffic on these ports (all services for now) out of our internal LAN (currently, the phones are on the primary LAN with no VLANs). I have also made the following changes:

 

  • Ensured DNS filter and IPS were disabled (this seemed to cause issues)
  • Deleted the SIP Helper
  • Set SIP-ALG to kernel-helper-based instead of proxy-based
  • Set sip-helper disable
  • Set sip-nat-trace disable
  • Disabled RTP in the VoIP profile

This has lessened the issue, but has not resolved the issue.  Oddly enough, resetting one of the Yealink phones to factory will fix its registration issues for a time, but they can come back.  I contacted Fortinet support, and they demonstrated the traffic appears to get through, but I have not had this issue until we switched from an Untangle U150 firewall to the Fortigate, and I don't know where else to point.

 

I have several packet captures of phones booting up that I could supply on request.  If anyone could provide suggestions or assist, I'd greatly appreciate it.

 

 

2 REPLIES
Toshi_Esumi
Esteemed Contributor II

The usual suspect for this kind of symptom is SIP session helper or ALG. But you already disabled both. Then I would try capturing packets at the outbound interface when a phone goes off-line. The phones and the server must be exchanging packets periodically to confirm they're still there, or changed IP or moved the location. Something must go wrong when they get unregistered.

I think that's the start to troubleshoot.

 

Toshi

Vando_Pereira

Hello,

 

In case you are using a PPP interface, do a packet capture and see if the TLS server hello length is bigger than the FortiGate MTU.

 

I had a case where the server was sending the server hello with 1506 length, and the FortiGate had only 1500 MTU.

 

So just do:

config firewall policy
    edit <policy id>
        set tcp-mss-sender <mss value>
        set tcp-mss-receiver <mss value>
end
 
This should work.
 
Best regards,
Vando Pereira

 

As you think, so shall you become.