Fortinet Forum
RolandBaumgaertner72

VoIP Packet Loss

Hello,

This is new, like for one week we have had problems with VoIP in our central FG 300D cluster. From other offices with other FGs we didn't get any reports of problems while calling.

First we tried to route the traffic with another route and internet access but we got the same problems. Capturing the connections with Wireshark we didn't see any packet loss, but our provider sent us some packet loss samples where there is like 8% packet loss.

We didn't change anything in the FG policies so we really don't know what can cause the problem. Since we only have it on our central FW, it seems that the problem is there.

Any suggestions?

Thanks!

distillednetwork

You could run a packet capture on the ingress and the egress (internal and external) interfaces of your FG300D and see if you can identify any packet loss on either interface. If it's on both, then the problem is between the VoIP client and the firewall. If you are losing packets on the egress but not the ingress then you may have an issue with packets being dropped in the FortiGate.
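
The ingress/egress comparison suggested above can be automated by counting RTP sequence-number gaps per stream in each capture. This is an added example, not part of the original post; it assumes the UDP payloads have already been extracted from the two captures and that the firewall forwards the RTP header fields (SSRC, sequence number) unchanged. The sample packets are constructed.

```python
import struct

def make_rtp(ssrc, seq):
    """Build a minimal 12-byte RTP v2 header (constructed test data)."""
    return bytes([0x80, 0]) + struct.pack("!HII", seq, 0, ssrc)

def parse_rtp(payload):
    """Return (ssrc, seq) from an RTP v2 header, or None if not RTP."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return None
    seq, _ts, ssrc = struct.unpack("!HII", payload[2:12])
    return ssrc, seq

def extend(seq, highest):
    """Unwrap a 16-bit sequence number relative to the highest seen so far."""
    cand = (highest & ~0xFFFF) | seq
    if cand - highest > 0x8000:
        cand -= 0x10000
    elif highest - cand > 0x8000:
        cand += 0x10000
    return cand

def stream_loss(payloads):
    """Map each SSRC to (expected, received, loss_percent)."""
    seen, highest = {}, {}
    for ssrc, seq in filter(None, map(parse_rtp, payloads)):
        ext = extend(seq, highest.get(ssrc, seq))
        highest[ssrc] = max(ext, highest.get(ssrc, ext))
        seen.setdefault(ssrc, set()).add(ext)  # a set ignores duplicates
    result = {}
    for ssrc, s in seen.items():
        expected = max(s) - min(s) + 1
        result[ssrc] = (expected, len(s), round(100 * (expected - len(s)) / expected, 1))
    return result

def locate_loss(ingress, egress):
    """Compare per-stream loss on the ingress and egress captures."""
    lin, leg = stream_loss(ingress), stream_loss(egress)
    verdict = {}
    for ssrc, (_, _, loss_in) in lin.items():
        loss_out = leg.get(ssrc, (0, 0, 100.0))[2]
        verdict[ssrc] = ("dropped inside firewall" if loss_out > loss_in
                         else "lost before firewall" if loss_in > 0 else "no loss seen")
    return verdict

# Constructed sample: stream 0xA wraps past 65535; stream 0xB loses seq 104 upstream.
SEQ_A = [(65530 + i) & 0xFFFF for i in range(20)]
SEQ_B = [s for s in range(100, 110) if s != 104]
INGRESS = [make_rtp(0xA, s) for s in SEQ_A] + [make_rtp(0xB, s) for s in SEQ_B]
EGRESS = [make_rtp(0xA, s) for s in SEQ_A if s not in (65533, 2)] + [make_rtp(0xB, s) for s in SEQ_B]
```

Loss is measured between the first and last sequence number seen, so packets missing at the very start or end of a capture window are not counted.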

RolandBaumgaertner72

Hi,

thanks... still completely in the dark. We never had problems with these connections and also we don't have issues in the other FG offices.

> checked the interfaces and they are all OK (diag hardware deviceinfo nic portX)

> checked if SIP ALG is on (diag sys sip status) but I don't get why it should affect now.

> we did a packet capture from the host to the FG via the MPLS (we got like 2% packet loss)

> we did a packet capture from the WAN port to the VoIP IP (we did not get packet loss but the provider sent us data with 8% packet loss from his WAN to our public IP).

So we are not sure if the problem is with micro disconnections on the MPLS connection from all small offices to the FG300D cluster.

What else can we try? Disable SIP ALG (can we do it without starting all sessions anew? Could it affect all the telephone traffic?)

Thanks again!

gfleming

SIP ALG will not cause packet loss.

If you are having packet loss even after switching your ISP paths.

If your provider is showing packet loss but you yourself are not seeing any on two different links then the problem exists upstream either at your provider or an intermediary.

Cheers,
Graham
RolandBaumgaertner72

Hey Graham,

VoIP issues are a nightmare. I do the packet captures in the web GUI and it only lets me capture 10.000 packets and we get them in like 1 min, so I really can't say.

The VoIP provider sent us a graph for the last 3 hours and from our WAN IP to them we have like 8% packet loss. Also users are telling us that sometimes in the calls they don't hear the other side for like 2-3 seconds.

FG Support suggested deactivating SIP ALG but I don't know if this brings us forward... also we would have the problem of restarting the FW cluster in a short time because of the sessions, and we just have remote access.

So basically I just see one thing we can do and that is SIP ALG deactivation... or?

Thanks!

gfleming

What is the topology here? What is the path that the VOIP traffic is taking from the phone all the way to the SIP provider? 

Cheers,
Graham
RolandBaumgaertner72

There are 2 scenarios:

A) branches with an FG firewall where the VoIP traffic is routed directly to the VoIP provider >>> NO PROBLEMS

B) smaller branches that have an MPLS connection to the main FG firewall in our data center, incoming traffic via MPLS, and then we route with 2 different Internet accesses... both of them with the same result of 2-8% packet loss. This situation is like 3-4 weeks old; before that we never had any problems and also we didn't change anything on routing, actualizations, policies, etc.

Thanks!

gfleming

The fact this problem occurred without you making any changes means it’s likely not a problem on your FortiGate.

Are you sure your internet links that route to the SIP provider are not overloaded?

Is there any way you can route a test phone from the main site out one of the smaller sites and see how it behaves?

To me it still sounds like the issue exists upstream from your FortiGate: either the WAN links are overloaded or there is an issue routing to/from your SIP provider.

Can you try using the MTR tool and getting output to your SIP provider and see if you see any loss in the hops between you and them?

https://www.bitwizard.nl/mtr

Cheers,
Graham
RolandBaumgaertner72

Hello Graham,

thanks for your information. My updates:

> we left tickets for the MPLS provider to check the MPLS connection and also the 2 WAN interfaces on the FG cluster from the data center. We asked them also to deep check connections, traceroutes, etc.

> we have confirmation from almost all small offices that these problems occur during the same hours each day, always from 11 AM to 1 PM.

> we are still waiting to see if it makes sense to disable SIP ALG on the FG.

Any other ideas? Do you think we should give it a try with the SIP ALG?

Thanks!

distillednetwork

Have you looked at any traffic patterns or system utilization for that time frame? Maybe you could create traffic shaping policies to prioritize and guarantee the VoIP traffic.