{Forti OS 7.0.2}
One Way Audio, Scratchy Voice and missing voice issues.
Recently provisioned a new 3CX server and installed a new 60F Fortinet onsite for a customer. I set up all the usual forwarding rules and it PASSED the 3CX Firewall checker. At this point the customer was experiencing quite a lot of one-way audio and scratchy voice calls. Almost every forum says to only disable SIP ALG, but it didn’t help. After a week of digging and consulting with other SMEs, I found a solution that worked. I applied it to 3 sites, and all are now operational.
Creating a VIP -
Go to Policy & Objects > Virtual IPs > Create New
Fill out the information accordingly for each port required (note you can specify interface)
Once you’re done, add all the created VIPs to a Group
Create a Service
Go to Policy & Objects > Services and create a new Service and Specify your 3CX Server
Create a VoIP priority shaper
Go to Policy & Objects > Traffic Shapers and create new.
Set Type to Shared.
Set Apply shaper to Per Policy.
Set Traffic Priority to High.
Enable Max Bandwidth and specify your max bandwidth
Enable DSCP with 101110 specified
{DSCP enables a scalable service difference in the IP network without the need for per-flow state and signaling at every hop. Networks can then utilize DSCP shape and tag the traffic to action priority-based queuing. DSCP is a number in the range from decimal value 0 to 63 that is placed into an IP packet to mark it according to the class of traffic it belongs in. The following table defines the relationship between service classes and DSCP markings.}
Then go to Policy & Objects > Traffic Shaping Policy and Create New and apply your Service and Shaper.
(packet capture shows it is applied)
Go to Dashboard > Users and Devices > click on devices and Create firewall device for each phone
Go to Policy & Objects > Firewall Policy Create new, specify your Interfaces & Source, enable NAT and set Preserve Source Port
Now create your VIP policy, specify your interfaces and your VIP group & disable NAT.
Disable SIP ALG
Edit your config to remove session helpers 13, 19 and 20 (find the SIP or MGCP entries)
config system session-helper
delete 13
delete 19
delete 20
end
Then configure System Settings
config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
exit
Clear all sessions or Reboot the device
Ideally you need one to one NAT (IP Pool) but if you have only one Public IP it causes a few other issues. So, leave the configs as is and you should be good.
Now after doing the following, I reduced / removed all scratching and no sound issues on the 3CX on-prem system. I have been running and listening to recordings and no issues.
I don't know if this is an issue for anyone else. Just thought I'd share.
References
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/Inside.htm
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/459043/configuring-differentiated-servic...
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-traffic-shaping-54/TS_Configuration/...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-VIP-range-for-SNAT-and-static-1-to-1...
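Added example (not part of the original post or of Fortinet's documentation): the post deletes session helpers 13, 19 and 20 and says to find the SIP or MGCP entries, so this Python script reads the output of `show system session-helper` and builds the delete commands from the helper names instead of fixed numbers. The sample config is constructed and abridged to the name and port settings, and the function names are hypothetical.

```python
# Constructed, abridged sample in the layout of "show system session-helper" (not from the post).
SAMPLE_CONFIG = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
    next
    edit 13
        set name sip
        set port 5060
    next
    edit 19
        set name mgcp
        set port 2427
    next
    edit 20
        set name mgcp
        set port 2727
    next
end
"""

def parse_session_helpers(text):
    """Return {id: {setting: value}} for the session-helper block only."""
    helpers, current, inside = {}, None, False
    for line in text.splitlines():
        tokens = line.split()
        if tokens == ["config", "system", "session-helper"]:
            inside = True
        elif inside and tokens == ["end"]:
            break  # stop at the end of the block so other config sections are ignored
        elif inside and len(tokens) == 2 and tokens[0] == "edit":
            current = helpers.setdefault(int(tokens[1]), {})
        elif inside and current is not None and len(tokens) >= 3 and tokens[0] == "set":
            current[tokens[1]] = tokens[2].strip('"')
    return helpers

def voip_helper_ids(text, names=("sip", "mgcp")):
    """IDs whose helper name is SIP or MGCP, whatever numbers this unit uses."""
    helpers = parse_session_helpers(text)
    return sorted(i for i, h in helpers.items() if h.get("name") in names)

def delete_commands(text):
    """CLI lines removing exactly the SIP/MGCP helpers found in the config."""
    return (["config system session-helper"]
            + [f"delete {i}" for i in voip_helper_ids(text)] + ["end"])

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE_CONFIG)))
```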
NOTE: This topic shows SIP traffic prioritization through DSCP and traffic shaper! It should apply for voice quality issues only (not for missing voice, incomplete calls, or one-way audio)
This gives a nice example of implementing shapers and DSCP, but is NOT a setup guide or official KB for configuring SIP traffic over FortiGate!
Disabling SIP-ALG and/or deleting SIP session-helper is NOT the first thing to do, and surely not the only thing to take from this article, when voice quality is degraded.
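Added example (not part of the thread): a Python check for the "packet capture shows it is applied" step, showing that DSCP 101110 sits in the top six bits of the IPv4 ToS byte (0xB8) and flagging voice packets that left without it. The packets are constructed samples, the function names are hypothetical, and the UDP range 9000-10999 is an assumed RTP port range that should be replaced with the one configured on your 3CX server.

```python
import struct

EF = 0b101110  # DSCP value set on the shaper in the post (decimal 46)

def build_udp_packet(tos, sport, dport, payload=b"\x80" * 12):
    """Construct a minimal IPv4+UDP packet (sample data, checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + udp

def dscp_of(packet):
    """Return (dscp, ecn, dport) for an IPv4/UDP packet, or None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 17 or len(packet) < ihl + 8:
        return None                        # not UDP, or truncated
    tos = packet[1]
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return tos >> 2, tos & 0x03, dport     # DSCP = top 6 bits, ECN = low 2 bits

def unmarked_voice_packets(packets, ports=range(9000, 11000), expected=EF):
    """Indexes of packets to the RTP port range whose DSCP is not the expected value."""
    bad = []
    for i, pkt in enumerate(packets):
        info = dscp_of(pkt)
        if info and info[2] in ports and info[0] != expected:
            bad.append(i)
    return bad

# Constructed capture: EF-marked RTP, unmarked RTP, EF RTP with an ECN bit set, DNS.
CAPTURE = [
    build_udp_packet(0xB8, 40000, 9000),
    build_udp_packet(0x00, 40002, 9002),
    build_udp_packet(0xB9, 40004, 10998),
    build_udp_packet(0x00, 53000, 53),
]

if __name__ == "__main__":
    print("packets missing DSCP 101110:", unmarked_voice_packets(CAPTURE))
```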
I understand the principle, but explain why the issues disappeared after the changes were made? We have about 35 3CX servers with various clients.
We are using Mikrotiks and phasing out and replacing with Fortinets. Issues only started occurring once the Fortinets were installed. And after the changes were made it stopped occurring?
I'm not saying this is gold or perfect but it works at 13 of the sites where this was rolled out.
I actually thought you know what you have configured and what traffic prioritization means (Traffic shaper / Differentiated Services Code Point). This is why the audio quality improved, and not because of the SIP inspection performed. That is another issue you had, for another discussion.
It is important not to mix the two, because the fix can be easily confused as well (and already happened in reference to this article).
Sweet as, but yes, I thought I would share what I did to resolve our issues. Someone else might help someone else as well.
Do you have a suggestion to "Official KB" for those experiencing the same problems, especially one-way audio or missing audio?
There are none. I did also read up on 3CX forums and found that some of the newer updates on the 3CX system cause issues on the media library. So maybe back up your conf or host 3CX offsite.
But I have deployed my solution to about 18 3cx sites and it solved all my issues.
I appreciate this thread, unfortunately when I did a first run to implement this it did not go well and my phones lost their network connections and I clearly messed something up (I will try again after business hours). Our 3CX is hosted offsite by a 3rd party vendor.
If the 3CX is hosted offsite you might have to do one to one NAT. Do you have more than one Public / Static IP?