Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hector_Miranda
New Contributor

IP SoftPhone via IPSec VPN

Hello,
I am the networks administrator in a medium-sized company in Chile. We have a core of Cisco switches, a wired network and a wireless network, in addition to two Fortinet FortiGate 100E firewalls (FortiOS version v6.0.5 build0268 (GA)) and two dedicated Internet links.
We have an Alcatel-Lucent OmniPCX PBX, with software version 3EH30556DFAA ONECL030/058.001
Until a few months ago we had four Call Center operators working within the LAN, using the IPSoftPhone v12.1.1.0 software configured in HTTPS+TFTP mode for connection to the PBX.
Now, the company has decided that those four Call Center operators work remotely from their homes. For that, connectivity via VPN was defined in an IPSec tunnel through the FortiGate firewalls. With this, the remote users can connect to the LAN via VPN, but the IPSoftPhone is not able to complete the registration in the PBX. When running the application, it tries several times to register but finally aborts due to timeout.
I made a capture of the traffic with Wireshark and verified that there are repeated attempts by the PBX to send three files via TFTP, but they fail to reach their destination.

We have two policies defined, one for ingress and one for egress traffic and have tried with NAT enabled and with NAT disabled. No success.
Any help or advice you can give me to get to the solution of this problem will be welcome.

Hector

4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hola Hector,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Hector_Miranda
New Contributor

I will be tremendously grateful...

Debbie_FTNT

Hey Hector,

 

from your description, it sounds a bit as if the FortiGate IPSec may be interfering - perhaps there are fragmentation issues or something of the sort?

I would suggest the following:

 

- take a packet capture at both ends of the tunnel and compare what goes into the tunnel vs what comes out of it; is there any packet loss?

- on the FortiGate, you can check if disabling the SIP session helper helps; it might interfere unexpectedly

-> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-VoIP-Inspection/ta-p/194131

If you don't notice any obvious traffic issues, and testing various configuration with the SIP ALG/Session helper does not resolve your issue, I would suggest opening a ticket with Fortinet Technical Support for some more in-depth troubleshooting, in particular to verify if the issue is caused by FortiGate/IPSec tunnel or if something else is going on.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
MissEverly
New Contributor

Have you checked if the necessary ports for TFTP are allowed through the IPSec tunnel and firewalls? It's worth verifying the firewall rules and ensuring that TFTP traffic is permitted between the remote users and the PBX. Also, double-check the PBX's TFTP server settings and ensure they align with the remote users' configuration. If the issue persists, contacting Alcatel-Lucent support or consulting with a network specialist might provide further insights. Or you should try using a white label softphone and see how it works. Best of luck in resolving the problem!

Top Kudoed Authors