cosentustech
New Contributor

No audio on internal calls

Multi-site setup. Main site has an ASA 5506, Site B has a 60F, Site C has an ASA 5506.

Ever since adding the 60F into the mix we have had problems with internal calling. All sites used to be 5506.

The phone server is at the Main site.

IPSec tunnels are built between all sites.

At Site B regular inbound/outbound calling works and extension calls to the Main site work.

Extension calls at Site B do not work; there is no audio. When a user at Site B dials another user at Site B, the phone rings but there is no audio either way.

The same problem happens when Site B tries to call a user at Site C: the phone rings, no audio.

I tried disabling all SIP inspection on the 60F but that did not help.

Created a basic traffic shaping policy for RTP but that also did not help.

What am I missing?

 

gfleming
Staff

There are typically two sessions you need to allow access for on a VOIP call: the setup and the payload. The setup is typically done using something like SIP (UDP 5060) and the RTP payload is typically UDP high random ports. Are you by any chance only allowing SIP UDP 5060 on your policy and not the other traffic?

 

It's also odd that calls between phones at Site B do not work. Are the two phones on the same subnet? If so it's unlikely the firewall is getting in the way there...

Cheers,
Graham
JamyBalys

One thing you can try is to check if the 60F firewall is blocking the RTP traffic. RTP is the protocol used for carrying audio in VoIP calls. Make sure the 60F firewall is configured to allow RTP traffic between all sites.
Another thing you can check is if the problem is with the phone server. Make sure the phone server is configured correctly and that it can reach all the sites.
It's worth noting that free calls service like freetring.com may be an alternative solution for you as well.
Let me know if you need more help or have any other questions.

cosentustech
New Contributor

 

Thanks for the input.

 

The tunnel policies are set to allow all traffic so in theory whether it is SIP or RTP it should be going through. And the LAN to LAN policy is set to allow all as well.

 

All the phones at Site B are on the same subnet but they do have to reach out to the phone server at the main site to complete the call. I confirmed this with a packet capture. When I dial an extension at Site B I see packets from the phone I'm using hit the phone server and then packets from the phone server go back to the phone I'm trying to call. When I pick up the call there is no more traffic to see. It's really strange.

 

I'm currently working with the phone vendor on this as well to see if some call mapping is misconfigured on their end.

 

Thanks

Josh

gfleming

Yeah that sounds really strange. Normal for setup traffic to go to the server but RTP should be from phone to phone. Can you do a packet capture at the switchport of the phone at site B and see if it's sending any RTP packets at all?

Cheers,
Graham
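
Added example, not part of any post in this thread: the SDP body of the INVITE and of the 200 OK names the address and port each side expects RTP on, so reading it from the SIP capture shows whether audio should flow phone to phone on the LAN or be routed through the firewall and tunnel. The helper names, addresses, ports and the 10.2.0.0/24 Site B subnet are assumptions made up for illustration.

```python
import ipaddress

def sdp_media_endpoints(sip_message):
    """Return [(media, ip, port)] advertised in the SDP body of a SIP message."""
    # The SDP body starts after the first blank line that ends the SIP headers.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_ip, current, endpoints = None, None, []
    for line in body.splitlines():
        if line.startswith("c="):
            # c=IN IP4 <addr>: session default before any m=, per-media override after.
            addr = line.split()[2].split("/")[0]
            if current is None:
                session_ip = addr
            else:
                current[1] = addr
        elif line.startswith("m="):
            # m=<media> <port> <proto> <formats...>
            media, port = line[2:].split()[:2]
            current = [media, session_ip, int(port.split("/")[0])]
            endpoints.append(current)
    return [tuple(e) for e in endpoints]

def rtp_path(offer, answer, lan):
    """Say whether the negotiated audio stays on the LAN or must be routed."""
    net = ipaddress.ip_network(lan)
    ends = [next(e for e in sdp_media_endpoints(m) if e[0] == "audio")
            for m in (offer, answer)]
    on_lan = all(ipaddress.ip_address(ip) in net for _, ip, _ in ends)
    # direct: switched inside the subnet, the firewall never sees it.
    # routed: at least one endpoint is off-LAN, so firewall/tunnel policy applies.
    return ("direct" if on_lan else "routed"), ends

def _sip(start_line, ip, port):
    # Constructed sample message; addresses and ports are made up.
    sdp = (f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\n"
           f"t=0 0\r\nm=audio {port} RTP/AVP 0 8\r\n")
    return f"{start_line}\r\nContent-Type: application/sdp\r\n\r\n{sdp}"

INVITE = _sip("INVITE sip:202@10.1.0.5 SIP/2.0", "10.2.0.21", 16384)
OK_DIRECT = _sip("SIP/2.0 200 OK", "10.2.0.22", 16390)    # callee phone's own address
OK_ANCHORED = _sip("SIP/2.0 200 OK", "10.1.0.5", 20000)   # server relays the media

if __name__ == "__main__":
    for answer in (OK_DIRECT, OK_ANCHORED):
        print(rtp_path(INVITE, answer, "10.2.0.0/24"))
```

A "direct" result with no RTP in the capture points away from the firewall policy; a "routed" result means the media address in the SDP must be reachable through the tunnel.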
gfleming

What method did you use to disable SIP inspection on the 60F and what FOS version are you on?

Cheers,
Graham
cosentustech

I'll attempt a packet capture at the port, but based on the original pcap there was no RTP traffic at all.

FOS is latest, 7.2.1. I used the following commands to disable SIP inspection.

config system settings
    set sip-expectation disable
    set sip-nat-trace disable
    set default-voip-alg-mode kernel-helper-based
end

Locate the SIP entry in the session-helper list and remove it:

config system session-helper
    show

Look for the SIP entry (normally 13). If found, enter the command below:

    delete 13
end

Next, disable processing of the RTP protocol:

config voip profile
    edit default
        config sip
            set rtp disable
        end
end

 

gfleming

Since you are on 7.2, can you try creating a VOIP profile and assigning this to the policy that takes care of your voice traffic? In the CLI disable SCCP and SIP for the VOIP profile. Not sure if this will help but it might.

 

Also, can you clarify if the traffic between phones at Site B goes through the firewall? You mention a lan-to-lan policy. How are you ensuring phones are sending traffic to the firewall for local traffic on the same subnet?

 

https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/858887/voip-solutions

 

https://docs.fortinet.com/document/fortigate/7.2.1/cli-reference/529620/config-voip-profile

Cheers,
Graham