Multi-site setup. Main site has an ASA 5506, site b has a 60F, site C has an ASA 5506.
Ever since adding the 60F into the mix we have had problems with internal calling. All sites used to be 5506.
The phone server is at the Main site.
IPSec tunnels are built between all sites.
At Site B regular inbound/outbound calling works and extension calls to the Main site work.
Extension calls at Site B do not work, there is no audio. A user at Site B dials another user at Site B the phone rings but there is no audio either way.
The same problem happens when Site B tries to call a user at Site C, phone rings, no audio.
I tried disabling all SIP inspection on the 60F but that did not help.
Created a basic traffic shaping policy for RTP but that also did not help.
What am I missing?
There's typically two sessions you need allow access for on a VOIP call: the setup and the payload. The setup is typically done using something like SIP (UDP 5060) and the RTP payload is typically UDP high random ports. Are you by any chance only allowing SIP UDP 5060 on your policy and not the other traffic?
It's also odd that calls between phones at Site B do not work. Are they on the same subnet the two phones? If so it's unlikely the firewall is getting in the way there...
Created on 01-25-2023 08:57 AM Edited on 01-27-2023 07:47 AM
One thing you can try is to check if the 60F firewall is blocking the RTP traffic. RTP is the protocol used for carrying audio in VoIP calls. Make sure the 60F firewall is configured to allow RTP traffic between all sites.
Another thing you can check is if the problem is with the phone server. Make sure the phone server is configured correctly and that it can reach all the sites.
It's worth noting that free calls service like freetring.com may be an alternative solution for you as well.
Let me know if you need more help or have any other questions.
Thanks for the input.
The tunnel policies are set to allow all traffic so in theory whether it is SIP or RTP it should be going through. And the LAN to LAN policy is set to allow all as well.
All the phones at site b are on the same subnet but they do have to reach out to the phone server at the main site to complete the call. I confirmed this with a packet capture. When I dial an extension at site b I see packets from the phone I'm using hit the phone server and then packets from the phone server go back to the phone I'm trying to call. When I pick up the call there is no more traffic to see. It's really strange.
I'm currently working with the phone vendor on this as well to see if some call mapping is miss-configured on their end.
Thanks
Josh
Yeah that sounds really strange. Normal for setup traffic to go to the server but RTP should be from phone to phone. Can you do a packet capture at the switchport of the phone at site B and see if it's sending any RTP packets at all?
What method did you use to disable SIP inspection on the 60F and what FOS version are you on?
I'll attempt a packet capture at the port, but based on the original pcap there was no RTP traffic at all.
FOS is latest, 7.2.1. I used the following commands to disable SIP inspection.
config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
Locate SIP entry in session-helper list and remove it
config system session-helper
show
Look for the entry SIP (normally 13) SIP, If found enter the below command
delete 13
end
Next disable processing of the RTP Protocol
config voip profile
edit default
config sip
set rtp disable
end
end
Created on 09-13-2022 02:47 PM Edited on 09-13-2022 02:48 PM
Since you are on 7.2 can you try creating a VOIP profile and assigning this to the policy that takes care of your voice traffic. In the CLI disable SCCP and SIP for the VOIP profile. Not sure if this will help but it might.
Also, can you clarify if the traffic between phones at Site B goes through the firewall. You mention a lan-to-lan policy. How are you ensuring phones are sending traffic to the firewall for local traffic on the same subnet?
https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/858887/voip-solutions
https://docs.fortinet.com/document/fortigate/7.2.1/cli-reference/529620/config-voip-profile
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.