There are typically two sessions you need to allow access for on a VoIP call: the setup and the payload. The setup is typically done using something like SIP (UDP 5060), and the RTP payload is typically carried on high random UDP ports. Are you by any chance only allowing SIP UDP 5060 on your policy and not the other traffic?
It's also odd that calls between phones at Site B do not work. Are the two phones on the same subnet? If so, it's unlikely the firewall is getting in the way there...
One thing you can try is to check if the 60F firewall is blocking the RTP traffic. RTP is the protocol used for carrying audio in VoIP calls. Make sure the 60F firewall is configured to allow RTP traffic between all sites. Another thing you can check is if the problem is with the phone server. Make sure the phone server is configured correctly and that it can reach all the sites. It's worth noting that free call services like freetring.com may be an alternative solution for you as well. Let me know if you need more help or have any other questions.
The tunnel policies are set to allow all traffic, so in theory, whether it is SIP or RTP, it should be going through. And the LAN-to-LAN policy is set to allow all as well.
All the phones at Site B are on the same subnet, but they do have to reach out to the phone server at the main site to complete the call. I confirmed this with a packet capture. When I dial an extension at Site B, I see packets from the phone I'm using hit the phone server, and then packets from the phone server go back to the phone I'm trying to call. When I pick up the call, there is no more traffic to see. It's really strange.
I'm currently working with the phone vendor on this as well to see if some call mapping is misconfigured on their end.
Yeah, that sounds really strange. It's normal for setup traffic to go to the server, but RTP should be from phone to phone. Can you do a packet capture at the switchport of the phone at Site B and see if it's sending any RTP packets at all?
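If a capture at the switchport isn't practical, the same question (is the phone emitting anything besides SIP once the call is answered, and does the FortiGate pass it?) can be answered on the 60F itself. The commands below are an added example, not something posted in this thread or by Fortinet; `port1` is an assumed interface name for the Site B LAN side, and 192.0.2.10 / 192.0.2.20 are constructed addresses for the calling and called phones.

```fortios
# 1. Show every non-SIP UDP packet the calling phone sends or receives as seen by the firewall.
#    Verbosity 4 prints the interface name with each packet; stop after 50 packets.
#    RTP from the phone shows up here as UDP to a high port; if nothing appears after the
#    call is answered, the phone never sent media toward the firewall.
diagnose sniffer packet port1 'host 192.0.2.10 and udp and not port 5060' 4 50

# 2. Check whether a session for that media stream was ever created and which policy it matched.
diagnose sys session filter clear
diagnose sys session filter src 192.0.2.10
diagnose sys session filter proto 17
diagnose sys session list
diagnose sys session filter clear

# 3. If packets arrive but no session is created, trace the forwarding decision for the phone's
#    traffic; the trace prints the policy lookup result and the reason for any drop.
diagnose debug flow filter clear
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow filter proto 17
diagnose debug enable
diagnose debug flow trace start 30
# ... place the call, wait for the trace lines, then switch everything off:
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

One caveat that bears on the Site B-to-Site B case: if both phones sit on the same subnet, their RTP goes switch-to-switch and the FortiGate never sees it, so an empty sniffer output there is expected and does not point at the firewall. The trace in step 3 is only meaningful for media that actually crosses the unit, e.g. a Site B phone talking to the main site.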
Since you are on 7.2, can you try creating a VoIP profile and assigning it to the policy that takes care of your voice traffic? In the CLI, disable SCCP and SIP for the VoIP profile. Not sure if this will help, but it might.
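For reference, this is what that change looks like in the FortiOS CLI. It is an added example written for this thread, not configuration posted by the original poster or by Fortinet; the profile name `voip-passthrough` and the policy ID `10` are assumptions, so substitute the ID of the policy that actually carries the voice traffic.

```fortios
# Create a VoIP profile with both ALGs switched off, so the unit stops rewriting SIP
# headers/SDP and stops opening RTP pinholes on the phones' behalf.
config voip profile
    edit "voip-passthrough"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end

# Attach it to the policy that the voice traffic matches (assumed ID 10).
config firewall policy
    edit 10
        set voip-profile "voip-passthrough"
    next
end
```

Before and after the change, `show full-configuration firewall policy 10` confirms which profile the policy carries. The reason this is worth trying is that with the SIP ALG active, the firewall opens the RTP ports from what it parses out of the SDP; if the phone server advertises media addresses the firewall cannot reconcile with what it sees on the wire, the pinholes never open and the call connects with no audio, which matches the "no more traffic after pickup" symptom. Disabling the ALG makes the allow-all policy responsible for the media instead.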
Also, can you clarify if the traffic between phones at Site B goes through the firewall? You mention a LAN-to-LAN policy. How are you ensuring the phones are sending traffic to the firewall for local traffic on the same subnet?