- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- No voip connections from branch fortigate.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No voip connections from branch fortigate.
Hello,
I have such problem, after connecting new branch office with voip phones and voip gateway, users cannot call anymore. The call is established but the caller cannot be heard. The traffic from branch is routed to HQ fortigate. What seems strange to me is that the voip log in central fortigate, shows calls from the remote voip gateway as if they were calls from the local fortigate (127.0.0.1), the source address of the call from the remote voip gateway is not preserved:
Source: 192.12.0.6 (branch voip gateway) CALL ID: 53c80ff47a4440b0440f86045f462391@127.0.0.1
Source: 192.10.0.6 (local voip gateway) CALL ID: 5578e64444cf493767dac34c3cd50aa7@127.0.0.1
Labels:
- Labels:
-
FortiGate
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that is showing the central FGT is acting as SIP ALG and proxying/terminating the SIP leg so you see FGT's localhost IP there.
Can you explain better your topology?
Who is calling who? Where are they?
How many FortiGates is that call leg passing through?
Do you have policies allowing the VOIP traffic?
Is it just allowing SIP ports or also RTP ports?
Do you have any DNAT/SNAT enabled for the VOIP traffic?
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1.Branch: voip vlan (hera are phones)--> vlan server where is voip PBX located --->ipsec tunnel (central fortigate) here is doing NAT applied --->internet
2.the call is initiated from voip vlan on the branch fortigate
3. two fortigates are involved the branch and the HQ where is internet access
4. yes I have policies allowing from voip vlan to server vlan with UDP/TCP 5060 where voip PBX is located and second policy from server vlan to HQ fortigate with SIP 5060 ports.
Then on HG policy to allow internet connection from branch voip pbx to internet.
5.I have only allowed udp/tcp 5060 how to enable RTP I don't see anything like that in services.
6.I don't have any DSTNAT policies nor snat policies.
On the branch I had before Mikrotik router, now after installed there Fortigate device I have such problem.
As I said call is established but in one way only, I can't hear the caller.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So these calls are going out from your HQ FortiGate to some VOIP provider on the internet? These are not local calls?
If so you probably need to set up your VOIP ALG settings a bit. Depending on your VOIP provider you may need to disable strict register. Read this page for some good background info and more details:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/809/sip-pinholes
You also most likely need to define your external interface on the HQ FortiGate so it can do the HNAT traversal. More info here:
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK i think your issue is you aren't allowing RTP packets here. SIP UDP/5060 is used for signalling and call set up during which ports are agreed upon to use for RTP which carries the voice traffic. RTP is generally done anywhere on UDP port range 16000-32766. Depends on VOIP implementation so it might be safe to just allow all UDP to/from phones VLAN to other phones and other systems that terminate phone calls.
Cheers,
Graham
Graham
Created on 02-12-2023 01:03 AM Edited on 02-12-2023 01:09 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On HQ Fortigate where voip calls are working I have such Firewall Policies:
1. voip vlan--->vlan with voip pbx, Port UDP/TCP 5060
2.vlan with voip pbx ----> sip provider on internet, port tcp 5525, UDP 1190-1445, TCP/UDP 5060
3.vlan with branch voip pbx--->sip provider on internet, port tcp 5525, UDP 1190-1445, TCP/UDP 5060
I don't use any voip profile on any firewall policies.
On Branch (voips are not working):
1. voip vlan--->vlan with voip pbx, Port UDP/TCP 5060
2.vlan with voip pbx ----> SD-WAN ZOne to HQ, port tcp 5525, UDP 1190-1445, TCP/UDP 5060
here also I don't use any voip profiles.
I remember to get working DNS and Fortiguard service on branch, I had to specify in CLI to use SDWAN interface, maybe this is routing problem and VOIP have also such settings to use SDWAN?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is confusing. Why do you have a VLAN with VOIP PBX on both your HQ FGT and Branch FGT?
And remember, most times RTP traffic will terminate between the IP Phone and the remote phone or SIP server, not the internal PBX. Sometimes the internal PBX can act as a proxy for RTP traffic but it is rare.
Best thing to troubleshoot this for now would be to do a packet capture for the Branch phone and figure out:
1. Where is the RTP traffic going?
2. What ports is the RTP traffic using?
3. If you want, open up all your policies in the path to allow ALL UDP traffic and see if it works.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get from sip operator that they use 5060 TCP/UDP and RTP 10000-20000, so I have added UDP Ports range 10000-20000 from phones to pbx and from pbx to sdwan and then to internet - still no any change.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remember what I said about RTP paths: most often it is established direclty between SIP endpoints (and not the PBX). Please ensure UDP/10000-20000 is allowed between the phones and the VOIP provider (both ways).
And also the best thing you could do is get a packet capture going so we can see exactly what's wrong.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have log enabled on implicit deny firewall policy at the bottom, and all the time I look at the forward logs on Branch:
-to/from vlan voip phones
-to/from pbx vlan
On Hub Fortigate:
-to/from internet facing cloud sip provider.
And nothing is on blocked/denied if if any ports were missing after all it would be visible.
Related Posts
- fortigate ipsec s2s VPN with starlink... 426 Views
- Unable to connect to JPIX's V6... 232 Views
- Novice Needing Help Setting Up FortiGate... 216 Views
- Buy second hand Fortigate 8xE 174 Views
- WAN DNS 245 Views
Labels
-
FortiGate
6,620 -
FortiClient
1,319 -
5.2
801 -
5.4
639 -
FortiManager
573 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
340 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
249 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
104 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
74 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
29 -
Firewall policy
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
18 -
ZTNA
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.