theonlyVishay
New Contributor

SIP RTP Pinhole Issues No Audio - Need Help

SIP RTP Pinhole Issues No Audio - Need Help Folks!!

I am having a SIP/RTP issue. I am able to make the phone ring but no audio.. (RTP?)

 

I run the following commands from the external vdom:

  • diagnose debug reset
    diagnose debug flow filter saddr 216.115.22.117 (Vonage server)
    diagnose debug flow show iprope enable
    diagnose debug enable
    diagnose debug flow trace start 60

I get the following.. It is hitting policy 0 (cleanup policy).. It looks like Fortinet is not opening pinholes.

 

id=20085 trace_id=4002 func=print_pkt_detail line=5878 msg="vd-NGFWAB01:0 received a packet(proto=17, 216.115.22.117:28124->MYPUBLICIP(REDACTED):11816) tun_id=0.0.0.0 from internal5. "
id=20085 trace_id=4002 func=init_ip_session_common line=6050 msg="allocate a new session-028b2f32, tun_id=0.0.0.0"
id=20085 trace_id=4002 func=iprope_dnat_check line=5316 msg="in-[internal5], out-[]"
id=20085 trace_id=4002 func=iprope_dnat_tree_check line=823 msg="len=0"
id=20085 trace_id=4002 func=iprope_dnat_check line=5329 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=4002 func=vf_ip_route_input_common line=2606 msg="find a route: flag=80000000 gw-206.136.79.67 via NGFWAB01"
id=20085 trace_id=4002 func=iprope_access_proxy_check line=439 msg="in-[internal5], out-[], skb_flags-02000000, vid-0"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-100017, check-5f0289e4"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=iprope_in_check line=472 msg="in-[internal5], out-[], skb_flags-02000000, vid-0"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-100011, check-5f029bb0"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-100001, check-5f0289e4"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-10000e, check-5f0289e4"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
id=20085 trace_id=4002 func=__iprope_check line=2291 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-10000f, check-5f0289e4"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
id=20085 trace_id=4002 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=20085 trace_id=4002 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"

 

 

I have the following vdoms:

  • Global
  • External
    • A policy allowing the phones to reach the internet/PBX Server
    • NAT is enabled.
    • I do not have any SIP profiles.
  • Internal
    • A policy allowing the phones to reach external vdom

My SIP config:

EXTERNAL(EXTERNAL) # config system settings

EXTERNAL(settings) # show
config system settings
   set sip-expectation enable
   set h323-direct-model enable
   set default-voip-alg-mode kernel-helper-based
   set gui-voip-profile enable
end

 

EXTERNAL(EXTERNAL) # config voip profile

EXTERNAL(profile) # edit default

EXTERNAL(default) # show
config voip profile
   edit "default"
      set comment "Default VoIP profile."
      config sip
         set status disable
      end
   next
end

 

FGTAB01 (global) # config system session-helper

FGTAB01 (session-helper) # show
config system session-helper
   edit 1
      set name pptp
      set protocol 6
      set port 1723
   next
   edit 2
      set name h323
      set protocol 6
      set port 1720
   next
   edit 3
      set name ras
      set protocol 17
      set port 1719
   next
   edit 4
      set name tns
      set protocol 6
      set port 1521
   next
   edit 5
      set name tftp
      set protocol 17
      set port 69
   next
   edit 6
      set name rtsp
      set protocol 6
      set port 554
   next
   edit 7
      set name rtsp
      set protocol 6
      set port 7070
   next
   edit 8
      set name rtsp
      set protocol 6
      set port 8554
   next
   edit 9
      set name ftp
      set protocol 6
      set port 21
   next
   edit 10
      set name mms
      set protocol 6
      set port 1863
   next
   edit 11
      set name pmap
      set protocol 6
      set port 111
   next
   edit 12
      set name pmap
      set protocol 17
      set port 111
   next
   edit 14
      set name dns-udp
      set protocol 17
      set port 53
   next
   edit 15
      set name rsh
      set protocol 6
      set port 514
   next
   edit 16
      set name rsh
      set protocol 6
      set port 512
   next
   edit 17
      set name dcerpc
      set protocol 6
      set port 135
   next
   edit 18
      set name dcerpc
      set protocol 17
      set port 135
   next
   edit 19
      set name mgcp
      set protocol 17
      set port 2427
   next
   edit 20
      set name mgcp
      set protocol 17
      set port 2727
   next
   edit 13
      set name sip
      set protocol 17
      set port 5060
   next
end

 

My theory is that when the phones connect using SIP to the PBX server, it does not create Pinholes for the RTP audio to come back and be allowed because I can see the RTP being dropped by policy 0 above.

 

PLEASE HELLLPP :) 
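
The debug flow output in this post can be reduced to one verdict per packet. The following is an added example, not part of the original post and not Fortinet tooling: a small parser for the trace line format shown above, run over constructed sample lines (documentation addresses, made-up VDOM and interface names). `summarize` and `unexpected_media_drop` are hypothetical helper names, and the heuristic only encodes the poster's theory that inbound media with no session ends up on the local-in path.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\).* from (\S+)\.\s*$')
DROP_RE = re.compile(r'check failed on policy (\d+), drop')

# Constructed sample in the page's line format (documentation addresses, made-up names).
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5878 msg="vd-EXT:0 received a packet(proto=17, 198.51.100.7:28124->203.0.113.10:11816) tun_id=0.0.0.0 from wan1. "
id=20085 trace_id=1 func=init_ip_session_common line=6050 msg="allocate a new session-0000a001, tun_id=0.0.0.0"
id=20085 trace_id=1 func=iprope_dnat_check line=5329 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5878 msg="vd-EXT:0 received a packet(proto=17, 198.51.100.7:5060->203.0.113.10:5060) tun_id=0.0.0.0 from wan1. "
'''

def summarize(trace_text):
    """Group debug-flow lines by trace_id and record what happened to each packet."""
    traces = defaultdict(lambda: {"new_session": False, "dnat": None,
                                  "dropped_by": None, "drop_policy": None})
    for raw in trace_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # blank or non-trace line
        t, func, msg = traces[int(m.group(1))], m.group(2), m.group(3)
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t.update(proto=int(p[1]), src=p[2], sport=int(p[3]),
                     dst=p[4], dport=int(p[5]), iface=p[6])
        elif func == "init_ip_session_common" and "allocate a new session" in msg:
            t["new_session"] = True  # no existing session matched this packet
        elif func == "iprope_dnat_check" and msg.startswith("result:"):
            t["dnat"] = "matched" if "ret-matched" in msg else "no-match"
        elif func == "fw_local_in_handler" and (d := DROP_RE.search(msg)):
            # Dropped on the local-in path: evaluated as traffic to the firewall itself.
            t["dropped_by"], t["drop_policy"] = "local-in", int(d[1])
    return dict(traces)

def unexpected_media_drop(t, sip_port=5060):
    """Heuristic (an assumption, not FortiOS logic): UDP to a non-signalling port that
    needed a new session, matched no DNAT rule and was dropped on the local-in path."""
    return bool(t.get("proto") == 17 and t["new_session"] and t["dnat"] == "no-match"
                and t["dropped_by"] == "local-in" and t.get("dport") != sip_port)

if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        print(tid, t, "pinhole-suspect" if unexpected_media_drop(t) else "")
```

A trace with no drop line, such as the second constructed packet, is reported with `dropped_by` unset rather than guessed, which matters because `diagnose debug flow trace start 60` stops after a fixed number of packets.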

 

1 REPLY
gfleming
Staff

You have created three topics for the same issue. I have responded to one with a possible solution, please review:

https://community.fortinet.com/t5/Support-Forum/SIP-RTP-Pinhole-Issues-No-Audio-help-me/m-p/239717/h...

Cheers,
Graham