SIP RTP Pinhole Issues No Audio - Need Help Folks!!
I am having a SIP/RTP issue. I am able to get the phone to ring, but there is no audio (RTP?).
I run the following command from the external vdom:
I get the following. It is hitting policy 0 (cleanup policy). It looks like Fortinet is not opening pinholes.
id=20085 trace_id=4002 func=print_pkt_detail line=5878 msg="vd-NGFWAB01:0 received a packet(proto=17, 216.115.22.117:28124->MYPUBLICIP(REDACTED):11816) tun_id=0.0.0.0 from internal5. "
id=20085 trace_id=4002 func=init_ip_session_common line=6050 msg="allocate a new session-028b2f32, tun_id=0.0.0.0"
id=20085 trace_id=4002 func=iprope_dnat_check line=5316 msg="in-[internal5], out-[]"
id=20085 trace_id=4002 func=iprope_dnat_tree_check line=823 msg="len=0"
id=20085 trace_id=4002 func=iprope_dnat_check line=5329 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=4002 func=vf_ip_route_input_common line=2606 msg="find a route: flag=80000000 gw-206.136.79.67 via NGFWAB01"
id=20085 trace_id=4002 func=iprope_access_proxy_check line=439 msg="in-[internal5], out-[], skb_flags-02000000, vid-0"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-100017, check-5f0289e4"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=iprope_in_check line=472 msg="in-[internal5], out-[], skb_flags-02000000, vid-0"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-100011, check-5f029bb0"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-100001, check-5f0289e4"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-10000e, check-5f0289e4"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
id=20085 trace_id=4002 func=__iprope_check line=2291 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2272 msg="gnum-10000f, check-5f0289e4"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=4002 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
id=20085 trace_id=4002 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=20085 trace_id=4002 func=iprope_policy_group_check line=4732 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=20085 trace_id=4002 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
I have the following vdoms:
My SIP config:
EXTERNAL(EXTERNAL) # config system settings
EXTERNAL(settings) # show
config system settings
    set sip-expectation enable
    set h323-direct-model enable
    set default-voip-alg-mode kernel-helper-based
    set gui-voip-profile enable
end
EXTERNAL(EXTERNAL) # config voip profile
EXTERNAL(profile) # edit default
EXTERNAL(default) # show
config voip profile
    edit "default"
        set comment "Default VoIP profile."
        config sip
            set status disable
        end
    next
end
FGTAB01 (global) # config system session-helper
FGTAB01 (session-helper) # show
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
    edit 5
        set name tftp
        set protocol 17
        set port 69
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 10
        set name mms
        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set protocol 17
        set port 2727
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end
My theory is that when the phones connect using SIP to the PBX server, it does not create pinholes for the RTP audio to come back and be allowed, because I can see the RTP being dropped by policy 0 above.
PLEASE HELLLPP :)
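Added example, not part of the original post: a small Python summarizer for flow-trace output like the trace above, which pulls out the packet tuple, the DNAT check result, each policy-group result and the final drop line so the deciding entries are not lost in the per-policy noise. The function name `summarize` and the sample are constructed here; the sample is four lines shortened from the post's trace, with the redacted destination replaced by a documentation address.

```python
import re

# Constructed sample: four lines shortened from the trace in the post,
# with the redacted destination replaced by a documentation address.
SAMPLE = '''\
id=20085 trace_id=4002 func=print_pkt_detail line=5878 msg="vd-NGFWAB01:0 received a packet(proto=17, 216.115.22.117:28124->203.0.113.10:11816) tun_id=0.0.0.0 from internal5. "
id=20085 trace_id=4002 func=iprope_dnat_check line=5329 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=4002 func=__iprope_check line=2291 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=20085 trace_id=4002 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
'''

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT = re.compile(r'received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\) .* from (\S+?)\.')
GROUP = re.compile(r'(gnum-[0-9a-f]+) check result: (ret-[\w-]+), (act-\w+)')

def summarize(text):
    """Group flow-trace lines by trace_id and keep the fields that decide the verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a flow-trace line (CLI prompt, blank line, ...)
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"packet": None, "dnat": None, "groups": [], "verdict": None})
        if func == "print_pkt_detail" and (p := PKT.search(msg)):
            proto, src, sport, dst, dport, iface = p.groups()
            t["packet"] = {"proto": int(proto), "src": src, "sport": int(sport),
                           "dst": dst, "dport": int(dport), "in": iface}
        elif func == "iprope_dnat_check" and msg.startswith("result:"):
            # Whether any destination-NAT entry matched the packet
            t["dnat"] = re.search(r'ret-[\w-]+', msg).group(0)
        elif g := GROUP.search(msg):
            # Per-group outcome: (group id, match result, action)
            t["groups"].append(g.groups())
        elif msg.endswith(", drop"):
            # Final drop line: which handler dropped the packet and why
            t["verdict"] = (func, msg)
    return traces

if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        print(tid, t["packet"], t["dnat"], t["groups"], t["verdict"], sep="\n  ")
```
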
You have created three topics for the same issue. I have responded to one with a possible solution, please review: