theonlyVishay
New Contributor

SIP RTP Pinhole Issues No Audio - help me

SIP RTP Pinhole Issues No Audio - Need Help Folks!!

I am having a SIP/RTP issue. I am able to make the phone ring but there is no audio.. (RTP?)

 

I run the following command from the external vdom:

    diagnose debug reset
    diagnose debug flow filter saddr 216.115.22.117 (Vonage server)
    diagnose debug flow show iprope enable
    diagnose debug enable
    diagnose debug flow trace start 60

I get the following.. It is hitting policy 0 (cleanup policy).. It looks like fortinet is not opening PinHoles.

 

id=20085 trace_id=4002 func=print_pkt_detail line=5878 msg="vd-external:0 received a packet(proto=17, 216.115.22.117:28124->MYPUBLICIP(REDACTED):11816) tun_id=0.0.0.0 from internal5. "
id=20085 trace_id=4002 func=init_ip_session_common line=6050 msg="allocate a new session-028b2f32, 
id=20085 trace_id=4002 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"

 

I have the following vdoms:

  • Global
  • External
    • A policy allowing the phones to reach the internet/PBX Server
    • NAT is enabled.
    • I do not have any SIP profiles.
  • Internal
    • A policy allowing the phones to reach external vdom

My SIP config:

EXTERNAL(EXTERNAL) # config system settings

EXTERNAL(settings) # show
config system settings
   set sip-expectation enable
   set h323-direct-model enable
   set default-voip-alg-mode kernel-helper-based
   set gui-voip-profile enable
end

 

EXTERNAL(EXTERNAL) # config voip profile

EXTERNAL(profile) # edit default

EXTERNAL(default) # show
config voip profile
   edit "default"
      set comment "Default VoIP profile."
      config sip
         set status disable
      end
   next
end

 

FGTAB01 (global) # config system session-helper

FGTAB01 (session-helper) # show
config system session-helper
edit 13
   set name sip
   set protocol 17
   set port 5060
next
end

 

My theory is that when the phones connect using SIP to the PBX server, it does not create Pinholes for the RTP audio to come back and be allowed because I can see the RTP being dropped by policy 0 above.

 

PLEASE HELLLPP :) 

 

gfleming
Staff

You need to specify which interface is external and which is internal for the helper to work. 

 

config system interface
   edit "wan"
      set external enable
   next
   edit "lan"
      set internal enable
   next
end

Cheers,
Graham
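
An added example, not part of the thread or of any Fortinet tooling: a Python script that groups `diagnose debug flow` output like the trace in the question by `trace_id` and reports the packets a policy check dropped, so the same trace can be re-run after a configuration change to see whether the media stream is still hitting policy 0. The sample lines are constructed (documentation addresses), and `dropped_packets`, `likely_media` and the other names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the trace in the question (documentation
# addresses; the second line is cut short on purpose, as in the post).
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5878 msg="vd-external:0 received a packet(proto=17, 198.51.100.7:28124->203.0.113.10:11816) tun_id=0.0.0.0 from internal5. "
id=20085 trace_id=1 func=init_ip_session_common line=6050 msg="allocate a new session-0000a001,
id=20085 trace_id=1 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5878 msg="vd-external:0 received a packet(proto=17, 198.51.100.7:5060->203.0.113.10:5060) tun_id=0.0.0.0 from internal5. "
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5960 msg="Find an existing session, id-0000a000, reply direction"
'''

LINE = re.compile(r'trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"\s*$')
PKT = re.compile(r'vd-(\S+?):\d+ received a packet\(proto=(\d+), '
                 r'(\S+?):(\d+)->(\S+?):(\d+)\).* from (\S+?)\.')
DROP = re.compile(r'check failed on policy (\d+), drop')
SIP_PORT = 5060  # port of the sip session-helper entry shown in the question


def dropped_packets(text):
    """Group trace lines by trace_id; return the packets a policy check dropped."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # truncated or wrapped line: skip it rather than guess
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        pkt, drop = PKT.search(msg), DROP.search(msg)
        if pkt:
            vd, proto, src, sport, dst, dport, intf = pkt.groups()
            traces[tid].update(vdom=vd, proto=int(proto), src=src, sport=int(sport),
                               dst=dst, dport=int(dport), in_intf=intf)
        if drop:
            traces[tid].update(policy=int(drop.group(1)), dropped_by=func)
    out = []
    for tid, t in sorted(traces.items()):
        if "policy" in t and "src" in t:
            # Heuristic: dropped UDP that is not on the SIP port is probably media.
            t["likely_media"] = t["proto"] == 17 and SIP_PORT not in (t["sport"], t["dport"])
            out.append({"trace_id": tid, **t})
    return out


if __name__ == "__main__":
    for p in dropped_packets(SAMPLE):
        print(p)
```
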