I created a client VPN for FortiClient and iOS.
There are the right policies to reach my LAN from the VPN and from the LAN to the VPN.
In my LAN I deployed a PBX with SIP on port 5061.
When I connect from the internet to my network with VPNc, all services work, but no softphone is able to connect to the PBX.
In FortiGuard, filtering by IP, I can see all the sessions open from VPNc to the LAN. All sessions use the correct policy.
The session on port 5061 uses a different policy that has nothing to do with it (different interface, another P2P VPN).
You can see the wrong policy in the attached image. The row is the only row without a source interface...
Any suggestion?
Do you have a proper set of routes & policies toward the VPNs? One-way policies generally work for mobile applications like server/service remote access, but not for phone services.
You keep saying you have the right policy; have you run the CLI diag debug flow against one of your phone devices to confirm?
Ken
PCNSE
NSE
StrongSwan
There are policies, there are the right routes...
I think the problem is in the session helper...
id=20085 trace_id=41 func=print_pkt_detail line=4930 msg="vd-root received a packet(proto=17, 172.16.100.100:5061->192.168.2.88:5061) from XDN_FC_0. "
id=20085 trace_id=41 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-06726330, original direction"
id=20085 trace_id=41 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.2.88 via wan1"
id=20085 trace_id=41 func=__ip_session_run_tuple line=2956 msg="run helper-sip(dir=original)"
I set up protocol SIP on port 5060. I don't know if I have to set, or can set, another SIP protocol in the session helper...
Graziano.
If phones are connected via VPNs, the session helper/SIP ALG is not needed and regularly mishandles RTP ports. We had to do that for our customers by following the below:
toshiesumi wrote: If phones are connected via VPNs, the session helper/SIP ALG is not needed and regularly mishandles RTP ports. We had to do that for our customers by following the below:
Phones are connected to the VPN. But I experience problems only with 5061. With 5060, no problem. Now I activated CHAN_PJSIP in Asterisk on 5060 for the softphone on the mobile phone and everything works like a charm...
5060 OK
5061 wrong policy...
My PBX goes via VoIP to the internet through 5060.
The session helper is enabled.
OK, then it's not just turning the helper on/off. As emnoc/Ken suggested, you need to debug in much more detail with diag debug flow. At this moment, I suggest you open a ticket with TAC and get help from them. It's more than the forum can help with without seeing/touching the actual configuration and unit.
So do us a favor and review the SIP session helper details:
config system session-helper
show | grep -i -C 5 sip
Can you provide us that detail? And then do a test, modify it to 5061, and test again? Do you know why they are using 5061 and not 5060 for the SIP control channel?
Ken
PCNSE
NSE
StrongSwan
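As an added illustration of the check Ken asks for above and of the alternative toshiesumi raised (this is example configuration written for this thread, not configuration from the original poster or from Fortinet; the session-helper entry numbers 13 and 30 are assumptions), here is how the SIP helper review, a test entry for UDP/5061, and the "no helper for VPN phones" option look in the FortiOS CLI:

```fortios
# Step 1 (Ken's review): list the session helpers and look at the SIP entry.
# On most FortiOS builds the SIP helper is entry 13; verify the number on your unit.
config system session-helper
    show | grep -i -C 5 sip
end
# Expected shape of the default SIP entry:
#   edit 13
#       set name sip
#       set protocol 17
#       set port 5060
#   next

# Step 2 (Ken's test): add a second SIP helper entry for UDP/5061.
# Entry 30 is an arbitrary unused id chosen for this example.
# The debug flow in the thread shows proto=17 on 5061, i.e. plain UDP SIP on a
# non-standard port; a helper entry would be pointless for SIP over TLS, which
# the helper cannot parse.
config system session-helper
    edit 30
        set name sip
        set protocol 17
        set port 5061
    next
end

# Step 3 (toshiesumi's alternative): if the phones only reach the PBX over the
# VPN, do not run the SIP helper/ALG at all. Remove the SIP helper entries
# (30 only if you added it in step 2) ...
config system session-helper
    delete 13
    delete 30
end
# ... and disable the kernel SIP helper and NAT tracing ...
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end
# ... or, if you prefer to keep the helper table untouched, exempt SIP in the
# VoIP profile applied to the VPN policies instead:
config voip profile
    edit default
        config sip
            set status disable
        end
    next
end

# After any of these changes, sessions already established still carry the old
# helper binding; clear them before re-testing the softphone:
diagnose sys session clear
```

Whichever of steps 2 or 3 you test, rerun the diag debug flow afterwards and check that the 5061 packet now matches the VPN-to-LAN policy and that no "run helper-sip" line appears for it in step 3; if the wrong policy is still selected, the cause is route or policy ordering rather than the helper.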