Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Storyteller
New Contributor

SIP over VPN on 5061 and wrong policy used...

I create a client VPN for forticlient and Ios. 

There are the right policy to reach my lan from VPN an from LAN to VPN.

In my LAN I deployed a PBX with SIP on port 5061. 

When I connect from internet to my network with VPNc all service work but no softphone is able to connect to PBX.

In fortiguard, filtering by IP, I can see all the sessions open from VPNc to LAN. All sessions use the correct policy. 

The session on port 5061 uses a different policy and it does not have anything to do with it (different Interface, another P2P VPN).

 

You can see in the attached image the wrong policy. The row is the only row without Source Interface...

Any suggestion?

7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Do you have a proper set of route&policy toward VPNs? One way policy generally work for mobile applications like server/service remote accesses but not for phone services. 

emnoc
Esteemed Contributor III

You keep on saying  you have the right policy, have you ran cli diag debug flow and against one of your phone devices to  confirm ?

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Storyteller

There are policies, there are the right routes...

I think the problem is in session helper...

 

id=20085 trace_id=41 func=print_pkt_detail line=4930 msg="vd-root received a packet(proto=17, 172.16.100.100:5061->192.168.2.88:5061) from XDN_FC_0. "

id=20085 trace_id=41 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-06726330, original direction"

id=20085 trace_id=41 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-192.168.2.88 via wan1"

id=20085 trace_id=41 func=__ip_session_run_tuple line=2956 msg="run helper-sip(dir=original)"

 

I set up protocol SIP on 5060 port. I don't know if I have to set or I can set another SIP protocol in session helper...

 

Graziano.

Toshi_Esumi

If phones are connected via VPNs, session helper/SIP ALG is not needed and regularly mishandles RTP ports. We had to do that for our customers by following below:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36405&sliceId=1...

 

Storyteller

toshiesumi wrote:

If phones are connected via VPNs, session helper/SIP ALG is not needed and regularly mishandles RTP ports. We had to do that for our customers by following below:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36405&sliceId=1...

 

Phones are connected to VPN. But I experiment problems only with 5061. With 5060 no problem. Now I activate CHAN_PJSIP in Asterisk on 5060 for softphone in the mobile phone and all works like a charm...

5060 OK

5061 wrong policy...

 

My pbx goes via VOIP in internet throught 5060.

 

Session helper is enable.

Toshi_Esumi

ok, then it's not just turning on/off helper. As emnoc/Ken suggested, you need to debug much into the detail w/ diag debug flow. At this moment, I suggest you open a ticket with TAC and get help from them. It's more than Forum can help without seeing/touching actual configuration and unit.

emnoc
Esteemed Contributor III

So do os a favor  review the SIP session helper details

 

config system session-helper

   show | grep -i -C 5 sip

 

Can you provide us that detail? And then do a test and modify it to 5061 and test? Do you know why they are using  5061 and no 5060 for  SIP control-channel?

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors