Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎10-07-2010 04:06 PM

Sip INVITE headers being modified

Hi everyone, I' m breaking my head trying to figure this out. I have a Fortigate 60B and it seems to be modifying parts of the SIP Headers. I tried disabling " sip-helper" and " sip-nat-trace" but it does not seem to be helping. I also ensured that there is no protection profile on the firewall rule. The specific headers that I' m talking about are the " From" " Contact" and " Anonymity" headers. My provider (flowroute.com) claims that they sent the packet looking like this and anything missing must be being stripped out by my Firewall: INVITE sip:************@************** SIP/2.0. Record-Route: <sip:70.167.153.130;lr>. Record-Route: <sip:216.115.69.142;lr>. Via: SIP/2.0/UDP 70.167.153.130;branch=z9hG4bK73c3.e613564d11025903295c92119be9b271.0. Via: SIP/2.0/UDP 216.115.69.131;branch=z9hG4bK73c3.883356619b22bdd3d8c07c5ecf0503bc.0. Via: SIP/2.0/UDP 216.115.69.142;branch=z9hG4bK73c3.3d845433f085edc1e0ede5538e244ce9.0. Via: SIP/2.0/UDP 4.55.14.163:5060;branch=z9hG4bK05B640b19b831a7f023. From: " Private" <sip:+**************@4.55.14.163:5060;isup-oli=62>;tag=gK05565c95. To: <sip:***************@216.115.69.142:5060>. Call-ID: 1342517982_39619543@4.55.14.163. CSeq: 4659 INVITE. Max-Forwards: 14. P-Asserted-Identity: <sip:+***************@pstn>. Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed. Contact: " Private" <sip:+***************@4.55.14.163:5060>. Anonymity: name. Content-Length: 228. Content-Type: application/sdp. . v=0. o=- 18884 1819 IN IP4 4.55.14.130. s=-. c=IN IP4 4.55.14.130. t=0 0. m=audio 7796 RTP/AVP 0 18 101. a=rtpmap:18 G729/8000. a=fmtp:18 annexb=no. a=rtpmap:101 telephone-event/8000. a=fmtp:101 0-15. a=ptime:20. a=maxptime:20. I am receiving it on the PBX looking like: Notice that the parts in bold above are stripped from the INVITE INVITE sip:************@************** SIP/2.0. Record-Route: <sip:70.167.153.130;lr>. Record-Route: <sip:216.115.69.142;lr>. Via: SIP/2.0/UDP 70.167.153.130;branch=z9hG4bK73c3.e613564d11025903295c92119be9b271.0. Via: SIP/2.0/UDP 216.115.69.131;branch=z9hG4bK73c3.883356619b22bdd3d8c07c5ecf0503bc.0. Via: SIP/2.0/UDP 216.115.69.142;branch=z9hG4bK73c3.3d845433f085edc1e0ede5538e244ce9.0. Via: SIP/2.0/UDP 4.55.14.163:5060;branch=z9hG4bK05B640b19b831a7f023. From: <sip:+**************@4.55.14.163:5060;isup-oli=62>;tag=gK05565c95. To: <sip:***************@216.115.69.142:5060>. Call-ID: 1342517982_39619543@4.55.14.163. CSeq: 4659 INVITE. Max-Forwards: 14. P-Asserted-Identity: <sip:+***************@pstn>. Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed. Contact: <sip:+***************@4.55.14.163:5060>. Content-Length: 228. Content-Type: application/sdp. . v=0. o=- 18884 1819 IN IP4 4.55.14.130. s=-. c=IN IP4 4.55.14.130. t=0 0. m=audio 7796 RTP/AVP 0 18 101. a=rtpmap:18 G729/8000. a=fmtp:18 annexb=no. a=rtpmap:101 telephone-event/8000. a=fmtp:101 0-15. a=ptime:20. a=maxptime:20. If anyone can help me figure this out it would be greatly appreciated. Thank You
7276
0 Kudos
10 REPLIES 10
lmuir
New Contributor

Created on ‎10-07-2010 06:07 PM

If there' s no protection profile and the SIP session helper is removed, then I don' t see what could be modifying the headers. Does using the SIP ALG help?
3976
0 Kudos
Not applicable
In response to lmuir

Created on ‎10-10-2010 08:49 AM

I tried with and without the SIP ALG enabled in the protection profile and there was no change.
3976
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎10-07-2010 08:17 PM

If you want to compare pre& post firewall processing of your SIP invite, why don' t you setup a packet monitor and capture the packets upstream and downstream of the fortigate. Unless you have some type or proxy going on, then nothing should be changed in the SIP invite. Also are you sure your not being subject to any SIP attacks or forgery(spoof) ? This is UDP , so anything is possible. I would do the capture and based on what you find, & go from that point.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
3976
0 Kudos
Not applicable
In response to emnoc

Created on ‎10-10-2010 08:50 AM

Yup I think this what I' m gonna have to do, but I' m not gonna be at the physical location for a couple of days so its gonna have to wait
3976
0 Kudos
g3rman
New Contributor

Created on ‎10-08-2010 08:56 AM

Also take a look at this: config system settings set sip-helper disable end from http://firewallguru.blogspot.com/2008/03/sip-and-h323.html
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
3976
0 Kudos
Not applicable
In response to g3rman

Created on ‎10-10-2010 08:51 AM

Yup I have those settings disabled. Still having issues
3976
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎10-10-2010 11:32 PM

Maybe I' m misunderstanding this, but for sniffing you don' t have to be on site. Open 2 ssh sessions to the external interface (enable ssh access for this on wan1). If possible let the ssh client copy the output to a file. Enter 
diag sniffer packet internal ' sip and host x.y.z.t'  4
in one session and 
diag sniffer packet wan1 ' sip and host x.y.z.t'  4
in the other. Then make a call. Compare and post here the (same) packet on internal and wan1 interface.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3976
0 Kudos
rwpatterson
Valued Contributor III
In response to ede_pfau

Created on ‎10-11-2010 03:23 AM

ORIGINAL: ede_pfau Maybe I' m misunderstanding this, but for sniffing you don' t have to be on site. Open 2 ssh sessions to the external interface (enable ssh access for this on wan1). If possible let the ssh client copy the output to a file. Enter 
diag sniffer packet internal ' sip and host x.y.z.t'  4
in one session and 
diag sniffer packet internal ' sip and host x.y.z.t'  4
in the other. Then make a call. Compare and post here the (same) packet on internal and wan1 interface.
Maybe should be ' WAN1' ?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3976
0 Kudos
Not applicable
In response to ede_pfau

Created on ‎10-11-2010 12:16 PM

diag sniffer packet wan1 ' sip and host x.y.z.t' 4
Thanks a ton!! I did not know about that. Just one correction the command should be... diag sniffer packet internal ' sip and host x.y.z.t' 5 if you want to see the actual packet data. The good news is that the packets are being received by the fortigate with the data missing so it seems like something on my providers end. Either way thanks a bunch for helping me out.
3976
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.