Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DACOBELLNKWETA
New Contributor

TWO WAY AUDIO COMMUNICATIONS PROBLEM (Blank calls)

Hello i Am trying to set up VOIP communications between two operators using Fortigate 600E on one side and FG3200D on the other side. i have succeeded to create an IPSEC tunnel between both firewalls , SIP and Media connectivity has been set between the SBCs of both operators passing through the IPSEC tunnel , SBC are responsible for the SIP and Media communications , during the test ones i initiate the call , SIP sessions is established phone rings well but there is no audio on both directions, i have disable SIP inspections and also SIP-ALG yet still no audio 

 

what can be the issue please and how do i solve this

4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hello DACOBELLNKWETA,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
ede_pfau
Esteemed Contributor III

hi,

 

this is a typical situation when configuring VoIP.

SIP is unicast TCP so with the right policy you'll get the dialing OK.

 

Voice OTOH is UDP across some randomly selected port (like 40000-59999). Years ago, the solution then was to just open 20.000 ports from WAN to PBX...no need for this hazard if you use Fortigates!

The way it works in FortiOS is:

- the FGT sniffs/reads the SIP negotiation traffic in which the RTP port (for voice) is exchanged. Then, exactly this single port is opened dynamically for this RTP session only. After hangup, the UDP port is closed.

 

So, the FGT needs a means to sniff the traffic. By default, this is the SIP session helper. The other tool available is a VoIP profile. If you have deleted the session helper (which is quite popular, maybe because it's so easy to do), then you will need to create a VoIP profile and use it in the VoIP policy.

Worked every time in my configs.

 

HTH.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
sw2090
Honored Contributor

hm I use a sip phone at homeoffice that connects to our office via sip and I never needed those things. Dialling worked from the spot over my ipsec s2s and voice worked when I enabled the phone in my homoffice subnet to reach the opposite subnet because voice at sip always is a direct point-to-point connection.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Yurisk
Valued Contributor

In that case (removing SIP-ALG not helping), the SIP debug is due, to see what is going on. I, for example, do disable SIP helpers/SIP-ALG as need arises, but AFTER I run debug and see that SIP/RTP traffic is being blocked by Forti (yes, it happens even today with new like 7.0.x versions). 

 

diagnose debug application sip -1

diagnose debug enable

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Labels
Top Kudoed Authors