Hello
I'm running site to site vpn with 2 fgt. 90d -> 60c
we're occasionally experiencing bad line quality .
from reading online I understand that the IPSEC has different configurations affecting the overhead used due to encryption etc etc.
Is there a recommended setting for IPSEC tunnel being used for voice only ?
Thank you ,
NC.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Your overhead with IPSEC is not going to make a difference. The traffic egressing the firewall and prioritization of traffic both via the WAN and tunnel-interface is going to be the issue.
let's step back and collect data/statistics
1: Are you seeing any high plos or jitter
2: have you captured any RTP streams for analysis
3: is the problem one-way or two-way
4: Do you have other traffic over the tunnel
5: have you tried and traffic QoS guanrantee with bw guarantee ( disc tagging is useless over the internet btw )
6: have you graph monitor both WAN uplink and tunnel utilization % and are your high ploss/jitter during periods of high utilization
Ken
PCNSE
NSE
StrongSwan
Hi ,
Thank you for your fast reply.
1. what is plos ?
I'll try to use tcpdump + callstats to figure out the jitter and capture some rtp streams.
3. usually the problem is one way e.g. 90d expriences bad call quality but the 60c hears fine.
maybe 60c isn't pushing fast enough and usually when more then 3 persons on the phone on the 60c side.
4. 90d has data + voice with traffic shaping .
60c handles only voice.
5. 90d traffic shaping .
60c is handling voice only so I figured theres no point,
altough I'm using QOS on switch level now to prioritize the voip traffic.
6. could you kindly explain how to go about this ?
Thank you kindly.
NC.
1. what is plos ? I'll try to use tcpdump + callstats to figure out the jitter and capture some rtp streams.
plos = packet lost
3. usually the problem is one way e.g. 90d expriences bad call quality but the 60c hears fine. maybe 60c isn't pushing fast enough and usually when more then 3 persons on the phone on the 60c side.
could be anything from bad paths, no scheduler for EF tagged voice packets, interface drops,etc...
6. could you kindly explain how to go about this ?
tshark/wireshark with the telephony analysis would be a start,
use the dig command to look for interface related issues on both firewalls & all interfaces that VoIP packets crosses
e.g
diag hardware deviceinfo nic wan1 | grep Error
diag hardware deviceinfo nic wan1 | grep Dropp
set a link monitor to monitor the path from FGT90<---> 60 would be a start.
ensure you have no duplex issues
ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.