Hello,
I have users trying to use a SIP softphone remotely. When the SSL VPN is not connected, their calls connect and there is no audio problem, BUT when the SSL VPN is connected there is no audio between caller and callee. I found that the SSL VPN by default uses TCP but audio uses UDP. Is there a way to push the SSL VPN to allow and route UDP also?
There is no distinction between TCP and UDP for traffic the VPN itself handles. If it's a split-tunnel setup, you must have configured L3 routing with some subnets routed into the tunnel while others follow the local default route. The question is what the destination/server IP(s) for the VoIP service are and where they're routed to when the tunnel is up. If the traffic is coming into the tunnel, it's likely the server/FGT side causing the problem that you need to troubleshoot.
Thank you for the response. It's not split tunnel in our case. The SIP server is in the public network of the service provider, so remote users have it as a public IP to register on their X-Lite.
I found that SIP ALG is not disabled on the FortiGate, but I'm not sure if disabling it would solve the problem...
Any ideas how to troubleshoot next?
Thank you
If the local public IP is the registered IP at the VoIP server side, and if it's the only IP that would work, then if the traffic is routed through the VPN server/FGT it obviously wouldn't work, because the server side sees the FGT's outside/public IP as the source of the traffic. For that case "split-tunneling-routing-negate" seems to be the solution. I haven't tried it (didn't have to so far) though.
https://forum.fortinet.com/tm.aspx?m=190576
I thought the FGT would NAT the internal IP:port (in my case from the SSL VPN subnet) to the external IP:port (of the FGT) with stateful NAT, and this should keep the session up and the audio traffic as well. But it's not working.
We often refer to VPNs as tunnels because both sides can exchange packets with internal IPs without referring to the public/outside IP of the tunnel. You must have configured a private subnet for SSL VPN, or by default 10.212.something, I don't remember. That's the source IP from the client for all traffic including VoIP. No public IP is attached to the packets when they come into the FGT. You can sniff them to see.
[user with vpn and phone] ---[vpn_with_private_ip:port#-----fortigate---NAT---public_ip:port#]---[Internet]--SIP Phone server
So NAT in the FGT should keep the NAT session open between private_ip:port and public_ip:port, in my case for voice calls also, even if they go to the public Internet.
It's like this: I am connected to the SSL VPN right now and can still browse the Internet (Google, MSN, Amazon) with my company IP. Here the FGT NAT can keep my session open and send and receive for me for HTTP and HTTPS properly, BUT when it comes to voice it can't.