We had observed a problem, where a SIP phone is registering, but the AOR record indicates, that as a Contact IP address the incorrect and strange private IP address is used. As is shown on following listing:<\/p>\n\n\n\n
voip*CLI> pjsip show aor 1765\n Aor: <Aor..............................................> <MaxContact><\/code>\n Contact: \n Aor: 1765 1 Contact: 1765\/sip:1765@10.16.42.46:65476 f123d14d1c NonQual nan<\/code>\n ParameterName : ParameterValue\n =================================================\n authenticate_qualify : false\n contact : sip:1765@10.16.42.46:65476<\/strong>\n default_expiration : 7200\n mailboxes :\n max_contacts : 1\n maximum_expiration : 7200\n minimum_expiration : 60\n outbound_proxy :\n qualify_frequency : 0\n qualify_timeout : 3.000000\n remove_existing : true\n support_path : false\n voicemail_extension :<\/pre>\n\n\n\nThis cause a problem, where incoming phone calls (call on 1765 number) are not reaching the SIP phone. We had tried to solve the situations on the phone only modifying its NAT configuration and using STUN, but with no success. Then we setup the lab with two Cisco NAT to simulate the topo. It works perfectly. This indicate on a problem with the Fortigate firewall. Several posts indicates that it could be the SIP ALG problem, which is on Fortigate devices turned on<\/strong> by default and it modifies SIP messages. <\/p>\n\n\n\nTopology<\/h3>\n\n\n\n
The topology is simple. It includes a SIP VoIP phone (Sipura Linksys\/Cisco) plugged in a LAN of home network. LAN is behind a local Fortigate firewall, which performs NAT (to a ISP net address space). The ISP is using NAT as well, so the SIP call have to traverse through several NAT devices. The phone is registering on our Asterisk VoIP PBX.<\/p>\n\n\n\n
Devices and software entities<\/h3>\n\n\n\n
My environment includes: <\/p>\n\n\n\n
- VoIP phone: Sipura Linkys\/Cisco SPA hw VoIP phone<\/li>
- Fortigate firewall: FortiWiFI 30D with 5.6 FortiOS<\/li>
- VoIP PBX: Asterisk 16.2.1 VoIP SIP PBX using PJSIP SIP module with a NAT support configured<\/li><\/ul>\n\n\n\n
Some resources to learn something (as I’m a fortigate newbie):<\/p>\n\n\n\n
- https:\/\/help.fortinet.com\/fos50hlp\/56\/Content\/FortiOS\/fortigate-voip-guide\/intro.htm<\/a> <\/li>
- https:\/\/help.fortinet.com\/fos50hlp\/56\/Content\/FortiOS\/fortigate-voip-guide\/ALG-NAT.htm<\/a><\/li><\/ul>\n\n\n\n
Solution<\/h2>\n\n\n\n
Well, first of all, backup your firewall config.<\/p>\n\n\n\n
Step 1) Disable SIP ALG inspection<\/h3>\n\n\n\n
Run following commands:<\/p>\n\n\n\n
config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end<\/pre>\n\n\n\nNow we will change the default VoIP profile, where we will disable SIP and RTP processing:<\/p>\n\n\n\n
config voip profile \n edit default \n config sip \n set status disable \n set rtp disable \n end \n end <\/code><\/pre>\n\n\n\nStep 2) Remove session helper <\/h3>\n\n\n\n
Go to:<\/p>\n\n\n\n
config system session-helper\nshow<\/code><\/pre>\n\n\n\nand scroll down, where we need to find the edit entry for SIP. In our case it is number 13 (it can be different), <\/p>\n\n\n\n
--More-- set protocol 6\n set port 1863\n next\n edit 11\n set name pmap\n set protocol 6\n set port 111\n next\n edit 12\n set name pmap\n set protocol 17\n set port 111\n next\n edit 13\n set name sip\n set protocol 17\n set port 5060\n next\n edit 14\n set name dns-udp\n set protocol 17\n set port 53\n next\n edit 15\n--More-- <\/code><\/pre>\n\n\n\nDelete it:<\/p>\n\n\n\n
delete 13\nend<\/code><\/pre>\n\n\n\nStep 3) Clear session information<\/h3>\n\n\n\n
Now we need to clear session information <\/p>\n\n\n\n
diagnose sys session clear<\/code><\/pre>\n\n\n\nor reboot a firewall <\/p>\n\n\n\n
execute reboot\nThe system will be rebooted.\nDo you want to continue? (y\/n)<\/code><\/pre>\n\n\n\nand restart\/reboot SIP phone (or wait till the registration expire).<\/p>\n\n\n\n
Step 4) Final check on asterisk<\/h3>\n\n\n\n
The aor record<\/strong> should be changed and it should show your public IP address:<\/p>\n\n\n\nvoip*CLI> pjsip show aor 1765\n Aor: <Aor..............................................> <MaxContact><\/code>\n Contact: \n Aor: 1765 1 Contact: 1765\/sip:1765@87.244.204.168:65476 f123d14d1c NonQual nan<\/code>\n ParameterName : ParameterValue\n ====================================================\n authenticate_qualify : false\n contact : sip:1765@YOUR_PUBLIC_IP_ADDRESS<\/strong>:65476\n default_expiration : 7200\n mailboxes :\n max_contacts : 1\n maximum_expiration : 7200\n minimum_expiration : 60\n outbound_proxy :\n qualify_frequency : 0\n qualify_timeout : 3.000000\n remove_existing : true\n support_path : false\n voicemail_extension :<\/pre>","protected":false},"excerpt":{"rendered":"Initial state and observed problems Observed problems We had observed a problem, where a SIP phone is registering, but the AOR record indicates, that as a Contact IP address the incorrect and strange private IP address is used. As is shown on following listing: voip*CLI> pjsip show aor 1765 Aor: <Aor……………………………………….> <MaxContact> Contact: Aor: 1765…<\/p>","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[777,1144,783,1047,771,803],"tags":[1049,1180,941],"class_list":["post-4701","post","type-post","status-publish","format-standard","hentry","category-asterisk-en","category-fortigate","category-nat-fw","category-practical-fortinet","category-sip-en","category-sip-ua","tag-fortigate","tag-nat","tag-sip"],"taxonomy_info":{"category":[{"value":777,"label":"Asterisk"},{"value":1144,"label":"Fortigate"},{"value":783,"label":"NAT, FW"},{"value":1047,"label":"Practical \u2013 Fortinet"},{"value":771,"label":"SIP"},{"value":803,"label":"SIP UA"}],"post_tag":[{"value":1049,"label":"Fortigate"},{"value":1180,"label":"NAT"},{"value":941,"label":"sip"}]},"featured_image_src_large":false,"author_info":{"display_name":"palo73","author_link":"https:\/\/nil.uniza.sk\/en\/author\/palo73\/"},"comment_info":22,"category_info":[{"term_id":777,"name":"Asterisk","slug":"asterisk-en","term_group":0,"term_taxonomy_id":775,"taxonomy":"category","description":"","parent":771,"count":3,"filter":"raw","cat_ID":777,"category_count":3,"category_description":"","cat_name":"Asterisk","category_nicename":"asterisk-en","category_parent":771},{"term_id":1144,"name":"Fortigate","slug":"fortigate","term_group":0,"term_taxonomy_id":1142,"taxonomy":"category","description":"About Fortigate","parent":1047,"count":2,"filter":"raw","cat_ID":1144,"category_count":2,"category_description":"About Fortigate","cat_name":"Fortigate","category_nicename":"fortigate","category_parent":1047},{"term_id":783,"name":"NAT, FW","slug":"nat-fw","term_group":0,"term_taxonomy_id":781,"taxonomy":"category","description":"","parent":771,"count":5,"filter":"raw","cat_ID":783,"category_count":5,"category_description":"","cat_name":"NAT, FW","category_nicename":"nat-fw","category_parent":771},{"term_id":1047,"name":"Practical \u2013 Fortinet","slug":"practical-fortinet","term_group":0,"term_taxonomy_id":1045,"taxonomy":"category","description":"","parent":0,"count":2,"filter":"raw","cat_ID":1047,"category_count":2,"category_description":"","cat_name":"Practical \u2013 Fortinet","category_nicename":"practical-fortinet","category_parent":0},{"term_id":771,"name":"SIP","slug":"sip-en","term_group":0,"term_taxonomy_id":769,"taxonomy":"category","description":"","parent":0,"count":23,"filter":"raw","cat_ID":771,"category_count":23,"category_description":"","cat_name":"SIP","category_nicename":"sip-en","category_parent":0},{"term_id":803,"name":"SIP UA","slug":"sip-ua","term_group":0,"term_taxonomy_id":801,"taxonomy":"category","description":"","parent":771,"count":10,"filter":"raw","cat_ID":803,"category_count":10,"category_description":"","cat_name":"SIP UA","category_nicename":"sip-ua","category_parent":771}],"tag_info":[{"term_id":1049,"name":"Fortigate","slug":"fortigate","term_group":0,"term_taxonomy_id":1047,"taxonomy":"post_tag","description":"","parent":0,"count":2,"filter":"raw"},{"term_id":1180,"name":"NAT","slug":"nat","term_group":0,"term_taxonomy_id":1178,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":941,"name":"sip","slug":"sip","term_group":0,"term_taxonomy_id":939,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/4701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=4701"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/4701\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=4701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=4701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=4701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}