Initial state and observed problems
Observed problems
We observed a problem where a SIP phone registers successfully, but the AOR record shows a strange private IP address as the Contact address instead of the expected one, as shown in the following listing:
voip*CLI> pjsip show aor 1765

      Aor:  <Aor..............................................>  <MaxContact>
    Contact:

      Aor:  1765                                               1
    Contact:  1765/sip:1765@10.16.42.46:65476             f123d14d1c NonQual         nan

 ParameterName        : ParameterValue
 =================================================
 authenticate_qualify : false
 contact              : sip:1765@10.16.42.46:65476
 default_expiration   : 7200
 mailboxes            :
 max_contacts         : 1
 maximum_expiration   : 7200
 minimum_expiration   : 60
 outbound_proxy       :
 qualify_frequency    : 0
 qualify_timeout      : 3.000000
 remove_existing      : true
 support_path         : false
 voicemail_extension  :
This causes a problem where incoming calls (calls to extension 1765) never reach the SIP phone. We first tried to fix it on the phone alone, by changing its NAT configuration and using STUN, without success. We then set up a lab with two Cisco routers performing NAT to simulate the topology, and it worked perfectly. This points to a problem with the Fortigate firewall. Several posts indicate the cause could be the SIP ALG, which is enabled by default on Fortigate devices and rewrites SIP messages.
Topology
The topology is simple: a SIP VoIP phone (Sipura Linksys/Cisco) plugged into the LAN of a home network. The LAN sits behind a local Fortigate firewall, which performs NAT to the ISP's address space. The ISP uses NAT as well, so SIP calls have to traverse several NAT devices. The phone registers with our Asterisk VoIP PBX.
Devices and software entities
My environment includes:
- VoIP phone: Sipura Linksys/Cisco SPA hardware VoIP phone
- Fortigate firewall: FortiWiFi 30D running FortiOS 5.6
- VoIP PBX: Asterisk 16.2.1 SIP PBX using the PJSIP module with NAT support configured
Some resources to learn from (as I'm a Fortigate newbie):
- https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/intro.htm
- https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/ALG-NAT.htm
Solution
Well, first of all, backup your firewall config.
Step 1) Disable SIP ALG inspection
Run the following commands:
config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
Now we change the default VoIP profile to disable SIP and RTP processing:
config voip profile
edit default
config sip
set status disable
set rtp disable
end
end
Step 2) Remove session helper
Run:
config system session-helper
show
and scroll down to find the edit entry for SIP. In our case it is number 13 (it may differ on your device):
--More-- set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
--More--
Delete it:
delete 13
end
Step 3) Clear session information
Now we need to clear the session table:
diagnose sys session clear
or reboot the firewall:
execute reboot
The system will be rebooted.
Do you want to continue? (y/n)
Then restart/reboot the SIP phone (or wait until its registration expires).
Step 4) Final check on Asterisk
The AOR record should now have changed and show your public IP address:
voip*CLI> pjsip show aor 1765

      Aor:  <Aor..............................................>  <MaxContact>
    Contact:

      Aor:  1765                                               1
    Contact:  1765/sip:1765@87.244.204.168:65476          f123d14d1c NonQual         nan

 ParameterName        : ParameterValue
 ====================================================
 authenticate_qualify : false
 contact              : sip:1765@YOUR_PUBLIC_IP_ADDRESS:65476
 default_expiration   : 7200
 mailboxes            :
 max_contacts         : 1
 maximum_expiration   : 7200
 minimum_expiration   : 60
 outbound_proxy       :
 qualify_frequency    : 0
 qualify_timeout      : 3.000000
 remove_existing      : true
 support_path         : false
 voicemail_extension  :
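To automate this final check (and to catch the symptom from the first listing early), here is an added Python example that is not part of the original post or of Asterisk: it parses the Contact line of `pjsip show aor` output and flags a private or carrier-grade NAT address, which means an ALG or NAT device rewrote the Contact header. The samples are constructed to mirror the before/after listings above; `check_live` assumes the asterisk binary is on PATH and that you may attach to its remote console.

```python
import ipaddress
import re
import subprocess

# Matches the Contact line of "pjsip show aor <ext>" output, e.g.
#   Contact:  1765/sip:1765@10.16.42.46:65476   f123d14d1c NonQual   nan
# Group 1 is the host part (IPv6 literals keep their brackets until stripped).
CONTACT_RE = re.compile(
    r"Contact:\s+\S+/sips?:(?:[^@\s]+@)?(\[[^\]]+\]|[^:;\s>]+)(?::(\d+))?")
# 100.64.0.0/10 (carrier-grade NAT, as used by some ISPs) is not covered by
# is_private on older Pythons, but such a Contact is equally unreachable.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def contact_ips(aor_output):
    """Host part of every registered Contact in the CLI output."""
    return [m.group(1).strip("[]") for m in CONTACT_RE.finditer(aor_output)]

def check_contacts(aor_output):
    """Map each Contact host to 'private' (the ALG/NAT leaked a LAN or CGNAT
    address into the Contact header), 'public' (expected after the fix) or
    'hostname' (not an IP literal)."""
    result = {}
    for host in contact_ips(aor_output):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            result[host] = "hostname"
            continue
        leaked = ip.is_private or (ip.version == 4 and ip in CGNAT)
        result[host] = "private" if leaked else "public"
    return result

def check_live(extension):
    """Query the running Asterisk via its remote console (assumes the
    asterisk binary is on PATH and we are allowed to attach to it)."""
    cli = subprocess.run(["asterisk", "-rx", "pjsip show aor %s" % extension],
                         capture_output=True, text=True, check=True).stdout
    return check_contacts(cli)

# Constructed samples mirroring the before/after listings on this page.
BEFORE = """      Aor:  1765                                               1
    Contact:  1765/sip:1765@10.16.42.46:65476             f123d14d1c NonQual         nan
"""
AFTER = """      Aor:  1765                                               1
    Contact:  1765/sip:1765@87.244.204.168:65476          f123d14d1c NonQual         nan
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_contacts(sample))  # before: private, after: public
```

Running it from cron against each extension turns a silent "calls never arrive" failure into an alert the moment a private Contact reappears.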