
Problem with a VoIP phone behind NAT – disabling FortiGate SIP ALG

Initial state and observed problems

Observed problems

We observed a problem where a SIP phone registers successfully, but the AOR record shows an incorrect and unexpected private IP address as the Contact address, as the following listing shows:

voip*CLI> pjsip show aor 1765
   Aor:  <Aor..............................................>  <MaxContact>
     Contact:
   Aor:  1765                                                 1
     Contact:  1765/sip:1765@10.16.42.46:65476              f123d14d1c NonQual         nan
 ParameterName        : ParameterValue
  =================================================
  authenticate_qualify : false
  contact              : sip:1765@10.16.42.46:65476
  default_expiration   : 7200
  mailboxes            :
  max_contacts         : 1
  maximum_expiration   : 7200
  minimum_expiration   : 60
  outbound_proxy       :
  qualify_frequency    : 0
  qualify_timeout      : 3.000000
  remove_existing      : true
  support_path         : false
  voicemail_extension  :

This causes a problem where incoming calls (calls to extension 1765) do not reach the SIP phone. We first tried to solve it on the phone alone, by modifying its NAT configuration and using STUN, but without success. We then set up a lab with two Cisco NAT routers to simulate the topology, and it worked perfectly. This pointed to a problem with the FortiGate firewall. Several posts indicate that the cause could be the SIP ALG, which is turned on by default on FortiGate devices and modifies SIP messages.

Topology

The topology is simple. A SIP VoIP phone (Sipura Linksys/Cisco) is plugged into the LAN of a home network. The LAN sits behind a local FortiGate firewall that performs NAT (to the ISP's address space). The ISP uses NAT as well, so the SIP traffic has to traverse several NAT devices. The phone registers to our Asterisk VoIP PBX.

Devices and software entities

My environment includes:

  • VoIP phone: Sipura Linksys/Cisco SPA hardware VoIP phone
  • FortiGate firewall: FortiWiFi 30D running FortiOS 5.6
  • VoIP PBX: Asterisk 16.2.1 VoIP SIP PBX using the PJSIP module with NAT support configured

Some resources to learn from (as I'm a FortiGate newbie):

Solution

Well, first of all, back up your firewall config.

Step 1) Disable SIP ALG inspection

Run the following commands:

config system settings
set sip-helper disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

Now change the default VoIP profile and disable SIP and RTP processing in it:

config voip profile 
  edit default 
  config sip 
    set status disable 
    set rtp disable 
    end 
  end 

Step 2) Remove session helper

Go to:

config system session-helper
show

and scroll down until you find the edit entry for SIP. In our case it is number 13 (it can differ on your device):

        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15

Delete it:

delete 13
end

Step 3) Clear session information

Now we need to clear the session information:

diagnose sys session clear

or reboot the firewall:

execute reboot
The system will be rebooted.
Do you want to continue? (y/n)

and restart/reboot the SIP phone (or wait until its registration expires).

Step 4) Final check on Asterisk

The AOR record should now have changed and show your public IP address:

voip*CLI> pjsip show aor 1765
   Aor:  <Aor..............................................>  <MaxContact>
     Contact:
   Aor:  1765                                                 1
     Contact:  1765/sip:1765@87.244.204.168:65476           f123d14d1c NonQual         nan
 ParameterName        : ParameterValue
  ====================================================
  authenticate_qualify : false
  contact              : sip:1765@YOUR_PUBLIC_IP_ADDRESS:65476
  default_expiration   : 7200
  mailboxes            :
  max_contacts         : 1
  maximum_expiration   : 7200
  minimum_expiration   : 60
  outbound_proxy       :
  qualify_frequency    : 0
  qualify_timeout      : 3.000000
  remove_existing      : true
  support_path         : false
  voicemail_extension  :
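As an added check for this last step (an example script written for this post, not part of the original or of Asterisk), the following Python parses the Contact lines from "pjsip show aor" output and flags AORs that still register from a private address; it also goes a little beyond the case above by optionally comparing every Contact host against the public IP you expect. The sample output and AOR 1766 are constructed.

```python
import ipaddress
import re

# Constructed sample modelled on the 'pjsip show aor' listings above: AOR 1765
# still carries the private address the ALG wrote into its Contact, AOR 1766
# shows the public address expected after the fix.
SAMPLE_OUTPUT = """\
voip*CLI> pjsip show aor 1765
   Aor:  1765                                                 1
     Contact:  1765/sip:1765@10.16.42.46:65476              f123d14d1c NonQual         nan
voip*CLI> pjsip show aor 1766
   Aor:  1766                                                 1
     Contact:  1766/sip:1766@87.244.204.168:5062            0a1b2c3d4e NonQual         nan
"""

# Contact line of 'pjsip show aor(s)': <aor>/sip:<user>@<host>:<port>
CONTACT_RE = re.compile(
    r"Contact:\s+(?P<aor>\S+?)/sip:[^@\s]+@(?P<host>[^:\s]+):(?P<port>\d+)"
)

def find_contacts(cli_output):
    """Return (aor, host, port) for every registered Contact in the output."""
    return [(m.group("aor"), m.group("host"), int(m.group("port")))
            for m in CONTACT_RE.finditer(cli_output)]

def is_private_host(host):
    """True when host is a private/loopback/link-local IP; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def suspicious_contacts(cli_output, expected_public_ip=None):
    """Flag AORs whose Contact points at a private IP (the ALG/NAT symptom above)
    or, when expected_public_ip is given, at any other host than that address."""
    hits = []
    for aor, host, port in find_contacts(cli_output):
        reasons = []
        if is_private_host(host):
            reasons.append("private address in Contact")
        if expected_public_ip and host != expected_public_ip:
            reasons.append("Contact host is not %s" % expected_public_ip)
        if reasons:
            hits.append((aor, host, port, "; ".join(reasons)))
    return hits

for aor, host, port, why in suspicious_contacts(SAMPLE_OUTPUT):
    print("AOR %s registered from %s:%d (%s)" % (aor, host, port, why))
```

On a live box, feed it the output of `asterisk -rx "pjsip show aors"` followed by `pjsip show aor <name>` for each entry, or just the detail listing you already have open.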
