Troubleshooting Remote Extensions and VoIP Providers Using the 3CX Firewall Checker

Introduction to the 3CX Firewall Checker

The 3CX Firewall Checker is a tool which can be used to check that your router or firewall allows network traffic with VoIP Providers, Bridges, External Extensions and 3CXTunnel connections. A supported 3CX Phone System configuration requires that all the necessary ports are forwarded one-on-one into the LAN towards the 3CX Phone system machine. Anything less than that and it is considered as an unsupported configuration. We will use a simple example to demonstrate the use of the 3CXFirewall checker further on.

For this example to work we will make some assumptions:

  1. The 3CX Phone System machine has an IP address of “” and that the test is for port “9500”.
  2. The Public IP address for your WAN port on your WAN-to-LAN device is “” (External IP address).

Port Forwarding information

Basically, for a port to be correctly forwarded to the 3CX Phone System machine, any UDP packet that originates from the PBX machine and therefore has, in its Ethernet headers, the “source IP::Port” reading “”, must reach its final destination (typically a VoIP Provider service, a remote extension, or a bridged PBX) with the Ethernet “source IP::Port” headers reading “”. So in essence, even though the IP Address needs to be translated (so that the traffic can be routed across the Internet Cloud), the port must NOT be translated. Furthermore, any UDP packet that originates from the WAN with Ethernet headers “destination IP::Port” reading “”, must reach the 3CX Phone System machine with the Ethernet “destination IP::Port” headers reading “”.

The 3CX Firewall Checker can be used to determine if port mappings are configured correctly and will also provide additional information which might help you configure your firewall properly.

Running the 3CX Firewall Checker

To run the 3CX Firewall Checker:

  1. Log in to the 3CX Management Console using your credentials.
  2. Click on the “Troubleshooting” node to expand it and then click on the “Firewall Checker” node.
  3. Click the “Run Firewall Checker” button.

firewall checker all green
Once the Firewall Checker starts, networking tests will be performed and depending on the configuration of your firewall or border device, the results will be provided together with information on what you can do to fix/troubleshoot the problem.


  • Important: Starting the Firewall Checker will stop all 3CX Services. The PBX will not be available for the duration of the tests. The tests last 1 second for each port checked if the tests are successful or anywhere between 5 and 10 seconds if the port fails the port check. By default, the firewall checker checks 256 ports. These include port 9000 and port range 9000 – 9255.  Note that you will need to make sure that you have also opened ports 9255-9500 for WebRTC functionality. If everything is configured correctly, the tests should take less than a minute. If there are issues with all the ports, the test can take between 4  and 9 minutes. You also have the option to cancel the test.
  • The Firewall Checker requests the STUN server configured in “Settings” > “Network” > “STUN server” tab, to make connections to it and on the ports being checked. Some firewalls might detect a port scan since the ports are checked sequentially. When this happens, the 3CX Firewall Checker will start reporting issues after the first few ports have been checked. If that happens you might want to disable the port scan check on your firewall while running the 3CX Firewall Checker.

 3CX Firewall Checker Tests

The firewall checker will check for connectivity by making various requests to the STUN servers. The firewall checker performs the following two tests:

Test 1 – Internet Reachability Test

This test checks that the 3CX PBX is able to communicate with the STUN server running on the internet from the port being checked. This test will also perform a DNS resolution check if the STUN server’s hostname is specified. This test checks basic connectivity to the internet and that the STUN server is reachable.

Check the following if you get a failure on test 1:

  • You might have a general problem connecting to the internet. To confirm that open a browser and check that you can connect to the internet by going to a website.
  • You might need to configure your firewall to allow connections from the machine running 3CX Phone System to the internet on the port being checked.  Check this blog post which documents the Ports used by 3CX Phone System.
  • Your firewall might need to be configured to allow both connections to the port being checked on both TCP and UDP. Once again, check this blog post which documents the Ports used by 3CX Phone System.
  • This test will fail if the STUN server is not available. Confirm that the STUN server settings  in “Settings” > “Network” > “Public IP” are correct or use a different STUN server to test.
  • Confirm the port being used by the STUN server. The STUN server might be running on a different port.
  • Apart from the WAN to LAN device (router or firewall), you should also check that the Windows Firewall installed on the local machine is allowing connections on the ports being checked. Anti-virus, and other anti-malware software are known to interfere with this process. You will need to disable or uninstall these to confirm. Note: Disabling these antimalware programs might not be sufficient to pass the tests.
  • Your ISP might be blocking traffic in the port being checked.

Test 2 – One on One Port Forwarding (a.k.a. Inbound Connection) Test

In this test, the firewall checker tries to determine if a server on the internet is able to connect and communicate with 3CX Phone System on the port being checked. This determines if one to one port forwarding (also known as Full Cone Nat) is configured as required by the 3CX PBX on the firewall settings.

For this test, the 3CX Firewall Checker will send a request to the STUN server from the port being checked, and requests the STUN server to make a connection to the PBX from a different IP address on the port being checked.

If test 1 succeeds, but test 2 fails, you should check the following:

Results / Error messages

This section provides a list of results / errors that can be returned by the Firewall Checker.

“Success – Port forwarding is correctly implemented for this port. VoIP can work. This configuration is supported.”

All the tests have completed successfully. Your WAN to LAN device (firewall / router) is allows connections to the internet on the specified port and performs one to one port forwarding correctly. This configuration is supported.

“STUN server has no second address.”

You will get this error message when you are using an incorrectly configured STUN server. The STUN Server must have 2 addresses. You will need to use a different STUN server for these tests.

  1. Log in to the 3CX Management Console.
  2. Click on “Settings” > “Network” > “Public IP”.
  3. Find the “STUN Server” tab and configure one of the following stun servers:,,,

“Failed – No response received or port mapping is closed. Port forwarding not configured correctly. “

Port Forwarding is not configured correctly for the port being checked. In this case VoIP Providers and Remote extensions WILL NOT WORK. Log in to your router / firewall and configure port forwarding by entering the ports required by 3CX and forwarding them to the IP Address of the 3CX Phone System machine.

“Failed – Firewall check failed. Some errors were detected. Please check your firewall configuration and try the test again.”

You will get this message if some ports pass the tests and others don’t. You will need to investigate which ports failed the test and check port forwarding for those ports. Also make sure that the firewall / router is not forwarding connections on the specific port to another IP Address. The ports should be forwarded to the IP Address of 3CX Phone System.

“Failed – Malformed response received – (aka Symmetric NAT). Port forwarding not correctly implemented.”

The response we got from the STUN server indicates that you do not have a one to one NAT (Full cone NAT). 3CX Phone system requires a 1 to 1 port forwarding inbound and outbound, for VoIP Providers, Bridges and external extensions to work.

“STUN server did not answer or port forwarding is not configured on your firewall.”

The STUN server used for this test did not answer. Possible reasons could be:

  1. STUN server is not reachable.
  2. STUN Server is down.
  3. Port forwarding is not configured correctly.

“STUN server address cannot be resolved.”

The DNS resolution used to resolve the STUN server’s IP address failed. This could be a DNS issue, or the STUN server has ceased operations altogether.

“Failed – Malformed or no response received from configured STUN servers. Check your internet connection, DNS settings, or change STUN servers from Settings > Network > STUN Server tab.”

If you get this message check that port forwarding is correctly implemented.  Your firewall might be blocking packets. Check this article on how to configure static port forwarding.

“Failed – Port is in use by another application on this computer.” OR “SIP port is in use by process {0}. The 3CX Firewall checker requires the SIP port to be free.”

The port needed for this test is currently in use by another application installed on the computer. To determine the process that is using on the specified port, run the following command in command prompt:

netstat -ano | findstr /I /C:"PID" /C:":9500"

Replace 9500 with the port number that you need to check. You will find the process id of the process that is listening on the specified port in the PID column. Use this number to identify the process by using the Task Manager or by running the following command in the command prompt:

tasklist /fi "pid eq 4"

Replace 4 with the PID identified previously.

“STUN servers are not reachable. Cannot perform Firewall check. This configuration is not supported”

The STUN servers configured in “Network” > “STUN server” tab cannot be reached. The most probable cause is usually an internet connectivity problem:

  1. Log into the 3CX Management Console.
  2. Click on “Settings” > “Network”.
  3. Go to the STUN Server tab and change the STUN servers to one the following which are hosted by 3CX:,,,

 3CX Firewall Checker Client ApplicationTests

If your issues still persist with your remote extensions after performing all the above steps you can try the 3CX Firewall Checker Client Application at the remote location where your phones are situated which should provide you with additional information and instructions on how to solve your issues.

Liked this article?

Get notified of new articles
or share
You might also be interested in: