
Firewall check passes SIP ALG, fails 5060 and 9000 ports


Christian Montiel

Hello everyone.

I have these issues and I am unable to solve them so far. I'm pretty new to this matter, and surely it is something simple.

I have configured my firewall (FortiGate) as suggested by the guidelines and all the tests pass except for the 3CX SIP Server when testing port 5060; the log looks like this:

testing 3CX SIP Server... failed (How to resolve?)
  • stopping service... done
  • detecting SIP ALG... not detected
  • testing port 5060... Mapping does not match 5060. Mapping is 36730. (How to resolve?)
  • starting service... done
Also, the media server fails only on the port 9000 but succeeds on the rest of the ports.
testing 3CX Media Server... failed (How to resolve?)
  • stopping service... done
  • testing ports [9000..9398]... failed (How to resolve?)
    • testing port 9000... Mapping does not match 9000. Mapping is 36734. (How to resolve?)
    • testing port 9002... done
    • testing port 9004... done
My setup is pretty simple.

analog lines->gateway->fortigate -> ISP modem (DMZ)
3cx linux server->fortigate -> ISP modem (DMZ)

all under the same local network provided by the FortiGate, everything works on the phones but I always get one-way audio and I am thinking that maybe the reason is the 3CX SIP server failing the test or the media server.

At first, I thought the ISP was blocking the port, but I can confirm it is not the ISP.

I hope you can help me.

Thanks in advance.
 
Hi Christian,

I guess you mean you have followed this guide:
https://www.3cx.com/docs/fortigate-firewall-configuration/

I am going to make an assumption that it may be that you have the wrong type of NAT setup - you should ideally be using 1 to 1 NAT mappings (public to private IP) for your 3CX system - please advise.

It seems from the results that there is a mapping in place but the port is incorrect, either set incorrectly or changing dynamically.
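The checker output quoted in the first post and the reading of it given above (a mapping exists, but the port the 3CX test server sees is not the one the PBX sent from) can be turned into a small triage step. The following is an added example written for this thread, not code from 3CX or the firewall checker: it parses the checker's text output, separates the "SIP ALG detected" case from the "port was translated" case, and lists every expected/observed port pair. A mismatch such as 5060 seen as 36730 is the signature of port address translation (source ports rewritten by the NAT device), which is exactly what a port-preserving 1:1 static mapping avoids. The sample input is constructed from the lines in the post; the verdict labels are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the firewall checker lines quoted in the first post,
# including the "(How to resolve?)" link text the checker prints after a failure.
SAMPLE_OUTPUT = """\
testing 3CX SIP Server... failed (How to resolve?)
  • stopping service... done
  • detecting SIP ALG... not detected
  • testing port 5060... Mapping does not match 5060. Mapping is 36730. (How to resolve?)
  • starting service... done
testing 3CX Media Server... failed (How to resolve?)
  • stopping service... done
  • testing ports [9000..9398]... failed (How to resolve?)
    • testing port 9000... Mapping does not match 9000. Mapping is 36734. (How to resolve?)
    • testing port 9002... done
    • testing port 9004... done
"""

# "testing port N... <result>" (the "testing ports [a..b]" summary line does not match)
PORT_RE = re.compile(r"testing port (\d+)\.\.\. (.*)")
# "Mapping does not match N. Mapping is M."  -> expected N, observed M
MISMATCH_RE = re.compile(r"Mapping does not match (\d+)\. Mapping is (\d+)\.")
ALG_RE = re.compile(r"detecting SIP ALG\.\.\. (.*)")


@dataclass
class PortResult:
    expected: int            # port the PBX sent from and expects to be seen on
    observed: Optional[int]  # port the 3CX test server actually saw; None if the test passed
    ok: bool


@dataclass
class CheckReport:
    sip_alg_detected: bool = False
    ports: List[PortResult] = field(default_factory=list)

    def remapped(self) -> List[PortResult]:
        """Ports whose external mapping differs from the port the PBX used."""
        return [p for p in self.ports if not p.ok]

    def verdict(self) -> str:
        # Labels are this example's own, not checker output.
        if self.sip_alg_detected:
            return "sip-alg"          # a SIP helper is rewriting SIP; disable it first
        if self.remapped():
            return "port-translation" # NAT/PAT rewrites source ports; needs 1:1 static NAT
        return "pass"


def parse_checker_output(text: str) -> CheckReport:
    """Parse the firewall checker's indented text output into a CheckReport."""
    report = CheckReport()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        alg = ALG_RE.search(line)
        if alg:
            report.sip_alg_detected = alg.group(1).strip() != "not detected"
            continue
        m = PORT_RE.search(line)
        if not m:
            continue
        expected, rest = int(m.group(1)), m.group(2)
        mm = MISMATCH_RE.search(rest)
        if mm:
            report.ports.append(PortResult(expected, int(mm.group(2)), False))
        else:
            report.ports.append(PortResult(expected, None, rest.startswith("done")))
    return report


def describe(report: CheckReport) -> List[str]:
    """Human-readable lines for each translated port, for pasting into a ticket."""
    return [
        f"port {p.expected} left the NAT as {p.observed} (source port rewritten)"
        for p in report.remapped()
    ]


if __name__ == "__main__":
    r = parse_checker_output(SAMPLE_OUTPUT)
    print("verdict:", r.verdict())
    for line in describe(r):
        print(" ", line)
```

Run against the quoted output it reports `port-translation` with 5060 and 9000 rewritten, which points at the WAN-side policy or VIP doing port translation rather than a port-preserving static mapping; had the ALG line read anything other than "not detected", the SIP helper would be the first thing to fix, since a translated port and an ALG-rewritten SDP both produce one-way audio.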
 
Hi eddv123, thanks in advance for your help and time.

I guess you mean you have followed this guide:
https://www.3cx.com/docs/fortigate-firewall-configuration/


Indeed, I also followed the documentation describing which ports to open.

I am going to make an assumption that it may be that you have the wrong type of NAT setup - you should ideally be using 1 to 1 NAT mappings (public to private IP) for your 3CX system - please advise.

Well, basically, I have 2 policies.

(internet access, with no security profiles whatsoever and NAT)
3cx(LAN) -> Fortigate (WAN)

3CX's VIP ports suggested in the documentation, as follows, in a policy from WAN to LAN, no NAT.
0.0.0.0->3CX's local IP and UDP or TCP ports

I was thinking maybe something about the NAT is the problem but can't seem to find what.

Chris.
 
Either that or SIP ALG is enabled - I would re-confirm this also as some router types require a CLI command to turn this off.

SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. I have also heard reports of ports changing on the fly.
 
Hello @Christian Montiel

The following guide should help you troubleshoot the issue using Wireshark. Run a capture side by side with the firewall checker and check in Wireshark what is being sent and received.
https://www.3cx.com/docs/firewall-checker/

Thanks for the reply. I tried another configuration, this time skipping the Fortigate and trying the ISP modem directly using DMZ, so there is no problem with the ports, and I reach the same problem as with the Fortigate. I'll do the Wireshark test and update this discussion.
 
Either that or SIP ALG is enabled - I would re-confirm this also as some router types require a CLI command to turn this off.

SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. I have also heard reports of ports changing on the fly.

Hi, thanks for the reply and sorry for the late reply; I double-checked with the Fortinet support team and the SIP ALG is deactivated in the unit. I did the required CLI commands and still reach the same point.

The firewall test still fails, but I can make calls inside and outside the network; however, the inside network setup only gives me one-way audio and the push notifications are not working (but this may be another issue altogether).

I'll do the Wireshark diagnosis and update the discussion as advised by another member.

Best Regards.
Chris.
 
but the inside network setup only gives me one-way audio

This is very strange: inside calls should not traverse the firewall (unless you are using a hosted system and remote STUN phones), so there is something very odd going on.

Unless, of course, you have incorrectly set up a system with 2 NICs and/or VLANs on the local network; then there is a potential for this sort of issue: https://www.3cx.com/blog/docs/network-configurations-supported-3cx-phone-system/
 