
3CX and Watchguard X550E

Status
Not open for further replies.

Don_Zalmrol

Hi all,

I've recently purchased an old Watchguard X550E from eBay (in mint condition). Everything is set up and the firmware has been updated to the latest for this series (V11.3.8). I've followed the guide located on the 3CX FAQ and widened the RTP scope for my provider WeePee (BE).

http://www.3cx.com/blog/voip-howto/watchguard-xtm-firewall/

But now for some reason I only have one-way audio...
Outgoing is working, the caller can hear us. But not the other way around.

So it seems that the incoming rule is not complete or rejecting certain ports...

RTP is not working.

Could somebody help me please?

Thank you in advance!



LOG FILE (excerpt, test from my mobile):
---------------------------------------------------------------------------------

Code:
16-jun-2015 18:50:11.159	[MS105000] C:47.1: No RTP packets were received:remoteAddr=X.X.X.X:25544,extAddr=0.0.0.0:0,localAddr=X.X.X.X:9120

16-jun-2015 18:50:10.225	Leg L:47.2[VMail] is terminated: Cause: BYE from PBX

16-jun-2015 18:50:10.225	[CM503008]: Call(C:47): Call is terminated

16-jun-2015 18:50:10.222	Leg L:47.1[Line:XXXXX<<047321XXXX] is terminated: Cause: BYE from X.X.X.X:5060

16-jun-2015 18:49:56.179	Currently active calls - 1: [47]

16-jun-2015 18:49:54.581	[CM503007]: Call(C:47): VMail:XXXhas joined, contact <sip:[email protected]:40600>

16-jun-2015 18:49:54.580	[CM503007]: Call(C:47): Line:XXXXX<<047321XXXX has joined, contact <sip:[email protected]:5060>

16-jun-2015 18:49:54.578	L:47.2[VMail] has joined to L:47.1[Line:XXXXXX<<047321XXXX]

16-jun-2015 18:49:54.428	[CM503025]: Call(C:47): Calling T:VMail:XXX@[Dev:sip:[email protected]:40600;rinstance=cc4b583f0d1848c7] for L:47.1[Line:XXXXX<<047321XXXX ]

16-jun-2015 18:49:54.380	[CM503027]: Call(C:47): From: Line:XXXXX<<0473210087 ("Zaak In:LAURENS GSM" <sip:047321XXXX @X.X.X.X:5060>)  to  T:VMail:XXX@[Dev:sip:[email protected]:40600;rinstance=cc4b583f0d1848c7]

16-jun-2015 18:49:54.380	[CM503004]: Call(C:47): Route 1: from L:47.1[Line:XXXXX<<047321XXXX ] to T:VMail:XXX@[Dev:sip:[email protected]:40600;rinstance=cc4b583f0d1848c7]

16-jun-2015 18:49:54.380	[CM505003]: Provider:[WeePee] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [weepee] PBX contact: [sip:[email protected]:5060]

16-jun-2015 18:49:54.380	[CM503001]: Call(C:47): Incoming call from Line:10000<<047321XXXX to <sip:[email protected]:5060>

16-jun-2015 18:49:54.379	Line limit check: Current # of calls for line Lc:10000(@WeePee[<sip:[email protected]:5060>]) is 1; limit is 8

16-jun-2015 18:49:54.376	[CM503012]: Inbound out-of-office hours rule (Zaak In) for XXXXX forwards to VM:XXX
 

Attachments: 1.PNG, 2.PNG, 3.PNG

Check to see if your router supports SIP-ALG; it needs to be disabled.
 
Hi,

I'm trying to find how to turn it off. But I don't actually use a SIP (SIP-ALG) policy in my firewall.
But yes, I do see hits from the "proxy" in the WatchGuard System Manager.

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/sip/sip_proxy_about_c.html

2015-06-16 22:35:35 sip-proxy 14:12093: new RTP connection [w2c14r14h0] 10.0.10.3:9032 -> 91.208.12.135:23400 [A] | 81.83.22.28:23400 -> 91.208.12.135:23400 Debug
 
I do not recall seeing this in the instructions, and others report not needing it. However, I have found 3cx in general works best without Outbound 1-1 NAT.
Ensure traffic coming from internal 3cx ip is routed to the same external ip that inbound 3cx traffic is going to.
 
Hi Craig,

How can I do this then?

Like you can see in the pictures from the first post I have a rule that works like this:

From: Any external
To: External interface -> Internal IP address of the 3CX server

So it's an SNAT rule that is in place.



I only have 1 static public IP.



I was also thinking about creating two rules to separate the SIP traffic from the RTP traffic.
Since the SIP works, but then the incoming RTP is dropped (the logs actually don't show this, only the "sip-proxy" statement shows that it has been established and allowed). So it's probably safe to assume that it is inside this proxy that it drops the RTP...

e.g.:

Rule 1:

Ports:
TCP-UDP 5060-5061

From: Any external
To: External interface -> Internal IP address of the 3CX server

And then

Rule 2:

Ports:
3CX tunnel TCP-UDP 5090
3CX RTP UDP 9000-9199
ISP RTP UDP 10000-30000


From: Any external
To: External interface -> Internal IP address of the 3CX server
 
Maybe an open door, but have you successfully run the Firewall Checker?
 
Yes, I did that, all in the green.

The issue is I believe with the sip-proxy.
 
http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/sip/sip_proxy_general_c.html


Check this document out and see if it helps.
 
Hi Jasit,

Thank you, but I've already posted that link in my third comment :)

It doesn't speak about disabling the proxy itself, just that you can change it to your liking.
 
If you have only 1 IP then that is not the culprit. All outbound traffic would be using the single IP by default.
 
Okay, after digging around, I've found a solution to my problem.

It was indeed a proxy issue like I've thought.
You don't need to disable SIP-ALG (SIP proxy) at all!

You only need to create a second rule.

Below is an example for people who are having the exact same issue (now or in the future):

Rule 1

Select SIP-PROXY

Ports:
- TCP 5060-5061
- UDP 5060-5061

From: any-external
To: any-external -> Internal PBX IP (SNAT)

Rule 2

Select packet filter

Ports:
- TCP 5090
- UDP 5090, 9000-9199 (3CX RTP), 10000-30000 (My SIP provider RTP)

From: any-external
To: any-external -> Internal PBX IP (SNAT)

Rule 3

This is basically your outgoing rule from your internal side to your external side, it's default configured by Watchguard. So you don't actually have to do something about this.

Yet some people tend to change this around for more security from the inside to the outside. In that case you have to add the 3CX rules we've created to this one or make a separate outgoing rule for your PBX.

And that's it!

I now have a working PBX again with added security from the firewall and use of a SIP-Proxy.

PS: Don't forget to change your SIP-Proxy settings for the allowed channels you have. Mine seems to be limited to 4 calls max. But in my case this isn't an issue. If you do need to use more continuous calls at the same time (e.g. call centers) you can just create and use a packet filter instead of a SIP proxy...
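
Added example, not part of the original posts and not 3CX or WatchGuard tooling: a Python check that models the two inbound rules from the post above as data and reports which policy would handle the PBX-side RTP port named in an `[MS105000]` "No RTP packets were received" log line. The rule dictionary layout, the function names and the documentation IP addresses in the constructed sample log are assumptions.

```python
import re

# Inbound rule layout from the final post, modelled as data (hypothetical structure).
RULES = [
    {"name": "Rule 1", "policy": "sip-proxy",
     "ports": {"tcp": [(5060, 5061)], "udp": [(5060, 5061)]}},
    {"name": "Rule 2", "policy": "packet-filter",
     "ports": {"tcp": [(5090, 5090)],
               "udp": [(5090, 5090), (9000, 9199), (10000, 30000)]}},
]

# Constructed sample in the format of the MS105000 line from the first post;
# documentation addresses stand in for the masked X.X.X.X values.
SAMPLE_LOG = (
    "16-jun-2015 18:50:11.159\t[MS105000] C:47.1: No RTP packets were received:"
    "remoteAddr=192.0.2.10:25544,extAddr=0.0.0.0:0,localAddr=198.51.100.5:9120\n"
    "16-jun-2015 18:50:10.225\t[CM503008]: Call(C:47): Call is terminated\n"
)

NO_RTP = re.compile(
    r"\[MS105000\] (?P<leg>C:[\d.]+): No RTP packets were received:"
    r"remoteAddr=[^:,]+:(?P<remote>\d+),extAddr=[^,]+,"
    r"localAddr=[^:,]+:(?P<local>\d+)"
)

def match_rule(proto, port, rules=RULES):
    """Return the first rule whose port ranges cover proto/port, else None."""
    for rule in rules:
        if any(lo <= port <= hi for lo, hi in rule["ports"].get(proto, [])):
            return rule
    return None

def audit_no_rtp(log_text, rules=RULES):
    """For each MS105000 line, report which policy handles the local RTP port."""
    findings = []
    for m in NO_RTP.finditer(log_text):
        port = int(m.group("local"))  # inbound RTP is addressed to this port
        rule = match_rule("udp", port, rules)
        findings.append({
            "leg": m.group("leg"),
            "local_rtp_port": port,
            "remote_rtp_port": int(m.group("remote")),
            "rule": rule["name"] if rule else None,
            "policy": rule["policy"] if rule else "no inbound rule",
        })
    return findings
```

Passing a different rule list as the second argument shows how the same log line would be classified if the RTP range sat in a proxy policy or in no inbound rule at all.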
 