3CX and Watchguard X550E

Discussion in '3CX Phone System - General' started by Don_Zalmrol, Jun 16, 2015.

Thread Status:
Not open for further replies.
  1. Don_Zalmrol

    Joined:
    Apr 25, 2012
    Messages:
    45
    Likes Received:
    0
    Hi all,

    I've recently purchased an old Watchguard X550E from eBay (in mint condition). Everything is set up and the firmware has been updated to the latest for this series (V11.3.8). I've followed the guide located on the 3CX FAQ and widened the RTP scope for my provider WeePee (BE).

    http://www.3cx.com/blog/voip-howto/watchguard-xtm-firewall/

    But now for some reason I only have one-way audio...
    Outgoing is working, the caller can hear us. But not the other way around.

    So it seems that the incoming rule is not complete or rejecting certain ports...

    RTP is not working.

    Could somebody help me please?

    Thank you in advance!



    LOG FILE (excerpt, test from my mobile):
    ---------------------------------------------------------------------------------

    Code:
    16-jun-2015 18:50:11.159	[MS105000] C:47.1: No RTP packets were received:remoteAddr=X.X.X.X:25544,extAddr=0.0.0.0:0,localAddr=X.X.X.X:9120
    
    16-jun-2015 18:50:10.225	Leg L:47.2[VMail] is terminated: Cause: BYE from PBX
    
    16-jun-2015 18:50:10.225	[CM503008]: Call(C:47): Call is terminated
    
    16-jun-2015 18:50:10.222	Leg L:47.1[Line:XXXXX<<047321XXXX] is terminated: Cause: BYE from X.X.X.X:5060
    
    16-jun-2015 18:49:56.179	Currently active calls - 1: [47]
    
    16-jun-2015 18:49:54.581	[CM503007]: Call(C:47): VMail:XXXhas joined, contact <sip:XXX@127.0.0.1:40600>
    
    16-jun-2015 18:49:54.580	[CM503007]: Call(C:47): Line:XXXXX<<047321XXXX has joined, contact <sip:XXXXX@ssw5.brussels.weepee.org:5060>
    
    16-jun-2015 18:49:54.578	L:47.2[VMail] has joined to L:47.1[Line:XXXXXX<<047321XXXX]
    
    16-jun-2015 18:49:54.428	[CM503025]: Call(C:47): Calling T:VMail:XXX@[Dev:sip:XXX@127.0.0.1:40600;rinstance=cc4b583f0d1848c7] for L:47.1[Line:XXXXX<<047321XXXX ]
    
    16-jun-2015 18:49:54.380	[CM503027]: Call(C:47): From: Line:XXXXX<<0473210087 ("Zaak In:LAURENS GSM" <sip:047321XXXX @X.X.X.X:5060>)  to  T:VMail:XXX@[Dev:sip:XXX@127.0.0.1:40600;rinstance=cc4b583f0d1848c7]
    
    16-jun-2015 18:49:54.380	[CM503004]: Call(C:47): Route 1: from L:47.1[Line:XXXXX<<047321XXXX ] to T:VMail:XXX@[Dev:sip:XXX@127.0.0.1:40600;rinstance=cc4b583f0d1848c7]
    
    16-jun-2015 18:49:54.380	[CM505003]: Provider:[WeePee] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [weepee] PBX contact: [sip:XXXXXXXXXXXX@X.X.X.X:5060]
    
    16-jun-2015 18:49:54.380	[CM503001]: Call(C:47): Incoming call from Line:10000<<047321XXXX to <sip:XXX@X.X.X.X:5060>
    
    16-jun-2015 18:49:54.379	Line limit check: Current # of calls for line Lc:10000(@WeePee[<sip:XXXXXXXXXXX@ssw5.brussels.weepee.org:5060>]) is 1; limit is 8
    
    16-jun-2015 18:49:54.376	[CM503012]: Inbound out-of-office hours rule (Zaak In) for XXXXX forwards to VM:XXX
    
     

    Attached Files:

    • 1.PNG (29.5 KB)
    • 2.PNG (32.7 KB)
    • 3.PNG (28.9 KB)
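Added example (not part of the original post, and not 3CX code): a small parser for the `[MS105000]` "No RTP packets were received" lines shown in the excerpt above, which checks whether each call's local RTP port falls inside the range the firewall forwards. The range `(9000, 9049)` and the sample addresses are assumptions; substitute the range configured in your own inbound policy.

```python
import re

# Constructed sample in the format of the excerpt above. Addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
16-jun-2015 18:50:11.159\t[MS105000] C:47.1: No RTP packets were received:remoteAddr=203.0.113.10:25544,extAddr=0.0.0.0:0,localAddr=192.0.2.20:9120
16-jun-2015 18:50:10.225\t[CM503008]: Call(C:47): Call is terminated
16-jun-2015 18:49:54.380\t[CM503001]: Call(C:47): Incoming call from Line:10000<<047321XXXX to <sip:XXX@192.0.2.20:5060>
16-jun-2015 18:51:02.004\t[MS105000] C:48.1: No RTP packets were received:remoteAddr=203.0.113.10:25560,extAddr=0.0.0.0:0,localAddr=192.0.2.20:9004
"""

NO_RTP = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[MS105000\] C:(?P<call>\d+)\.(?P<leg>\d+): "
    r"No RTP packets were received:"
    r"remoteAddr=(?P<remote>[^,]+),extAddr=(?P<ext>[^,]+),localAddr=(?P<local>\S+)$"
)

def split_addr(addr):
    """Split 'host:port' into (host, int(port))."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def find_no_rtp(log_text, forwarded_range):
    """Return one record per MS105000 line.

    forwarded_range is the (low, high) UDP range the firewall forwards to
    the PBX; it is an input you supply, not something the log contains.
    """
    low, high = forwarded_range
    findings = []
    for line in log_text.splitlines():
        m = NO_RTP.match(line.strip())
        if not m:
            continue
        _, local_port = split_addr(m["local"])
        findings.append({
            "timestamp": m["ts"],
            "call": m["call"],
            "leg": m["leg"],
            "remote": split_addr(m["remote"]),
            "local_port": local_port,
            # False: the port forward does not cover this port.
            # True: the forward covers it, so look elsewhere on the path
            # (in this thread, the firewall's SIP proxy policy).
            "local_port_forwarded": low <= local_port <= high,
        })
    return findings

if __name__ == "__main__":
    for f in find_no_rtp(SAMPLE_LOG, (9000, 9049)):
        print(f)
```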
  2. jasit

    jasit New Member

    Joined:
    Feb 12, 2013
    Messages:
    171
    Likes Received:
    1
    Check to see if your router supports SIP-ALG; it needs to be disabled.
     
  3. Don_Zalmrol

    Joined:
    Apr 25, 2012
    Messages:
    45
    Likes Received:
    0
    Hi,

    I'm trying to find how to turn it off. But I don't actually use a SIP (SIP-ALG) policy in my firewall.
    But yes, I do see hits from the "proxy" in the Watchguard system manager.

    http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/sip/sip_proxy_about_c.html

     
  4. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,079
    Likes Received:
    202
    I do not recall seeing this in the instructions, and others report not needing it. However, I have found 3cx in general works best without Outbound 1-1 NAT.
    Ensure traffic coming from internal 3cx ip is routed to the same external ip that inbound 3cx traffic is going to.
     
  5. Don_Zalmrol

    Joined:
    Apr 25, 2012
    Messages:
    45
    Likes Received:
    0
    Hi Craig,

    How can I do this then?

    Like you can see in the pictures from the first post I have a rule that works like this:

    From: Any external
    To: External interface -> Internal IP address of the 3CX server

    So it's an SNAT rule that is in place.



    I only have 1 static public IP.



    I was also thinking about creating two rules to separate the SIP traffic from the RTP traffic.
    Since the SIP works, but then the incoming RTP is dropped (the logs actually don't show this, only the "sip-proxy" statement shows that it has been established and allowed). So it's probably safe to assume that it is inside this proxy that it drops the RTP...

    e.g.:

    And then

     
  6. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    763
    Likes Received:
    39
    Maybe an open door, but have you successfully run the Firewall Checker?
     
  7. Don_Zalmrol

    Joined:
    Apr 25, 2012
    Messages:
    45
    Likes Received:
    0
    Yes, I did that, all in the green.

    The issue is I believe with the sip-proxy.
     
  8. jasit

    jasit New Member

    Joined:
    Feb 12, 2013
    Messages:
    171
    Likes Received:
    1
    http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/sip/sip_proxy_general_c.html


    Check this document out, see if it helps.
     
  9. Don_Zalmrol

    Joined:
    Apr 25, 2012
    Messages:
    45
    Likes Received:
    0
    Hi Jasit,

    Thank you, but I've already posted that link in my third comment :)

    It doesn't speak about disabling the proxy itself, just that you can change it to your liking.
     
  10. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,079
    Likes Received:
    202
    If you have only 1 IP then that is not the culprit. All outbound traffic would be using the single IP by default.
     
  11. Don_Zalmrol

    Joined:
    Apr 25, 2012
    Messages:
    45
    Likes Received:
    0
    Okay after digging around, I've found a solution to my problem.

    It was indeed a proxy issue like I've thought.
    You don't need to disable SIP-ALG (SIP proxy) at all!

    You only need to create a second rule.

    Below is an example for people who are having the exact same issue (now or in the future):

    And that's it!

    I now have a working PBX again with added security from the firewall and use of a SIP-Proxy.

    PS: Don't forget to change your SIP-Proxy settings for the allowed channels you have. Mine seems to be limited to 4 calls max. But in my case this isn't an issue. If you do need to use more continuous calls at the same time (e.g. call centers) you can just create and use a packet filter instead of a SIP proxy...
     