Firewall check v15 issue

Discussion in '3CX Phone System - General' started by damirmih, Nov 22, 2016.

Thread Status:
Not open for further replies.
  1. damirmih

    Joined:
    Nov 22, 2016
    Messages:
    11
    Likes Received:
    0
    Hello All,

    I did a search on the forums but could not find a similar issue, therefore I am posting a new topic.

    After upgrading 3CX from v14 to v15 we are getting this error message when we perform the 3CX firewall check:

    testing port 5060... failed
    testing port 5060... unmatched mapping (49152)

    Before the upgrade, with v14, the firewall check passed 100% OK. We upgraded the installation on the same server (VM 2012R2) and no changes were performed on our network. Port 5060 is forwarded to the internal IP of the 3CX server and all phones (desk phones and the 3CX app on mobile and computers) are working OK.

    What could this error mean? All other firewall tests passed.

    Thanks for your help!
     
  2. IT Hamster

    Joined:
    May 21, 2015
    Messages:
    43
    Likes Received:
    0
    Do you have both TCP and UDP protocols enabled on your Firewall for those ports?

    I noticed that I had to have both opened in order for it to pass the test.
     
  3. damirmih

    Joined:
    Nov 22, 2016
    Messages:
    11
    Likes Received:
    0
    Hello,

    Thanks for your reply. I made sure both TCP and UDP are forwarded to 3CX IP address. Also no firewalls are in between that could be blocking the connection, however the issue is still reported in firewall checker. Please help.

    Thanks!
     
  4. damirmih

    Joined:
    Nov 22, 2016
    Messages:
    11
    Likes Received:
    0
    Hello,

    Is anyone else having a similar issue with 3CX v15?
     
  5. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    6,444
    Likes Received:
    463
  6. Philip Ellis

    Joined:
    Jan 15, 2017
    Messages:
    30
    Likes Received:
    0
    Hi

    I've got a new v15 setup on Debian and have similar problems to you.
    Did you ever find a solution?

    I've double-checked my firewall and it's set to allow all of these through:

    5001 TCP
    5060 TCP & UDP
    5090 TCP & UDP
    9000 to 9500 UDP

    My firewall check says:

    • resolving 'stun.3cx.com'... done
    • resolving 'stun2.3cx.com'... done
    • resolving 'stun3.3cx.com'... done
    • testing 3CX SIP Server... failed (How to resolve?)
      • stopping service... done
      • testing port 5060... failed
        • testing port 5060... unmatched mapping (55899)
      • starting service... done
    • testing 3CX Tunneling Proxy... failed (How to resolve?)
      • stopping service... done
      • testing port 5090... failed
        • testing port 5090... unmatched mapping (55901)
      • starting service... done
    • testing 3CX Media Server... failed (How to resolve?)
      • stopping service... done
      • testing ports [9000..9255]... failed
        • testing port 9000... unmatched mapping (55905)
        • testing port 9001... unmatched mapping (55906)
        • testing port 9002... unmatched mapping (55907)
        • testing port 9003... unmatched mapping (55908)
        • testing port 9004... unmatched mapping (55909)
        • testing port 9005... unmatched mapping (55910)
        • testing port 9006... unmatched mapping (55911)
        • testing port 9007... unmatched mapping (55912)
        • testing port 9008... unmatched mapping (55913)
        • testing port 9009... unmatched mapping (55914)
        • testing port 9010... unmatched mapping (55915)
        • ... and so on
        • testing port 9245... unmatched mapping (56155)
        • testing port 9246... unmatched mapping (56157)
        • testing port 9247... unmatched mapping (56141)
        • testing port 9248... unmatched mapping (56158)
        • testing port 9249... unmatched mapping (56153)
        • testing port 9250... unmatched mapping (56159)
        • testing port 9251... unmatched mapping (56166)
        • testing port 9252... unmatched mapping (56165)
        • testing port 9253... unmatched mapping (56163)
        • testing port 9254... unmatched mapping (56164)
        • testing port 9255... unmatched mapping (56167)
      • starting service... done
     
  7. dab

    dab

    Joined:
    Nov 1, 2009
    Messages:
    67
    Likes Received:
    1
    Do you have a static public IP, or does your provider use some sort of CGN (carrier-grade NAT)?
     
  8. Cjay

    Cjay New Member

    Joined:
    Feb 24, 2007
    Messages:
    190
    Likes Received:
    1
    Do you have these ports forwarded in your router to point towards your Debian VM?
     
  9. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
    What make/model router are you using? There may be a setting that requires a change. Does it re-map ports?
     
  10. Philip Ellis

    Joined:
    Jan 15, 2017
    Messages:
    30
    Likes Received:
    0
    Yes, I do have a static IP
     
  11. Philip Ellis

    Joined:
    Jan 15, 2017
    Messages:
    30
    Likes Received:
    0
    Yes, I checked and double-checked them. It almost seems to me as though 3CX expects the same port outwards as is being checked.
    Saying "unmatched mapping" kind of says that to me. Could be wrong, though.
     
  12. Philip Ellis

    Joined:
    Jan 15, 2017
    Messages:
    30
    Likes Received:
    0
    I've actually got two routers before my main network (don't ask!) so there are two lots of firewall rules that I have to handle.
    I've checked them multiple times and all are present. I've also got other services that go through both routers without problems.

    FYI, one is a TP-LINK TL-WR841N and the other is a Technicolor TG589vn v3.
    I don't know about the re-mapping. Do you think that's potentially a factor here?
     
    #12 Philip Ellis, Jan 20, 2017
    Last edited: Jan 21, 2017
  13. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
    So you are passing through both routers, double NATing? Have you tried simplifying things on a single (simple) router, as a test?
     
    #13 leejor, Jan 21, 2017
    Last edited: Jan 21, 2017
  14. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    803
    Likes Received:
    45
    Hi,


    As far as I know and from experience, double NATing will not and is never going to work if it is used for VoIP... because of the double address translation.

    As leejor replied, “use a single (simple) router” to solve the issue.
     
  15. Philip Ellis

    Joined:
    Jan 15, 2017
    Messages:
    30
    Likes Received:
    0
    I'll look at giving that a go and see what happens - could be interesting unraveling that part of my network :)
     
  16. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,416
    Likes Received:
    277
    I am having a similar issue with a Mikrotik router. Sometimes I get a "full cone test fail" and sometimes "not reachable". On the next test, different ports will experience these issues.
     
  17. dab

    dab

    Joined:
    Nov 1, 2009
    Messages:
    67
    Likes Received:
    1
    I can't confirm this for the Mikrotik router. My setup is working as expected, including firewall tests.
    It's all about configuration! Sometimes it's hard to find a small error in a large network with complex routing.
     
  18. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    447
    Likes Received:
    20
    It may not work even if single router is too simple!

    Some very cheap firewalls do not allow this configuration, but most firewalls do.
    What can I do to resolve this problem and create Static port mappings?
     
  19. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,416
    Likes Received:
    277
    Thanks for the response. It's a 1009 so it should handle it just fine... I have a filter list for all of China, because we were getting hit 24/7 on our VPN. I turned that filter off with the same result, just in case it was overloading things.
     
  20. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    My opinion is that the Version 15 SP4 firewall checker reports false errors. I have many PBXs in production running behind a MikroTik Cloud-Core Router; at the same time, the Version 14 PBXs' firewall checker passes OK behind the same router.

    All Version 15 PBXs work normally with external extensions (with or without 3CX tunnel, PBX as a STUN server), external providers, etc. regardless of firewall checker status. This includes both Debian (upgraded beyond SP4, i.e. 15.0.60903) and Windows installations (SP4).
     
    craigreilly likes this.