Help - Sophos XG v17 3CX Outgoing call issues

Discussion in '3CX Phone System - General' started by techguard, Jan 9, 2018.

Thread Status:
Not open for further replies.
  1. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    Hi there - I have set up a new Sophos XG105w at a client and I am having issues with calls dialing out over their 3CX system. The 3CX firewall checker passes.

    In some cases the call won't even try and dial out when dialed. 'Pls Hang Up' or 'Not found' are noted on the phone displays and no connection.

    Initially when we set it up - the SIP helper was disabled by us as we read that in the Sophos KB and here however we were getting no audio on the calls - so we enabled it again and the audio came back. Sophos support said the sip helper must not be enabled on the VOIP provider side and so we had to enable it on the XG firewall.

    I have one rule set up with all the 3CX ports forwarded from anywhere (for the moment) on the WAN to the internal IP of the PBX that sits behind the firewall. I have another rule set up to allow the PBX to talk out on the WAN to anything over any port.

    Some calls ring through - others don't. Did a packet capture on the XG but can't see where it's going to drop. Did a drop-packet-capture command as well on the console with no results.

    If someone has a 3CX behind a Sophos XG can you please share the rules and relevant settings you have in place for it to work. At my wits' end here trying to figure it out.
     
  2. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    Are you using a sip provider for service?
    What type of authentication with that provider are you using?
    Digest (username/password) or IP auth?
    Do you normally block from lan to wan or did you add the rule since you were having issues?

    What is your tcp/udp connection timeout set to? I have seen this value set too low and drop calls.
     
  3. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    @i3 thanks for the reply.
    1. Yes the VOIP 3CX system installer is using a sip provider for service. I'm just the firewall guy.
    2. I just checked their 3CX admin settings and Authentication is set to "Do not require - IP Based"
    3. I have set a lan to wan rule at the top of the firewall rule set to allow all traffic from pbx on the lan to anywhere on the wan over any port. Also my default lan to wan rule on the bottom also allows any lan device to talk over any sip related port, dns, http, https, ntp etc.
    4. I can't see on the sophos xg where I can configure that. I did find in the console of the firewall the

    UDP timeout stream is 60
    TCP Conn. Establishment Idle Timeout is 10800

    These are the default settings - not sure what they should be for the 3CX?
     
  4. Stevetritton

    Joined:
    Aug 3, 2017
    Messages:
    14
    Likes Received:
    1
    Hi
    We have 3CX behind a number of Sophos XG firewalls. We originally had issues but with updated firmware all OK for a few months. The 3CX server is excluded from Advanced Threat Protection.

    If your SIP provider is using IP based make sure NAT for 3CX out is using the public IP that your SIP provider has configured.
     
  5. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0

    Hi Steve
    Thanks for the info. I don't have ATP enabled at the moment as we didn't want to turn on much security until this issue is sorted.

    May I ask you for more information on the NAT for 3CX out. I have outbound rule and inbound rule attached. Do I need to change the masquerade or set up something else? SIP provider is using IP based.

    Thanks
     

    Attached Files:

  6. Stevetritton

    Joined:
    Aug 3, 2017
    Messages:
    14
    Likes Received:
    1
    Hi,
    OK, your SIP provider will be using a public IP to validate the connection. The address they have configured has to be the same as your 3CX server is using for external connections. I would suggest using ipchicken.com to check this matches. I have attached the NAT rule I am using plus the 3CX settings to ensure public IP is used in the SIP VIA header.

    Hope this helps
     

    Attached Files:

  7. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    The outbound rule shows it is using the "WAN Link load balancing". Does this client have multiple ISPs?
     
  8. Stevetritton

    Joined:
    Aug 3, 2017
    Messages:
    14
    Likes Received:
    1
    Hi, yes they do have multiple ISPs. We have a primary and secondary address configured at the ISP for the SIP trunk using IP based authentication.
    Steve
     
  9. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    For testing purposes, could you disable the load balancing for just the 3cx server and test outbound calls? For example, ensure the 3cx server is only ever using the primary isp that is configured with the sip provider and see if you are able to hold an outbound conversation.
     
  10. Stevetritton

    Joined:
    Aug 3, 2017
    Messages:
    14
    Likes Received:
    1
    Hi,
    This is how it was configured initially and worked fine. I only added the uplink rules when we had an additional line installed.

    What is in the 3CX logs when you make an outgoing call?

    Steve
     
  11. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    Hi Steve

    Thanks for this - the sip ip was already put in by the phone company in their 3CX settings. Do you happen to have a screenshot of the port forwarding WAN to LAN rule you have for your 3CX?

    Thanks
     
  12. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    @techguard
    Does the client have multiple ISPs? Are they both connected to the Sophos? What version 3cx are you currently running? Standalone machine or virtual?
     
  13. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    Hi i3 - thanks for the message.

    No they just have one ISP provider.
    3CX version 15.5.0.
    Standalone machine running on Linux Debian.
    I'm not using STUN just static public IP.

    The calls that are giving trouble now are not connecting out - message comes up on the handset "Pls hang up" and the call log on the 3CX shows it as "not answered". So I'm not sure if it's the sophos or 3CX or some incorrect settings. A lot of calls are working okay which leaves it hard to identify an intermittent issue.

    We have SIP ALG enabled - as disabling it causes audio issues. One thing I did notice is when we run the firewall checker with SIP ALG enabled port 9000 and 9001 come back as failed and the other 498 ports up to 9500 come back as success. When we disable SIP ALG everything is green in the firewall checker but audio issues occur on calls. Not sure why 9000 and 9001 come back red or if that could be impacting it. Those ports aren't used in any other rules on the firewall.

    I set up a VOIP Guarantee policy on the VOIP rules I presume this is okay - as they had issues before I set that up?
     
  14. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    Also should I get in touch with Virgin Media ISP - their modem is in bridge mode but could it have an impact on the SIP traffic or have SIP ALG impacting the calls?
     
  15. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    @techguard
    Who is the SIP provider and do you know if they are sending the RTP stream to your 3cx?

    Can you run a packet capture from the Dashboard > Activity Log > Capture
    then try to re-produce the outbound failed call, once you have an example, stop the capture and download the file. Open it up using Wireshark, and choose the Telephony > Voip Calls > select the failed call and click on Flow Sequence

    Do you see the sip (5060) going to the destination sip server of the provider?

    I would think that there could be something with SIP ALG causing issues, I know you checked the udp connection timeout, can you ensure that in the SIP ALG config screen there is no special timeout configuration there? I would almost want to disable SIP ALG and try to resolve the audio issues you're having as long as disabling SIP ALG doesn't break anything else. You mention with SIP ALG disabled everything checks out except you have audio issues, that may be resolved by ensuring your rtp ports are allowed in from where you expect them to come from (i.e. any or sip provider only) and ensure that all of them are forwarded properly to the 3cx machine.
     
  16. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    @i3 - thanks for this - it's late here so I will have to come back tomorrow on this. I did check the activity log - didn't know it existed so thank you very much. I will do packet capture tomorrow. I did notice however two errors that seem to be related to the issues we are having.

    One is "Exceeded outbound of the service agreement". After some Googling I found some SIP standards that said "if the maximum number of simultaneous sessions is exceeded, a 503 response shall be sent with the reason phrase "Exceeded outbound of the service agreement"". So potentially one of these issues might be down to not enough simultaneous calls or something holding the session for longer making the system think there are more calls than there are. I'll discuss with SIP provider tomorrow.

    The other message says 01/10/2018 4:22:55 PM - [Flow] Target endpoint for 7041802 can not be built! So need to figure out if that is firewall related or if it's something with the PBX. Maybe a capture will help clear up tomorrow. According to Google though initially it appears like it could be down to the rules on the PBX itself which the phone provider set up.
    We're in Ireland (Dublin) and the phone provider set up the calls out so that Dublin landline dial code 01 doesn't have to be dialed and if it is dialed the number doesn't work. But for some reason on some calls like the one above - it doesn't dial out while other similar Dublin numbers without the 01 work fine. Need to research this more. But the issue does appear to happen on landline numbers only from what I can tell so maybe it is PBX related. Will keep you posted.
     

    Attached Files:
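
    Added example, not part of any post in this thread: a small Python check for the two things discussed above, namely whether the Via/Contact headers of an outbound INVITE carry the public IP registered with an IP-authenticating provider (post 6), and whether the provider answered with a 503 such as the one quoted in post 16. The IP addresses, hostnames and messages are constructed placeholders, and `check_sip_message` is a hypothetical helper name; in practice the input would be SIP messages exported from the WAN-side capture.

```python
import ipaddress
import re

# All messages below are constructed samples, not data from this thread.
# 203.0.113.10 is a placeholder for the public IP the provider has on file.
REGISTERED_IP = "203.0.113.10"
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INVITE_LEAKING = (
    "INVITE sip:7041802@sip.provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1\r\n"
    "Contact: <sip:100@192.168.1.20:5060>\r\n"
    "Call-ID: a1@pbx\r\nCSeq: 1 INVITE\r\n\r\n")
INVITE_OK = INVITE_LEAKING.replace("192.168.1.20", REGISTERED_IP)
RESPONSE_503 = (
    "SIP/2.0 503 Exceeded outbound of the service agreement\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-2\r\n"
    "Call-ID: a2@pbx\r\nCSeq: 1 INVITE\r\n\r\n")
# IPv4 literal after the Via transport, after "user@", or after "sip:"
HOST_RE = re.compile(r"(?:SIP/2\.0/\w+\s+|@|sips?:)(\d{1,3}(?:\.\d{1,3}){3})")

def check_sip_message(raw, registered_ip=REGISTERED_IP):
    """Return findings for one SIP message captured on the WAN side."""
    lines = raw.split("\r\n")
    status = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if status:  # a response: report provider-side 503 rejections
        code, reason = status.groups()
        return [f"{code} from provider: {reason}"] if code == "503" else []
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name not in ("via", "v", "contact", "m"):  # incl. compact forms
            continue
        for host in HOST_RE.findall(value):
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue  # not a valid IPv4 literal
            if host == registered_ip:
                continue
            if any(ip in net for net in RFC1918):
                findings.append(f"{name}: private address {host} sent to provider")
            else:
                findings.append(f"{name}: {host} differs from registered {registered_ip}")
    return findings

if __name__ == "__main__":
    for msg in (INVITE_LEAKING, INVITE_OK, RESPONSE_503):
        print(msg.split("\r\n")[0], "->", check_sip_message(msg) or "ok")
```

    A private address in Via or Contact on the WAN side points at the PBX public-IP setting or the firewall's SIP helper not rewriting the headers; a 503 with that reason phrase points at the provider's session limit rather than the firewall.
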

  17. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    Ok just looking at the outbound call routes quickly there and I can't see one listed for 7 - could that possibly be the reason for the 7041802 number not working?
     
  18. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    That is possible, it all depends on what the phone provider is expecting as far as how many digits it is looking for. I am in the US and not familiar with Ireland phone numbers and digits. Can you send a screenshot of a few of the outbound rules in the edit window? That would show all the details of the rule. Also, check under Sip Trunks how many simultaneous connections (Sim Calls) the trunk is set to?
     
  19. techguard

    Joined:
    Jan 9, 2018
    Messages:
    14
    Likes Received:
    0
    Number of Sip trunks appears to be set to 4. (This is a small company of 7 staff approx.)
    Irish landline numbers have area codes of between 2 and 4 digits. Dublin being 01. (Other areas e.g. 094, 0505, 021) Then 7 digits after typically. (1-9)
     

    Attached Files:

  20. i3

    Joined:
    Jun 6, 2012
    Messages:
    31
    Likes Received:
    0
    Do you mean the number of Sim Calls is set to 4? That would mean that if you have 4 people making outbound calls and a 5th attempts to make a call it will fail because the trunk is limited to only 4.

    Based on the number of outbound rules, it seems that the installer wanted to allow the users to only have to dial the 7 digits and avoid dialing the area code, does that seem correct or do the users always dial the area code+number? I would need a few more outbound rule screenshots to confirm. You could always create a catch all rule and place it at the bottom of the outbound rules list that goes something like the attached. With that rule you would be able to dial the full area code + 7 digit number and it will always find the proper route out.
     

    Attached Files:
