
Sip trunking not working through WatchGuard Firewalls


AndrewTech

Technical User
Oct 6, 2017
26
US
OK, here's a brain teaser.

Mitel 3300 on ver 8. 50 IP phones on 2 different subnets. System is hooked to a PRI circuit for trunking. Users have desk phones and some are multi device twinning to a cell phone. Router exists at both buildings. Both routers are WatchGuard. Main router is a Firebox M400. I don't know what type the 2nd building has. Under these circumstances, all services and calls work perfectly with 0 issues.

We switched to SIP trunking this morning and everything worked......for about 10 minutes. By the time we got on site, this was our list.

--Inbound and outbound calls with 2 way audio worked on subnet 1.
--Sip trunks would go out of service intermittently for no more than 4 minutes, then return to service automatically.
--Some calls in progress were reported to have dropped one side of the audio stream during the call.
--Twinned calls answered on a cell phone have no audio on subnet 1. one way audio on subnet 2.
--Subnet 2 can receive inbound external calls but cannot make outbound external calls.
--All internal calls work perfectly.

Once we switched from SIP back to PRI, all our problems disappeared.

Can anyone give me any idea of what to do to resolve this? I'm not familiar with WatchGuard firewalls. I know that ports were opened in the firewall for 5060 and the recommended RTP ports. Is there anything else we could possibly be missing?
 
More than likely SIP ALG is enabled, turn it off, then turn it off again, then based on my experience, turn it off again.

That may sound flippant, but firewalls do not seem to want to turn off SIP ALG.

After that, make sure your Phones have peer to peer routing to whatever is routing the SIP calls. The MBG for example.

Also you may need to open some UDP ports for the voice traffic.

**********************************************
What's most important is that you realise ... There is no spoon.
 
Break out the Wireshark. If your firewall is NATing, you need to make sure the SIP ALG is working properly and inserting the correct IP info where needed. Some ALGs will modify IP addresses when they aren't supposed to. I've found a cheap test is to order a small Mikrotik router and connect it in place of the firewall. (Bypass the firewall) Make sure its SIP functionality is turned on.
See:
 
We always get a test number range for the new SIP service

then it can be configured and tested prior to cutover


If I never did anything I'd never done before , I'd never do anything.....

 
kwbMitel - The customer is using the predefined SIP ALG which only has port 5060 TCP/UDP in it. We tried turning it off and creating a custom policy with the same settings and doing so made things worse. We also tried adding the recommended UDP RTP ports to the policy and it didn't help the situation.

danramirez - they have MBG that they use for teleworker. But they don't want to modify anything more than needed.

We did Wireshark captures but they never showed the RTP being transferred. We know that the carrier is sending the packets but they never seem to get through the firewall. Is it possible to set up a Wireshark capture on the WatchGuard firewall? It was recommended that we do so but when I asked about it, I was told that we couldn't.
 
I had a similar issue recently although my solution was much easier.

The router was a Cisco, not sure of the model number though. SIP ALG was on and had symptoms like yours.
Calls would establish but then get one-way speech after a while, also putting calls on hold and transferring didn't work properly.

We requested a new public IP from the provider so we could manage it. Put a standard router in and the problem was solved.
In my opinion it is usually best to leave the SIP packets alone.
 
AndrewTech,
Maybe this helps...
In cases where you cannot or don't know how to do a Wireshark capture on a specific product:

Capture before the device.

Create a (non routable) vlan on a switch next to the device.
Put 3 interfaces untagged in that vlan.
Connect the internet router, the WatchGuard and a laptop with wireshark.
Because sip is unencrypted, this should work.

(This is on the WAN side, you also could do this on the LAN side to see what's happening in between.)
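Once you have a capture from the WAN-side VLAN described above, the two things worth checking in each outbound INVITE are whether the ALG/NAT actually rewrote the private PBX address in Via, Contact and the SDP c= line (if it did not, the carrier sends RTP to an unreachable 10.x address and you get one-way or no audio), and whether the announced RTP port falls inside the UDP range opened on the firewall. The script below is an added example, not from this thread or from Mitel/WatchGuard; the INVITE, the 10.10.1.5 address and the 50000-50100 port range are constructed sample values.

```python
"""Added example: flag SIP ALG / NAT symptoms in a captured SIP INVITE."""
import ipaddress
import re

# Constructed sample: an INVITE as the PBX emits it, before any NAT rewrite.
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.1.5:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:1001@10.10.1.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 10.10.1.5\r\n"
    "c=IN IP4 10.10.1.5\r\n"
    "m=audio 50004 RTP/AVP 0 8 101\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip is a private (RFC 1918) address the carrier cannot reach."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_sip(msg):
    """Pull the signalling/media addresses and the audio port out of a SIP message."""
    hdr, _, body = msg.partition("\r\n\r\n")
    via = re.search(r"^Via:.*?UDP\s+([\d.]+)", hdr, re.M | re.I)
    contact = re.search(r"^Contact:.*?@([\d.]+)", hdr, re.M | re.I)
    conn = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M)
    media = re.search(r"^m=audio (\d+)", body, re.M)
    return {
        "via_ip": via.group(1) if via else None,
        "contact_ip": contact.group(1) if contact else None,
        "sdp_ip": conn.group(1) if conn else None,
        "rtp_port": int(media.group(1)) if media else None,
    }


def check_alg_symptoms(msg, rtp_ports):
    """Return a list of problems found in a WAN-side capture of msg.
    rtp_ports is the (low, high) UDP range opened on the firewall for media."""
    fields = parse_sip(msg)
    issues = []
    for name in ("via_ip", "contact_ip", "sdp_ip"):
        ip = fields[name]
        if ip and is_rfc1918(ip):  # still private on the WAN: ALG did not rewrite it
            issues.append(f"{name} {ip} is private; carrier cannot reach it")
    lo, hi = rtp_ports
    port = fields["rtp_port"]
    if port is not None and not lo <= port <= hi:
        issues.append(f"rtp_port {port} is outside the opened UDP range {lo}-{hi}")
    return issues
```

Run it against a WAN-side capture: every private address reported means the ALG is not doing its job (or is doing it inconsistently, which matches the intermittent drop-outs), and a port outside the opened range means the firewall's RTP rule does not cover what the PBX actually announces.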
 