27.05.

2021 Techincal Tip: SIP useful Commands

Techincal Tip: SIP useful Commands Print Article

Products
FortiGate

Description

This article shows some useful commands for troubleshooting SIP traffic.

Solution

Several commands are used to troubleshoot this issue, depending on the mode used by firewall (sip session-helper or SIP-
ALG).

Generally, troubleshooting voip issues is done in few steps:

- Getting a simple network diagram with addresses clearly indicated for SIP server, Audio server, FortiGate
interfaces (NAT if used), client IP, etc.
- Checking what kind of SIP inspection is used/configured on the FortiGate / in the policies (backup of configuration,
specifying the VDOM/ policy ID#)
- Capturing and analyzing the traffic between host and SIP server over FortiGate (traffic capture for destination server IP,
or for port 5060)
- Isolating the issue to FortiGate by disabling SIP inspection (or specifying how FortiGate is expected to open the
audio ports for calls)
- Collecting the sip debug if the problem is not identified or not clearly fixable

SIP debug can be enabled and collected as follows.

This is useful when the action taken be the firewall is clearly understood and configured, but still considered wrong.
Simultaneously, a packet capture is necessary (on another SSH connection):

# diagnose debug disable

# diagnose debug reset
# diagnose debug application sip -1
# diagnose debug enable

Diagnosing calls

Use following commands to display status information about the SIP sessions being processed by the SIP ALG.
# diagnose sys sip-proxy calls list
# diagnose sys sip-proxy stats <----- This is the most useful as it shows what type of packets are
blocked.
# diagnose sys sip-proxy stats clear <----- To clear the old statistics and make recent tests more
obvious.
# diagnose sys sip status
# diagnose sys sip dialog list
# diagnose sys sip mapping list

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38920&sliceId=1&docTypeID=DT_KCARTICLE_1_1… 1/4
27.05.2021 Techincal Tip: SIP useful Commands

There are 4 columns:

Received: packets of certain type that FortiGate received. These are packets seen as passing over the FortiGate (no
action taken by FortiGate)
Blocked: packets that the FortiGate actively blocked. They can be either ‘request’ or ‘response’
Unknown form: The header may be familiar to FortiGate but the content may have certain extensions or field contents
that are not recognized, or completely strange in format. Unknown SIP requests are by default blocked (set block-
unknown enable). Malformed headers are by default set to pass in the SIP section of the default voip profile
Long headers: Certain packets contain a lot of non-standard extensions than enhance the SIP call. But this data needs
more space on a header’s line. Long lines/headers are by default blocked (set block-long-lines enable)

UNKNOWN: Generally these are keep-alive packets (no relevant data).

If blocked, calls may drop after a certain time when the session times out. Fix: set block-unknown disable in default voip
profile (or particular voip profile used in policy).
ACK: (not usually a problem. If needed, SIP profile can be set block-ack enable ).
BYE: (not usually a problem. If needed, SIP profile can be set block-bye enable ).
CANCEL: (not usually a problem. If needed, SIP profile can be set block-cancel enable ).
INFO: (not usually a problem. If needed, SIP profile can be set block-info enable ).
INVITE: Only a problem if blocked. Packet capture and sip debug can tell why a ‘legitimate’ INVITE is blocked. Usually it
is caused by mismatching fields.
MESSAGE: (not usually a problem. If needed, SIP profile can be set block-message enable ).
NOTIFY: (not usually a problem. If needed, SIP profile can be set block-notify enable ).
OPTIONS: (not usually a problem. If needed, SIP profile can be set block-options enable ).
PRACK: Provisional Response Ack - Adds RSeq and Rack headers (not blocked by default - set block-prack disable, rate
can be changed) .
REFER: (not usually a problem. If needed, SIP profile can be set block-refer enable ).
REGISTER - if blocked counter is increasing, they may be fraudulent external attempts trying register to use your SIP
server. However, if your phone can’t register, you should check the blocked column. When ‘received req’ increases, but
‘received resp’ is not increasing = the SIP server does not recognize or refuses to respond to these requests
(troubleshooting generally on SIP server).
SUBSCRIBE: (not usually a problem).
UPDATE: (not usually a problem. If needed, SIP profile can be set block-update enable ).
PING: (not usually a problem. Rarely used).

According to the output of '# diagnose sys sip-proxy stats', it is possible to make adjustments on the default voip
profile,
or create a new profile to be used in policies. Common changes are highlighted:

# config voip profile

(profile) # edit default
(default) # config sip
# set ?
status Enable/disable SIP.
rtp Enable/disable create pinholes for RTP traffic to
traverse firewall.
nat-port-range RTP NAT port range.
open-register-pinhole Enable/disable open pinhole for REGISTER Contact
port.
open-contact-pinhole Enable/disable open pinhole for non-REGISTER Contact
port.
open-via-pinhole Enable/disable open pinhole for Via port.
open-record-route-pinhole Enable/disable open pinhole for Record-Route port.

Usually, user wants to open these pinholes.

Keeping them closed may prevent SIP from functioning properly through the FortiGate.
It can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single
session).

strict-register Enable/disable only allow the registrar to connect.

register-rate REGISTER request rate limit (per second, per policy).
invite-rate INVITE request rate limit (per second, per policy).
max-dialogs Maximum number of concurrent calls/dialogs (per
policy).
max-line-length Maximum SIP header line length (78-4096).
block-long-lines Enable/disable block requests with headers exceeding
max-line-length.
block-unknown Block unrecognized SIP requests (enabled by default).
call-keepalive Continue tracking calls with no RTP for this many
minutes.
block-ack Enable/disable block ACK requests.
block-bye Enable/disable block BYE requests.
block-cancel Enable/disable block CANCEL requests.
block-info Enable/disable block INFO requests.
block-invite Enable/disable block INVITE requests.
block-message Enable/disable block MESSAGE requests.
block-notify Enable/disable block NOTIFY requests.
block-options Enable/disable block OPTIONS requests and no OPTIONS
as notifying message for redundancy either.
block-prack Enable/disable block prack requests.
block-publish Enable/disable block PUBLISH requests.
block-refer Enable/disable block REFER requests.
block-register Enable/disable block REGISTER requests.
block-subscribe Enable/disable block SUBSCRIBE requests.

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38920&sliceId=1&docTypeID=DT_KCARTICLE_1_1… 2/4
27.05.2021 Techincal Tip: SIP useful Commands
block-update Enable/disable block UPDATE requests.
register-contact-trace Enable/disable trace original IP/port within the
contact header of REGISTER requests.
rfc2543-branch Enable/disable support via branch compliant with RFC
2543.
log-violations Enable/disable logging of SIP violations.
log-call-summary Enable/disable logging of SIP call summary.
nat-trace Enable/disable preservation of original IP in SDP i
line.
subscribe-rate SUBSCRIBE request rate limit (per second, per
policy).
message-rate MESSAGE request rate limit (per second, per policy).
notify-rate NOTIFY request rate limit (per second, per policy).
refer-rate REFER request rate limit (per second, per policy).
update-rate UPDATE request rate limit (per second, per policy).
options-rate OPTIONS request rate limit (per second, per policy).
ack-rate ACK request rate limit (per second, per policy).
prack-rate PRACK request rate limit (per second, per policy).
info-rate INFO request rate limit (per second, per policy).
publish-rate PUBLISH request rate limit (per second, per policy).
bye-rate BYE request rate limit (per second, per policy).
cancel-rate CANCEL request rate limit (per second, per policy).
preserve-override Override i line to preserve original IPS (default:
append).
no-sdp-fixup Enable/disable no SDP fix-up.
contact-fixup Fixup contact anyway even if contact's IP:port
doesn't match session's IP:port.
max-idle-dialogs Maximum number established but idle dialogs to retain
(per policy).
block-geo-red-options Enable/disable block OPTIONS requests, but OPTIONS
requests still notify for redundancy.
hosted-nat-traversal Hosted NAT Traversal (HNT).
hnt-restrict-source-ip Enable/disable restrict RTP source IP to be the same
as SIP source IP when HNT is enabled.
max-body-length Maximum SIP message body length (0 meaning no limit).
unknown-header Action for unknown SIP header.
malformed-request-line Action for malformed request line.
malformed-header-via Action for malformed VIA header.
malformed-header-from Action for malformed From header.
malformed-header-to Action for malformed To header.
malformed-header-call-id Action for malformed Call-ID header.
malformed-header-cseq Action for malformed CSeq header.
malformed-header-rack Action for malformed RAck header.
malformed-header-rseq Action for malformed RSeq header.
malformed-header-contact Action for malformed Contact header.
malformed-header-record-route Action for malformed Record-Route header.
malformed-header-route Action for malformed Route header.
malformed-header-expires Action for malformed Expires header.
malformed-header-content-type Action for malformed Content-Type header.
malformed-header-content-length Action for malformed Content-Length header.
malformed-header-max-forwards Action for malformed Max-Forwards header.
malformed-header-allow Action for malformed Allow header.
malformed-header-p-asserted-identity Action for malformed P-Asserted-Identity header.
malformed-header-sdp-v Action for malformed SDP v line.
malformed-header-sdp-o Action for malformed SDP o line.
malformed-header-sdp-s Action for malformed SDP s line.
malformed-header-sdp-i Action for malformed SDP i line.
malformed-header-sdp-c Action for malformed SDP c line.
malformed-header-sdp-b Action for malformed SDP b line.
malformed-header-sdp-z Action for malformed SDP z line.
malformed-header-sdp-k Action for malformed SDP k line.
malformed-header-sdp-a Action for malformed SDP a line.
malformed-header-sdp-t Action for malformed SDP t line.
malformed-header-sdp-r Action for malformed SDP r line.
malformed-header-sdp-m Action for malformed SDP m line.
provisional-invite-expiry-time Expiry time for provisional INVITE (10 - 3600 sec).
ips-rtp Enable/disable allow IPS on RTP.
ssl-mode SSL/TLS mode for encryption & decryption of traffic.

Troubleshooting SIP-helper is not as easy, as we can only check whether the session expectation is created correctly.
Also, with SIP session-helper there are not many changes that can be operated for special topologies.
Since SIP session-helper is not commonly used, this guide will not focus on troubleshooting it.

# diagnose sys sip stat <----- Can be used to check if the sip-helper is used.

Related links.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/858887/voip-solutions
https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/858887/voip-solutions
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/FortiGate_6_0/fortigate-sip-603.pdf
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=fortigate-voip-sip-521pdf

Related Articles
Technical Tip: Enabling the SIP Application Layer Gateway (ALG)
SIP and SCCP Traffic is Handled by the VoIP ALG/Proxy by default in FortiOS 5.2

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38920&sliceId=1&docTypeID=DT_KCARTICLE_1_1… 3/4
27.05.2021 Techincal Tip: SIP useful Commands
Technical Tip: Disabling VoIP Inspection
Technical Tip: How to use the SIP ALG to prevent unwanted calls
Technical Tip: How to confirm if FortiGate is using SIP Session Helper or SIP ALG
Technical Tip: VOIP calls (using SIP)

Last Modified Date: 05-20-2021 Document ID: FD38920

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38920&sliceId=1&docTypeID=DT_KCARTICLE_1_1… 4/4