Troubleshooting FortiGate VoIP Issues (One-Way Audio, No Ringing)
April 2, 2025
Voice over IP (VoIP) systems, particularly those using the Session Initiation Protocol (SIP), can sometimes encounter issues when traversing firewalls like FortiGate. Common problems include one-way audio (where only one party can hear the other) or phones failing to ring for incoming calls. These issues often stem from the FortiGate's SIP Application Layer Gateway (ALG) or session helpers interfering with the SIP signaling or RTP (audio) streams, especially when Network Address Translation (NAT) is involved.
This article provides common FortiGate Command Line Interface (CLI) commands for diagnosing and potentially resolving these VoIP/SIP issues.
Initial Diagnostics
Before diving into SIP-specific settings, gather some basic information about your FortiGate's configuration and interfaces:
config system settings
show full-configuration
end
diagnose netlink interface list
diagnose ip address list
- show full-configuration: Displays the entire device configuration. Useful for searching later.
- diagnose netlink interface list: Lists network interfaces recognized by the kernel via Netlink.
- diagnose ip address list: Shows all configured IP addresses on the device's interfaces. Helps confirm interface IPs.
SIP-Specific Diagnostics
To investigate SIP traffic and related configuration:
config system settings
show full-configuration | grep -f sip
end
This command filters the full configuration to show only lines containing "sip", helping you quickly view relevant settings like SIP ALG mode, ports, and NAT trace options.
diagnose sniffer packet any 'port 5060' 4
This command captures SIP signaling traffic (default UDP port 5060) on all interfaces. The verbosity
level 4 provides detailed header information. Analyzing this output can reveal issues with
SIP messages being modified incorrectly or not reaching their destination.
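When reviewing captured SIP messages, the usual sign of a NAT problem is a packet whose IP source was translated while the addresses inside the SIP headers and SDP body were not. The Python below is an added example, not part of the original article: it assumes you have the SIP message text and the packet's source IP from a capture that includes payloads, and the function names and the sample INVITE are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:              # a hostname, not an IP literal
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)

def advertised_addresses(message):
    """Return (field, host) pairs that tell the peer where to send replies/RTP."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    found = []
    for line in head.split("\n")[1:]:            # skip the request/status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):                 # Via: SIP/2.0/UDP host[:port];...
            m = re.match(r"\s*SIP/2\.0/\w+\s+([^;:\s]+)", value)
        elif name in ("contact", "m"):           # Contact: <sip:user@host[:port]>
            m = re.search(r"sips?:(?:[^@>\s]*@)?([^;:>\s]+)", value)
        else:
            continue
        if m:
            found.append((name, m.group(1)))
    # SDP connection lines (c=IN IP4 <addr>) carry the RTP destination.
    found += [("sdp c=", a) for a in re.findall(r"^c=IN IP4 (\S+)", body, re.M)]
    return found

def nat_findings(message, wire_src_ip):
    """Fields still holding an RFC 1918 address on a packet whose source is not."""
    if is_rfc1918(wire_src_ip):
        return []                   # captured on the inside; nothing to compare
    return [(field, host) for field, host in advertised_addresses(message)
            if is_rfc1918(host)]

# Constructed sample: an INVITE as it might look on the WAN side.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2002@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776",
    "Contact: <sip:1001@192.168.1.50:5060>",
    "",
    "v=0",
    "c=IN IP4 192.168.1.50",
    "m=audio 16384 RTP/AVP 0 8",
])
```

A private address left in the SDP `c=` line is the finding that matters most for one-way audio, because the remote side sends its RTP to that address.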
Common Solution: Disabling SIP ALG / Using Kernel Helper Mode
FortiGate's default SIP ALG mode (`proxy-based`) and associated settings can sometimes manipulate SIP headers in ways that break compatibility with certain VoIP systems or NAT scenarios. A common fix involves disabling some ALG features and switching to the kernel session helper.
This approach is often effective for resolving one-way audio or registration/ringing issues. Execute the following commands:
config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
- set sip-expectation disable: Disables the expectation mechanism, which can sometimes cause issues with NAT.
- set sip-nat-trace disable: Disables adding NAT trace information into SIP headers, which might cause incompatibility.
- set default-voip-alg-mode kernel-helper-based: Switches from the default proxy ALG to rely on the older, sometimes more compatible, kernel session helper for SIP.
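After applying these settings, clear existing SIP sessions (`diagnose sys session clear`) or wait for them to time out, then test your VoIP calls thoroughly. Without a session filter set beforehand, this command clears every session on the firewall, not only SIP.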
Alternative: Removing the SIP Session Helper
In some cases, particularly if default-voip-alg-mode was already set to
kernel-helper-based or if issues persist, the SIP session helper itself might be the
problem. Completely removing the helper allows traffic to pass based solely on firewall policies,
without specific SIP inspection/manipulation by the helper.
First, identify the SIP session helper ID (it's usually 13, but verify):
config system session-helper
show
end
Look for the entry with set name sip and note its ID number. Then, delete it (assuming it's
13):
config system session-helper
delete 13
end
Again, clear sessions and test thoroughly after making this change. You will need appropriate firewall policies allowing SIP (UDP/5060) and RTP (a range of UDP ports, typically high) traffic between your VoIP devices/server and the external provider/endpoints.
Important Considerations
- Test Thoroughly: Always test call functionality (inbound, outbound, audio both ways, call transfers, etc.) after making any changes.
- Maintenance Window: Apply these changes during a maintenance window if possible, as they can interrupt existing calls.
- Understand Your Traffic: Ensure your firewall policies correctly allow the necessary SIP and RTP traffic flows.
- Firmware Versions: Behavior can sometimes vary slightly between FortiOS versions. These commands are generally applicable to modern versions (6.x, 7.x).
"Troubleshooting VoIP often involves peeling back layers. Sometimes, letting the firewall handle traffic based purely on policy, without ALG interference, is the simplest solution."
- Inspired by common troubleshooting practices