FAQ/Troubleshooting for VoIP connections involving a Securepoint UTM

Last adapted: 09.2025

New:
  • The article has been fundamentally revised and split into two articles: Example Scenarios and FAQ/Troubleshooting (this article)
This article refers to a Beta version

General

  • Packet filter rule

    Is a packet filter rule necessary?
  • Answer

    Yes. When a UTM sits between the VoIP end devices and the VoIP server, an additional packet filter rule is required that permits VoIP with NAT.
    The connection is set up via SIP: the device registers with the VoIP server using its local IP address. The voice packets themselves are then transmitted via RTP on other ports.
    To make the VoIP clients and their RTP ports in the local network reachable from outside, i.e. for the VoIP server, a packet filter rule must be created for this.

    Under Firewall Packet filter  button Add Rule the following rule is added:
    General
    Source: voip-clients  A suitable network group should be defined, for example "Phones and workstations" or "VoIP-devices".
  • The object Internal Network would allow every device in the network to use VoIP!
  • For reasons of network security, devices that do not need VoIP (e.g. printers or IoT devices) should not be permitted VoIP either.
    Destination: voip-server  VoIP connections with the corresponding open ports should only be permitted towards the VoIP server.
    Service: voip  VoIP service group; it enables the following ports:
    • SIP: UDP port 5060, protocol type sip
      The protocol type sip loads the Application Layer Gateway (ALG) modules.
    • rtp: UDP ports 7070-7089
    Action: Stateless
    NAT: enabled
    Type: HIDENAT
    Network object: external-interface
  • VoIP without SIP Helper

    Can VoIP be configured without SIP Helper?
  • Answer

    Yes. The predefined service sip (contained in the packet filter group voip) has the protocol type sip, which loads the Application Layer Gateway (ALG) modules. If VoIP is to run without the SIP helper, and thus without the ALG, a new service must be created that uses UDP port 5060 without the protocol type sip.

    First, the new service is created under Firewall Services  button Add service.

    Create service
    Name: udp 5060 without type  Descriptive name
    Protocol: udp
    Protocol type:  Leave blank!
    Destination port type: Single port  Only one port is needed
    Destination port: 5060  The destination port for SIP via UDP is 5060
    Source port type: All  The clients can establish the connection from various source ports
    Save and close  Creates the service

    Create service group
    Subsequently, a new group is created under  Service groups  with Add group:
    Name: voip without ALG  Descriptive name
    Services:
    • udp 5060 without type  Destination port: 5060
    • rtp  Destination ports: 7070-7089
    The newly created service for UDP port 5060 and the predefined service rtp (ports 7070-7089) must both be included.

    Packet filter rule
    Finally, a packet filter rule is created as described above, but with the new service group as the service:
    #   Source        Target       Service           NAT  Action     Active
    24  voip-clients  voip-server  voip without ALG  HN   Stateless  On

  • There is no longer any need to load or unload the SIP helper modules via the CLI.

  • UDP-Session Timeout

    Can the UDP session timeout be adjusted?
  • Answer

    Yes, the UDP session timeout can be adjusted using CLI commands.

    Solution

    The following CLI commands are necessary to adjust the UDP session timeout (in the example to 300 seconds):

    system sysctl new name net.netfilter.nf_conntrack_udp_timeout value 300
    system update system
    system config save

    Note that this sysctl governs UDP connection-tracking entries that have only seen traffic in one direction (e.g. a registration that has not been answered yet). Once packets have been seen in both directions, as with a running RTP stream, the kernel applies the separate value net.netfilter.nf_conntrack_udp_timeout_stream instead, so adjust that one in the same way if established streams are being dropped.


  • SIP via TCP

    Can SIP be configured over TCP?
  • Answer

    Yes. To do this, a new service must be created with the protocol TCP, the protocol type sip and the same destination port as for UDP (5060).
    • Create the new service under Firewall Services  button Add Object

    Troubleshooting

  • No sound transmission

    Why do clients behind Roadwarrior (RW) connections or site-to-site (S2S) connections have no audio transmission?
  • Answer

    This could be due to insufficient packet filter rules.

    Solution

    It should be verified that the packet filter rules cover the following:
    1. The telephone system can send packets to the tunnel network/remote network without NAT
    2. The clients can communicate with the telephone system without NAT
    3. The telephone system is not forced to a gateway via rule routes
    4. If source routes exist for the telephone system, they must also exist for the S2S SSL VPN tunnel/WireGuard
    5. The predefined service sip (protocol type sip, which loads the ALG) is not used in packet filter rules across the tunnels

    If all of this is covered, S2S connections should normally work.

    Further troubleshooting should be done with tcpdump (as root user).

    Road warriors often find that the VoIP client does not announce its own tunnel address as the destination for RTP packets, but that of its default gateway instead. The telephone system then cannot send the RTP packets to the correct destination. In this case the problem is the VoIP client itself.
  • Connect externally

    Why can't clients connect to the telephone system from outside using the telephone system manufacturer's VoIP client, or why can't calls be established?
  • Answer

    This could be because no RTP communication is established during the call at all, or because the RTP packets flow in one direction only. This indicates that the telephone system or the VoIP client is not transmitting the correct IP addresses as the destination for the RTP packets. This can be determined with tcpdump.

    Solution

    Since there are many different telephone systems and Securepoint specialises in IT security, a technician familiar with the telephone system in question must configure it correctly.
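    Both troubleshooting answers above come down to the same check: in the SIP traffic seen with tcpdump, does the address in the SDP "c=" line (where the peer is asked to send RTP) match the address the SIP packet actually came from, and does the offered audio port fall inside the UDP range the packet filter's rtp service opens (7070-7089)? The following Python script is an added example that automates that comparison; it is not Securepoint code and not part of the original article. The SIP INVITE messages, the tunnel network 10.8.0.0/24, the addresses and the hostname pbx.example.internal are constructed sample data, and the tunnel network is an assumption you replace with your own Roadwarrior or S2S network.

```python
"""Check the RTP addressing announced in SIP/SDP against the packet source.

Added example; not Securepoint code. In a tcpdump capture of the SIP signalling
(e.g. 'tcpdump -ni any -A udp port 5060') a misbehaving client shows up as an
SDP 'c=' line whose address is not the address the SIP packet came from, or a
media port outside what the packet filter allows. This script does that check
on constructed sample messages.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The 'rtp' service from the packet filter rule on this page: UDP 7070-7089.
RTP_PORT_RANGE = range(7070, 7090)


@dataclass
class MediaCheck:
    src_ip: str            # IP-layer source of the SIP packet (what tcpdump shows)
    sdp_ip: str            # address the SDP asks the peer to send RTP to
    rtp_port: int          # audio port from the SDP m= line
    problems: list[str] = field(default_factory=list)


def parse_sdp(sip_message: str) -> tuple[str, int]:
    """Return (connection address, audio port) from the SDP body of a SIP message."""
    _, _, body = sip_message.partition("\r\n\r\n")  # blank line ends the SIP headers
    c_line = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m_line = re.search(r"^m=audio (\d+) ", body, re.M)
    if not c_line or not m_line:
        raise ValueError("SIP message carries no SDP audio description")
    return c_line.group(1), int(m_line.group(1))


def check_media(src_ip: str, sip_message: str, tunnel_net: str) -> MediaCheck:
    """Compare the SDP media address/port with where the packet came from.

    tunnel_net is the VPN (Roadwarrior or S2S) network the client is expected to
    be reachable in; it is a parameter of this example, not a value from the page.
    """
    sdp_ip, port = parse_sdp(sip_message)
    result = MediaCheck(src_ip, sdp_ip, port)
    if sdp_ip != src_ip:
        result.problems.append(
            f"SDP c= address {sdp_ip} differs from packet source {src_ip}: "
            "the PBX will send RTP to the wrong host (one-way or no audio)")
    if ip_address(sdp_ip) not in ip_network(tunnel_net):
        result.problems.append(
            f"SDP c= address {sdp_ip} is outside the tunnel network {tunnel_net}: "
            "the client announces a LAN/gateway-side address instead of its tunnel address")
    if port not in RTP_PORT_RANGE:
        result.problems.append(
            f"audio port {port} is outside UDP {RTP_PORT_RANGE.start}-{RTP_PORT_RANGE.stop - 1}, "
            "which is all the 'rtp' service in the packet filter rule allows")
    return result


def build_invite(sdp_ip: str, audio_port: int) -> str:
    """Build a minimal SIP INVITE with an SDP body. Constructed sample data."""
    lines = [
        "INVITE sip:200@pbx.example.internal SIP/2.0",
        "From: <sip:100@pbx.example.internal>;tag=1",
        "To: <sip:200@pbx.example.internal>",
        "Call-ID: example-call-1",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"o=100 1 1 IN IP4 {sdp_ip}",
        "s=call",
        f"c=IN IP4 {sdp_ip}",
        "t=0 0",
        f"m=audio {audio_port} RTP/AVP 8 0 101",
    ]
    return "\r\n".join(lines) + "\r\n"


# Constructed samples. 10.8.0.0/24 is an assumed Roadwarrior tunnel network.
TUNNEL_NET = "10.8.0.0/24"
GOOD_INVITE = build_invite("10.8.0.10", 7070)        # client announces its tunnel address
BAD_INVITE = build_invite("192.168.178.20", 16384)   # client announces its LAN address


if __name__ == "__main__":
    for src, msg in (("10.8.0.10", GOOD_INVITE), ("10.8.0.11", BAD_INVITE)):
        res = check_media(src, msg, TUNNEL_NET)
        print(f"{src} -> c={res.sdp_ip} port {res.rtp_port}:",
              "OK" if not res.problems else "")
        for p in res.problems:
            print("  -", p)
```

    The source address is taken from the IP header as tcpdump reports it, not from the SIP Via header, because the Via header is written by the same client whose addressing is in doubt. A report of "c= address differs from packet source" on a Roadwarrior client is exactly the situation described above where the client is the problem, not the UTM.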