[VoiceOps] Odd network problem with SIP

Brooks Bridges brooks at firestormnetworks.net
Sat Jun 21 17:09:58 EDT 2014

Make sure you're fully disabling the ALG on those Fortigates.  I got bit 
by that one time when I discovered (after many emails with support) that 
there are 2 places you have to shut off the SIP ALG before it's actually 
disabled, and the documentation only mentioned one of them.

Brooks Bridges
Firestorm Networks
Email: brooks at firestormnetworks.net
Voice: +1.8006975891
Fax: +1.8889721835

On 6/21/2014 10:37 AM, Jay Ashworth wrote:
> I have a client using the Spitfire dialler on Win7 to dial via SIP to a
> carrier called VoxTelecom; I infer they're a virtual carrier because the
> SIP goes to their Sonus SBC at a single IP, but the media sessions go all
> over creation.
> The client has been having completion trouble, and the dialler folks said
> "crappy circuit; too much jitter and packet loss", tested from the dialler
> using PingPlotter.  I don't think it was jitter, I think it was ping response
> deviation; PingPlotter doesn't appear to actually test jitter.
> But to tick the boxes, I had road runner out; they replaced a ubee D2 modem
> with their New Hawtness Arris D3 modem; no change.  All his analog measurements
> were pristine, he told me.
> So next step, check the router.  Log in to the Fortigate 40D; control panel
> won't paint properly.  This *may* have been an IE10 compatibility mode
> red-herring, but I temporarily swapped it for a 20C, which I could talk to.
> Set up the inbound DNATs for udp/5060 SIP and upd/49152-49252 RTP.
> Ran some calls.
> They're not seeing my ACK after they send me an SDP.  They get the invite, but
> not the ACK.  I send RTP, but they don't bother cause they think the call's
> not set up yet.
> Wireshark on the dialler... that ACK packet *has a bad IP header checksum*.
> Not the earlier packets; just the ACK.  Huh?
> So, assume it's the OS, somehow; reboot.  65 Windows updates and an hour later...
> Set everything back up, and run more test calls.  This time, the Invite has a bad
> IP header checksum.  Look at clock, 6pm EDT.  Give up, go home.
> I'm going to go back to the original router Monday morning, and check the
> compatibility mode theory, but has anyone ever seen "just certain sent packets
> show up with a bad IP header checksum, as monitored on-machine"?
> (I know that the original 40D router might well *have* a problem, and that the
> checksum thing is orthogonal to the original problem -- since older pcaps show
> clean setups -- but at least I can confirm I have the NATs configured right.)
> Cheers,
> -- jra

More information about the VoiceOps mailing list