Trouble with SIP Ports on Yealink Phones

Asked By TechieTrickster On

I'm having some issues with SIP on Yealink phones in a setup that involves a FortiGate SD-WAN across multiple sites. The traffic flow looks something like this: Phone Server to Ubiquiti Switch to Central Office FortiGate, then to a Router, and finally through a Remote ISP FortiGate before reaching the End User Yealink Phones.

I've set up rules on both firewalls to allow traffic on port 5070, but something is changing that port to 5060. While 5060 seems to be working, the Yealink phones expect packets on 5070, which I've confirmed by using Wireshark. I've turned off SIP ALG on both the router and the FortiGate at the central office, but the ISP has a reputation for being unreliable and possibly lying about their changes. There's also a history of Grandstream phones having similar issues at the same remote site.

Currently, I'm considering switching the phones to use 5060 instead of 5070, but I'm curious if anyone here has faced similar SIP issues or if I might be overlooking something obvious. My test environment is working fine, and the setup operates well with a couple of VoIP support partners. I also have to manage NAT with VIPs set up on the FortiGate for the remote site's public IP. The PBX system is OpenScape hosted internally with external trunks.

The primary issue I'm experiencing is one-way audio; Yealinks can call other phones (like Unify), but incoming calls from other devices can't reach them properly.

3 Answers

Answered By CaptureMaster On

I've been through something similar with SIP setups. What worked best for me was taking packet captures at each gateway. You need to check if the packets coming in still show up on 5070. Most of the time, I found that manipulations happened before they even got to my part of the network. If that’s the case, you'd have solid evidence to challenge the ISP.
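The comparison this answer describes, as an added example that is not part of the original post: it takes the text of the same SIP message exported from captures at two gateways and reports which payload fields changed in between. The sample messages, addresses and Call-ID are constructed, and the function names are hypothetical.

```python
import re

# Fields an in-path SIP helper (ALG) rewrites inside the payload; plain NAT
# only touches the IP/UDP headers, so any difference here points at a helper.
PATTERNS = {
    "via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?<sip:(?:[^@>]+@)?([^;>\s]+)", re.I | re.M),
    "sdp_c": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "sdp_m": re.compile(r"^m=audio (\d+)", re.M),
}

def sip_fields(message):
    """Extract the Call-ID and the rewrite-prone fields from one SIP message."""
    text = message.replace("\r\n", "\n")
    call_id = re.search(r"^Call-ID:\s*(\S+)", text, re.I | re.M)
    fields = {"call_id": call_id.group(1) if call_id else None}
    for name, pattern in PATTERNS.items():
        match = pattern.search(text)
        fields[name] = match.group(1) if match else None
    return fields

def diff_capture_points(before, after):
    """Compare one message seen at two capture points; return changed fields."""
    a, b = sip_fields(before), sip_fields(after)
    if a["call_id"] != b["call_id"]:
        raise ValueError("Call-ID differs: not the same dialog")
    return {name: (a[name], b[name]) for name in PATTERNS if a[name] != b[name]}

# Constructed sample: the same INVITE as sent by the phone (port 5070) and as
# seen after an intermediate device rewrote the signalling port to 5060.
TEMPLATE = (
    "INVITE sip:2001@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP {host}:{port};branch=z9hG4bK-constructed\r\n"
    "Call-ID: constructed-call-1@example.invalid\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1001@{host}:{port}>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 {host}\r\nm=audio 11780 RTP/AVP 0\r\n"
)
PHONE_SIDE = TEMPLATE.format(host="192.0.2.15", port=5070)
WAN_SIDE = TEMPLATE.format(host="192.0.2.15", port=5060)

if __name__ == "__main__":
    for field, (old, new) in diff_capture_points(PHONE_SIDE, WAN_SIDE).items():
        print(f"{field}: {old} -> {new}")
```

Running it on captures from each side of a single device narrows the rewrite down to that device; an empty result means the payload passed through unchanged.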

Answered By NetworkNinja84 On

It sounds like you might have some issues with your intra-site traffic. I'd suggest setting up a VPN between the two FortiGates to eliminate any unpredictable ISP behavior. Also, double-check if the section labeled 'Remote ISP FortiGate' should actually just be 'Router'—could be a typo, which might complicate things some more.

PacketPioneer -

If you’re considering a change, SIP over TLS could really secure your traffic. That way, any third-party hacks or changes to packets would be harder for the ISP to pull off.

Answered By VoipGuru99 On

First off, definitely make sure you’ve disabled SIP ALG—it's notorious for messing with SIP packets. If you haven't already, check FortiGate's documentation on disallowing VoIP Inspection as well; it can play a big role in these issues you’re seeing. That link I shared might be useful!

NerdNet129 -

Totally agree, SIP ALG has caused me so many headaches in the past. Disabling it on the FortiGate is almost always a must.
