
XG firewall won't allow outgoing VoIP RTP Traffic

Hello, let me start off by saying that our VoIP system is working fine with a different firewall, so I know everything is good there.

I don’t think this should make a difference to the problem I’m seeing, but I’m using a VLAN interface on our LAN port to reach the phone VLAN.  The phone system connects to the same network switch on an untagged port.  After setting up the DNAT and firewall rules that matched the other firewall for our NEC VoIP system, I can place a call and see the expected SIP traffic in wireshark, but I only get voice coming in from the outside, no voice is going out.

I set up a mirrored port for the phone system and confirmed with wireshark that the phone system is trying to send RTP packets to the correct external IP.  When I run TCPdump on the XG, I can see the expected incoming RTP packets, but as far as I can tell, the RTP traffic from the phone system isn’t even hitting XG port. 

09:05:20.116070 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.136050 Port2, IN: IP 66.xxx.xxx.xxx.48814 > 216.xxx.xxx.xxx.10208: UDP, length 172
09:05:20.136064 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.156049 Port2, IN: IP 66.xxx.xxx.xxx.48814 > 216.xxx.xxx.xxx.10208: UDP, length 172
09:05:20.156063 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.176045 Port2, IN: IP 66.xxx.xxx.xxx.48814 > 216.xxx.xxx.xxx.10208: UDP, length 172
09:05:20.176069 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172

I’ve unloaded the SIP module on the XG. 

 

I think I must be missing something obvious here.  About the only thing I haven’t tried yet is setting up another physical port on the XG for the phone system instead of using a VLAN interface, but I don’t see any reason that should work vs. what I’m already trying.    



Edited TAGs
[edited by: Erick Jan at 5:48 AM (GMT -8) on 15 Nov 2022]
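One way to turn a capture like the one above into a direction check, as an added example (not code from the original post or from Sophos): it parses lines in the XG tcpdump format shown in the thread, counts RTP seen towards and from the phone system on the firewall's own interfaces, and reports whether media is one-way because nothing from the phone system reaches the VLAN interface (the switch/tagging path), or because it reaches the LAN side but never leaves the WAN interface (outbound rule or SNAT/MASQ). The phone IP, interface names, port numbers and the sample lines are constructed for the example, with RFC 5737 documentation addresses standing in for the redacted public IPs.

```python
import re
from collections import Counter

# Line format as printed by tcpdump on the XG console in this thread:
#   <time> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: UDP, length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one capture line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def diagnose_rtp(lines, phone_ip):
    """Classify the media path for phone_ip from what the firewall itself saw.

    Packets whose destination is phone_ip are post-DNAT RTP going to the phone
    system; packets whose source is phone_ip are RTP the phone system managed
    to get onto the firewall's LAN/VLAN interface.  OUT packets on any other
    interface are what actually left towards the WAN after SNAT/MASQ.
    """
    pkts = [p for p in map(parse_line, lines) if p is not None]
    to_phone = [p for p in pkts if p["dst"] == phone_ip]
    from_phone = [p for p in pkts if p["src"] == phone_ip]
    internal_ifaces = {p["iface"] for p in to_phone} | {p["iface"] for p in from_phone}
    wan_out = [p for p in pkts if p["dir"] == "OUT" and p["iface"] not in internal_ifaces]

    if not to_phone and not from_phone:
        verdict = "no_rtp_seen"
    elif not from_phone:
        # Inbound media arrives and is forwarded, but nothing from the phone
        # system ever reaches the firewall: check the switch/VLAN path
        # (tagged vs untagged) before touching NAT rules.
        verdict = "no_rtp_from_phone"
    elif not wan_out:
        # The phone's RTP hits the LAN interface but never leaves the WAN side:
        # outbound firewall rule or missing SNAT/MASQ for that segment.
        verdict = "not_leaving_wan"
    else:
        verdict = "two_way"

    return {
        "verdict": verdict,
        "to_phone": len(to_phone),
        "from_phone": len(from_phone),
        "wan_out": len(wan_out),
        "internal_ifaces": sorted(internal_ifaces),
        "per_iface": dict(Counter((p["iface"], p["dir"]) for p in pkts)),
    }


# Constructed sample captures in the thread's format (not real traffic).
PHONE_IP = "192.168.86.6"
ONE_WAY_CAPTURE = [
    "09:05:20.116070 Port1.86, OUT: IP 203.0.113.45.48814 > 192.168.86.6.10208: UDP, length 172",
    "09:05:20.136050 Port2, IN: IP 203.0.113.45.48814 > 198.51.100.7.10208: UDP, length 172",
    "09:05:20.136064 Port1.86, OUT: IP 203.0.113.45.48814 > 192.168.86.6.10208: UDP, length 172",
    "09:05:20.156049 Port2, IN: IP 203.0.113.45.48814 > 198.51.100.7.10208: UDP, length 172",
]
# Phone system's RTP reaches the VLAN interface but nothing goes out of Port2.
STUCK_CAPTURE = ONE_WAY_CAPTURE + [
    "09:05:20.120001 Port1.86, IN: IP 192.168.86.6.10208 > 203.0.113.45.48814: UDP, length 172",
]
# Healthy: the same packet leaves Port2 with the public address after MASQ.
HEALTHY_CAPTURE = STUCK_CAPTURE + [
    "09:05:20.120010 Port2, OUT: IP 198.51.100.7.10208 > 203.0.113.45.48814: UDP, length 172",
]

if __name__ == "__main__":
    for name, cap in (("one-way", ONE_WAY_CAPTURE), ("stuck", STUCK_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, diagnose_rtp(cap, PHONE_IP))
```

Feed it the output of `tcpdump 'host <phone IP>'` from the XG console; the `per_iface` counts show at a glance which interface and direction is silent, which is the distinction the rest of the thread turns on (packets never arriving on the VLAN interface versus packets arriving but not being forwarded or masqueraded).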
  • Hello,

    Thank you for reaching out to the community. For a poor quality/no voice issue you may refer to the following article - https://support.sophos.com/support/s/article/KB-000037055?language=en_US

    Although you have already turned the Session Initiation Protocol (SIP) module off, you may toggle it off/on again and refer to the article below - https://support.sophos.com/support/s/article/KB-000035917?language=en_US

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    your DNAT is working, what about MASQ for the outgoing packets for the network-segment?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Personally, I need to have the SIP module ON for our VoIP to work. What version of SFOS are you using? I'm not a VLAN expert, but I hear you saying "phone VLAN" and "untagged port", which seems contradictory, but maybe I'm just not familiar enough with the lingo.

    Have you checked all logs (Firewall Rules, App Filter, etc, etc) to make sure there's no documentation of the traffic being dropped? And have you tried drop-packet-capture in the Console (option 4, under the Advanced Shell it has a different name).

    Also, what is the VLAN number for Port1.86? Hopefully not VLAN 1.

  • I'm running version 19.0.0.

    VLANs can get confusing, but my terminology is probably off because I've been dealing with Aruba/HP switches vs. Cisco for the last few years.  In this case, an untagged port just means that the switchport is stripping off the VLAN tag before sending out the frame and any return traffic has the tag added back on.  That being said, now you have me wondering if the return traffic is missing because the phone system is sending out tagged traffic after all.  Something to check...        

    Everything I can see in the firewall logs through the GUI shows me the same thing I see from TCPdump.  I can see the RTP traffic coming in from our ISP and getting forwarded to the phone system's IP, but nothing about the RTP traffic from the phone system is showing up on the Sophos.  I can see the SIP traffic in both directions though, and that uses nearly identical DNAT and firewall rules as I'm using for the voice communication.  The only differences are the ports in use and the IP's involved.     

    I didn't think of the App Filter, I'll take a look at that when I next get a chance.    

  • Hi KMD_Comp

    Please post the service host that you have created for the voice server under System --> Hosts and Services --> Services and applied on the DNAT firewall rule and on the NAT rule, as we have to make sure all the ports related to the voice server are forwarded in the firewall rule as well as in the NAT rule.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Will do.  FYI, I probably won't be able to get back to this until tomorrow morning, EST.

  • Hi KMD_Comp

    Also, post your DNAT firewall rule and NAT rule for the forwarded voice server; make sure you hide your public-facing IP in the post.

    Please check the traffic flow with Packet capture under MONITOR & ANALYZE | Diagnostics | Packet capture, using the GUI and CLI to capture the traffic, and check the traffic flow between your voice server and IP phone; also make sure the traffic is passing through the same DNAT firewall rule and NAT rule, on the same ports on which the communication should be.

    tcpdump 'host <IP address of your IP Phone>'

    https://support.sophos.com/support/s/article/KB-000036858?language=en_US 

    support.sophos.com/.../KB-000037007

    Please share the settings you have applied on the IP phone.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for everyone's input, but I have to put this on hold to deal with something else.  Depending on site policy, I'll either revisit this or start a new topic when I can get back to it.
