3CX server behind XG incoming call issues

Hello, 

 

I am having issues with incoming calls on 3CX behind a Sophos XG firewall. Sometimes incoming calls will connect after 10+ seconds and sometimes they won't at all. This previously ran behind a Pfsense firewall without issue, so I know it is related to the XG. When I run the firewall check on 3CX I get “full cone test failed” on the SIP port, tunnel port and media (9000+) ports. Outbound calls work fine. Tech support from Sophos tried several steps to diagnose and fix the issue without luck.

 

On the Sophos XG I have:

 

  • Disabled the SIP module
  • Modified the UDP timeout value to 150
  • Have forwarding rules for SIP, Tunnel, Management and Media ports.
  • Outbound rule for the 3CX server with Rewrite source address enabled. Use outbound address is SourceNAT which is the same IP address as the incoming rules.

 

Any ideas what could be causing the issue?

  • Hi toxrae,


    Apologies for the inconvenience caused. Could you please PM me the support case number? I will followup on that case and update you with my findings. 

    I would also like to know if you have DoS Protection configured under PROTECT > Intrusion Prevention > DoS & Spoof Protection? 

    Thanks,

     

  • In reply to H_Patel:

    PM sent.

    I have the 3CX server passing their Firewall Check by removing GEOIP filtering. I assume they try to test the 3CX server from a country I had blocked. The incoming call issue is still there though. I have tried another SIP provider and have that issue with them as well. 

    I'm not sure about that specific setting so I have attached screenshots from DoS & spoof protection. 

     

  • In reply to toxrae:

    Hi toxrae,

    Thanks for providing the case number, I will look into it and followup. Also thank you for the screenshot, you do not have DoS protection configured so it is not the issue in your case. 

    Thanks,

  • I created another outbound rule with masquerading and set the position to top. This seems to have mostly fixed the issue. I'll keep testing over the weekend. 

    Whats strange is that the old outbound rule was also at the top before, and comparing the rules they look exactly the same to me, so I'm not sure why this new rule seems to be helping. 

  • In reply to toxrae:

    This worked until at least midnight. It is back to not working today. But now none of the port forwards are working, not just the one for incoming calls, and creating new rules is not helping. Nobody is in the office today and nothing changed from last night. I tried to reboot and that didn't help. 

    Others that use XG and 3CX have shown me their rules and the ones I have are the same. I'm starting to think there is an issue with the XG itself.

  • In reply to LuCar Toni:

    Thanks. I have followed that and it is at 150.