I have a problem with the 3cx system at my company. I switched from a Sophos SG to the XGS (UTM210 to XGS2100).
The telephony partly works wonderfully, but partly not.
I first have a DNAT rule that says that all required ports for the 3cx are released on an additional IP address on the WAN interface. The access to the 3cx works fine from the outside. Otherwise the 3cx has an Any rule without filter in the direction of the WAN. I have attached screenshots.
Unfortunately, for inexplicable reasons, calls now and then become one-sided or break off completely. The SIP trunk is not disconnected and no re-registration is performed. In the log I cannot see what is blocked or dropped. I have also assigned the profile "VoIP Guarantee" to the 3cx, so that the system has guaranteed bandwidth and is not throttled. IPS and ATP (Advanced Protection) are also turned off, or the 3cx phone system is excluded.
SIP ALG is also turned off and the UDP Time-Out Time is set to 150ms.
The system version I have is SFOS 19.0.0 GA-Build317.
Have you tried to create a linked SNAT rule for your outgoing firewall rule?
Yes, I have already done that too. As a result, the error message "not reachable" appeared in the firewall checker.
If I remove the SNAT rule or deactivate it, I get "full cone test failed" again, although the DNAT rule is created accordingly. Accordingly, the calls are unfortunately not stable.
Hi Philipp Junker,
A packet capture (pcap) will help you investigate the issue between your IP phone and the voice server.
Please share the pcap file from the voice server and from your IP phone.
On the Sophos Firewall, please check the traffic flow with the help of packet capture.
Please go to MONITOR & ANALYZE > Diagnostics > Packet Capture, click Configure, add host <destination IP>, and start the packet capture.
Share the packet capture you have taken from the GUI.
From the CLI, check tcpdump and the drop packet capture as well:
console> tcpdump 'host <destination IP>'
console> drop-packet-capture 'host <destination IP>'
Thanks and regards
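Added example, not part of the thread and not Sophos or 3CX code: once the tcpdump output suggested above has been saved as text, a short script can flag UDP streams that only ever flow in one direction, which is what a one-sided call looks like on the wire. It assumes standard `tcpdump -n` style lines containing `IP src.port > dst.port: UDP, length N`; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the "IP a.b.c.d.port > e.f.g.h.port: UDP, length N" part of a
# tcpdump -n text line (assumed format). Any prefix such as a timestamp or
# an interface name is ignored because search() is used, not match().
UDP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def count_flows(lines):
    """Count UDP packets per directed (src, dst) endpoint pair."""
    flows = Counter()
    for line in lines:
        m = UDP_LINE.search(line)
        if m:
            src = (m.group(1), int(m.group(2)))
            dst = (m.group(3), int(m.group(4)))
            flows[(src, dst)] += 1
    return flows

def one_way_flows(lines, min_packets=3):
    """Return (src, dst, count) for flows that never received a reply packet."""
    flows = count_flows(lines)
    return sorted(
        (src, dst, n)
        for (src, dst), n in flows.items()
        if n >= min_packets and flows.get((dst, src), 0) == 0
    )

# Constructed sample capture: one healthy two-way stream, one stream with no return audio.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.9000 > 203.0.113.20.16384: UDP, length 172
10:00:00.010001 IP 203.0.113.20.16384 > 192.0.2.10.9000: UDP, length 172
10:00:00.020001 IP 192.0.2.10.9000 > 203.0.113.20.16384: UDP, length 172
10:00:00.030001 IP 203.0.113.20.16384 > 192.0.2.10.9000: UDP, length 172
10:00:00.040001 IP 192.0.2.10.9000 > 203.0.113.20.16384: UDP, length 172
10:00:00.050001 IP 203.0.113.20.16384 > 192.0.2.10.9000: UDP, length 172
10:00:05.000001 IP 192.0.2.10.9002 > 203.0.113.20.16390: UDP, length 172
10:00:05.020001 IP 192.0.2.10.9002 > 203.0.113.20.16390: UDP, length 172
10:00:05.040001 IP 192.0.2.10.9002 > 203.0.113.20.16390: UDP, length 172
10:00:05.060001 IP 192.0.2.10.9002 > 203.0.113.20.16390: UDP, length 172
""".splitlines()

if __name__ == "__main__":
    for src, dst, n in one_way_flows(SAMPLE):
        print(f"one-way: {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} ({n} packets, 0 replies)")
```

Run it on a capture taken on a single side of the firewall, since NAT rewrites the addresses and a capture mixing LAN-side and WAN-side packets would not pair the two directions.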