Troubleshooting VoIP

This topic provides guidance for diagnosing and resolving issues that you may encounter when Voice over IP (VoIP) is enabled through Forefront TMG. Issues usually occur during the initial VoIP deployment. After the deployment is successful and a single phone is able to initiate and receive calls, issues related to Forefront TMG rarely occur when you add more phones of the same make.

This topic contains the following sections:

  • Preparing to troubleshoot VoIP

  • Flowchart for troubleshooting VoIP

  • Procedures for troubleshooting VoIP

Preparing to troubleshoot VoIP

There are several tools that are available to assist you with the VoIP troubleshooting process:

  • The Forefront TMG log viewer—Enables you to monitor and analyze traffic for the SIP phone. No ports are defined in the RTP protocol definition because the port numbers in each call are different. The RTP log entry is therefore crucial in understanding the IP addresses and ports of the media in a particular call.

  • The SIP Access Filter—Exposes the following performance counters that you can add to the Forefront TMG Performance Monitor:

    • Active SIP registrations

    • Active SIP sessions

    The SIP Access Filter raises the following alerts:

    • SIP Call Quota Exceeded—SIP calls quota exceeded, new calls will be dropped.

    • SIP Filter Initialization Failed—The SIP application filter failed to initialize.

    • SIP Registration Quota Exceeded—SIP registration quota exceeded; new registration requests will be dropped.

      For more information, see Alert definitions and Configuring alerts.

  • Network Monitor—Enables you to run a display filter for the SIP phone. Each SIP packet is captured twice. The first occurrence is the original SIP packet that is sent by the SIP device, and the second occurrence is the SIP packet after it was handled by the SIP Access Filter. The content (or the absence) of the second entry helps you to understand how the SIP Access Filter handled the original SIP packet.

  • The Microsoft Firewall Service—Writes an entry every 60 seconds in the SIPDlg.txt calls file that is located in the %TMG Installation directory%\SipData folder. This entry lists the calls that are currently active, and appears as follows:

    7cc7-17434265-0001-Call30;10.0.2.1

    The entries are structured as follows: <CallID>;<IP the call originated from>

    In a hosted PBX, when the registration feature is activated, an entry is written every 60 seconds to the SIPReg.txt persistency file located in the %TMG Installation directory%\SipData folder. This entry lists the phones currently registered, and appears as follows:

    sip:10001@50.0.0.2;10001;10.0.2.1;5061;245;0;5060;50.0.0.4;140;10.0.2.1;10.0.2.1;5061

To prepare to troubleshoot VoIP:

  1. Configure a log filter for the SIP phone, as follows:

    1. In the Forefront TMG Management console, in the tree, click Logs and Reports.

    2. In the details pane, click the Logging tab.

    3. On the Tasks tab, click Edit Filter.

    4. From Filter by, select Client IP.

    5. From Condition, select Equals.

    6. In Value, type the IP address of the SIP client.

    7. Click Start Query.

  2. Add the SIP performance counters, as follows:

    1. Click Start, click Microsoft Forefront TMG, and then click Forefront TMG Performance Monitor.

    2. Click Add.

    3. Expand Forefront TMG Firewall Service, select Active SIP registrations and Active SIP sessions, and then click Add.

  3. Run Network Monitor with an IP filter for the SIP phone (ipv4.address set to the IP address of the SIP phone).

Flowchart for troubleshooting VoIP

This flowchart guides you through the steps that are required for troubleshooting VoIP.

[Figure: Flowchart for troubleshooting VoIP]

Procedures for troubleshooting VoIP

The following procedures describe the steps you might need to take when you use the flowchart to troubleshoot VoIP:

  • How to troubleshoot phone registration

  • How to troubleshoot outgoing calls

  • How to troubleshoot incoming calls

  • How to troubleshoot outgoing calls on different networks

  • How to troubleshoot incoming calls on different networks

  • How to troubleshoot outgoing calls on the same network

How to troubleshoot phone registration

You can detect when a phone fails to register with the IP Private Branch Exchange (PBX), as follows:

  • On a softphone, a message is displayed.

  • On a hardware phone, a hardware indication, for example a blinking light, might be visible.

  • On the Forefront TMG Management computer, the Microsoft Firewall service does not increase the performance counter Active SIP registrations by one.

To troubleshoot phone registration

  1. Check the Forefront TMG logs to determine whether the phone generated any traffic. If not, check the phone’s settings.

  2. Verify that the client DNS query requests are not blocked; if they are blocked, create the required access rules.

    Note

    Some phones need to use HTTP or TFTP requests in order to obtain their DNS configuration.

  3. Check the Forefront TMG logs to determine whether the SIP traffic over port 5060 was dropped. If this is the case, check for missing network rules. Also, check that the phone location matches the SIP rule that was created in the SIP Configuration Wizard. For information, see Configuring access for VoIP.

  4. If the phone is trying to connect to the ITSP using a port other than 5060, create a new rule and reconfigure the SIP filter to use the new port. The SIP filter will then be monitored on the correct port.

    Warning

    SIP messages must be sent and received on the same port.

  5. If this is not the only active SIP phone, check that the registration quota was not exceeded. The SIP Registration Quota Exceeded alert indicates that the quota was exceeded and that new registration requests are being dropped. If the quota was exceeded, modify the SIP quota. For information, refer to Configuring advanced VoIP settings.

  6. If you are using a hosted PBX system, you can deploy VoIP without the SIP Access Filter (essentially converting Forefront TMG to a simple NAT device). Create a new access rule that allows all traffic from the phone’s IP to the external PBX and disable the SIP Access Filter, as follows:

    1. In the Forefront TMG Management console, in the tree, click Firewall Policy.

    2. On the Tasks tab, click Create Access Rule.

    3. Follow the instructions in the wizard that opens to create a rule that allows all traffic from the phone’s IP to the external PBX.

    4. In the details pane, click the Apply button to save and update the configuration.

    5. In the Forefront TMG Management console, in the tree, click System.

    6. In the details pane, click the Application Filters tab.

    7. Select the SIP Access Filter tab, click Disable Selected Filter, and then click Apply.

    8. If the phone can now register, the problem is with the SIP Access Filter. Use the Forefront TMG Best Practices Analyzer Tool to capture the scenario and then contact CSS.

  7. Validate that the SIP registration was successful by checking the SIPReg.txt persistency file that is located in the %TMG Installation directory%\SipData folder. When the registration feature is activated, an entry is written to this file every 60 seconds. The entry lists the currently registered phones, and appears as follows:

    sip:10001@50.0.0.2;10001;10.0.2.1;5061;245;0;5060;50.0.0.4;140;10.0.2.1;10.0.2.1;5061
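The check in step 7, combined with the SIPDlg.txt calls file described earlier, can be scripted. The following Python is an added example, not part of the original topic or of Forefront TMG; the sample file contents are constructed from the entries shown above, and matching the phone's IP address against any field of a SIPReg.txt entry is an assumption, because the page documents only the SIPDlg.txt layout.

```python
import ipaddress

# Constructed sample contents, modelled on the entries shown in the text.
SIPDLG_SAMPLE = """\
7cc7-17434265-0001-Call30;10.0.2.1
7cc7-17434265-0002-Call31;10.0.2.7
this line is damaged
"""
SIPREG_SAMPLE = """\
sip:10001@50.0.0.2;10001;10.0.2.1;5061;245;0;5060;50.0.0.4;140;10.0.2.1;10.0.2.1;5061
"""

def parse_sipdlg(text):
    """Return (calls, rejected); each call is (call_id, origin_ip) per <CallID>;<IP>."""
    calls, rejected = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        call_id, sep, ip = line.rpartition(";")
        try:
            if not (sep and call_id):
                raise ValueError("missing CallID or separator")
            calls.append((call_id, str(ipaddress.ip_address(ip))))
        except ValueError:
            rejected.append(line)  # keep damaged lines visible instead of dropping them
    return calls, rejected

def parse_sipreg(text):
    """Return (uri, fields) per entry. Only the leading SIP URI is interpreted;
    the remaining fields are undocumented on the page and stay opaque."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        uri, *fields = line.split(";")
        if uri.startswith("sip:"):
            entries.append((uri, fields))
    return entries

def phone_status(phone_ip, sipdlg_text, sipreg_text):
    """Summarise what the two SipData files say about one phone."""
    calls, rejected = parse_sipdlg(sipdlg_text)
    regs = parse_sipreg(sipreg_text)
    return {
        # Assumption: a registration belongs to the phone if its IP appears in any field.
        "registered_as": [uri for uri, fields in regs if phone_ip in fields],
        "active_calls": [cid for cid, ip in calls if ip == phone_ip],
        "unparsed_sipdlg_lines": rejected,
    }

if __name__ == "__main__":
    print(phone_status("10.0.2.1", SIPDLG_SAMPLE, SIPREG_SAMPLE))
```

To use it against a live deployment, pass the text of SIPDlg.txt and SIPReg.txt from the SipData folder in place of the samples. Both files are rewritten every 60 seconds, so a phone that has just registered may not appear until the next write.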

How to troubleshoot outgoing calls

After the phone is registered, try to initiate an outgoing call. In order to streamline the troubleshooting process, call a regular PSTN phone.

To troubleshoot outgoing calls:

  1. Monitor the call start and termination using the Active SIP sessions performance counter.

  2. If the PSTN phone does not ring:

    1. Check the Forefront TMG logs for the traffic that originated from the SIP client.

    2. If there is no SIP client traffic, check the phone settings.

    3. If the SIP connection is successfully created, convert Forefront TMG to a simple NAT device. For information, see How to troubleshoot phone registration.

  3. If the PSTN phone rings, but there is no voice, check that the correct RTP rules exist between the phone and the external ITSP. For information, see Configuring access for VoIP.

  4. If the call stops unexpectedly after 30 seconds, use the Forefront TMG Best Practices Analyzer Tool to capture the scenario and then contact CSS.

How to troubleshoot incoming calls

After you can make an outgoing call, try to call the SIP phone. In order to streamline the troubleshooting process, call from a regular PSTN phone.

To troubleshoot incoming calls:

  1. Enable internal SIP clients to register externally:

    1. In the Forefront TMG Management console, in the tree, click Firewall Policy.

    2. On the Tasks tab, click Configure VoIP Settings.

    3. Select Enable internal SIP clients to register externally to allow clients on the internal network to receive incoming calls from the IP PBX.

    4. In the External registration IP address dialog box, check that the IP address is 0.0.0.0 if you selected DNS or External network for the location of the external PBX, or the IP address of the external PBX if specified.

  2. If the phone does not ring:

    1. Check the Forefront TMG logs for traffic originating from outside. If there is no traffic, the problem is usually an ITSP problem.

    2. If traffic is originating from the outside, use the Forefront TMG Best Practices Analyzer Tool to capture the scenario and then contact CSS.

  3. If the phone does ring but there is no voice, check that the correct RTP rules exist between the phone and the external ITSP. For information, see Configuring access for VoIP.

  4. If the call stops unexpectedly after 30 seconds, use the Forefront TMG Best Practices Analyzer Tool to capture the scenario and then contact CSS.

How to troubleshoot outgoing calls on different networks

Try to initiate an outgoing call. In order to streamline the troubleshooting process, call a regular PSTN phone. The diagnostic process is similar to that described in How to troubleshoot outgoing calls, except that the registration feature is disabled.

How to troubleshoot incoming calls on different networks

Try to initiate an incoming call to the SIP phone. In order to streamline the troubleshooting process, call from a regular PSTN phone. The diagnostic process is similar to that described in How to troubleshoot incoming calls, except that the registration feature is disabled.

How to troubleshoot outgoing calls on the same network

If the phones and internal PBX are in the same network and the call is not successful, the problem is a VoIP system problem.
