VoIP call connects over the Internet but no voice - Mitel 5000

[a0157202]

We are changing from one WAN router to another, a Palo Alto PA-200.  I have configured all the port forwarding from the old router to the new PA-200, but when I try a VoIP call to a VoIP phone on the Internet the call connects but I get no voice in either direction.  Here are the port forwards:
UDP 6004-6261
UDP 50098-50508
UDP 20001
UDP 1118
TCP 3998-3999
UDP 5060
TCP 6800-6802
TCP 44000
TCP 4000

The above settings work without issue on the old router, but not on the PA-200.  My Mitel vendor tells me UDP 50098 - 50508 are used for the voice traffic.  I see with a sniffer trace UDP 50102 between the Mitel 5000 and the Internet based phone, but really no problems.  Any ideas on what further PA-200 router config changes might be needed to get this working?  Or any ideas on how to troubleshoot further?  I have been looking for a Mitel VoIP packet flow but haven't been able to find one.  I do see the call connecting on TCP 6800 and then another TCP 3999 and suspect these are just part of the call setup flow.

[Tech Electronics]

A0157202,

There are a couple of reasons why, but let's start with the obvious one. Do you have more than one static IP address assigned to the 5000 which would indicated that you may have a PEC or a PS-1 on your base system?

Also, I noticed that you had port 1118 in your list of ports for the phone, but that is not a normal port for the system that I have ever heard of.

Here is quote from a previous post on this topic that I have written that may explain what all the ports are for so you can understand this a little better.

Alright, so if all you have are SIP and Mitel 52xx/53xx style phones then all you would need open are the following ports.

UDP - Bidirectional
69 or 20001   TFTP
50098-50508   Phone Audio RTP
6004-6261   Base Processor Audio Receive RTP
6604-7039   Expansion Processor Audio Receive RTP
5567      Processor Call Control - General Purpose
5060      SIP

TCP - Bidirectional
6800-6802   MiNet
3998-3999   Switch Application Communication [SAC]
5566      Processor Call Control
5060      SIP

If you do not have an Expansion Card [PEC-1] on your Base Processor then you do not need the ports opened up for that. If you do have an Expansion Card, which would have to have its own Public IP address, then you would open those ports up for it. Keep in mind that you have to do this for both Public IP addresses.

If you need Database Programming and/or System Administration and Diagnostics [SA&D] to work as well then open the following ports.

TCP
44000      Secure Database Programming
443      Secure SA&D Web Interface <- I don't recommend opening this up for remote use
22      SSH  <- I do not recommend opening this up without shutting it off in the system

If you have a networked system going through your firewall then you  would need to open up the following ports as well.

UDP
6004      Base Processor Audio Receive RTP <- If you have remote phones this is already opened

TCP
5570      Processor Call Control Port

Hopefully that helps you label your ports for future reference.

Thanks,

TE

[a0157202]

TE,
Thanks for the reply.  I am not the Mitel 5000 vendor so I don't know about the cards installed in it, but there is only 1 private IP address assigned to the Mitel 5000, 192.168.242.30.  It is "inside" the firewall, PA-200.  Not sure about the ports, I just enabled them based on the Mitel phone vendor and it worked on the existing Watchguard Edge router/firewall.  I also got it working on a low end Cisco router/firewall.  I just can't get voice to work over the Internet using the Palo Alto 200.

[619Tech]

Were the off-prem endpoints working with two-way audio prior to the WAN router upgrade?

[Tech Electronics]

A0157202,

Unfortunately if the problem only exists on the Palo Alto 200 and the phones work fine off of your old router and a low end Cisco firewall then most likely the PA-200 is doing some deep packet inspection or it has triggered its heuristics for an attack and it's blocking or dropping the packets. Unfortunately I have never worked with the PA-200, but this did happen with Juniper Routers before and their tech support was unable to resolve why even after they saw it happening.

Sorry,

TE

[a0157202]

Since neither the Palo Alto reseller, Palo Alto support, and Mitel support aren't making any progress I am going to see if I can get a sniffer trace tonight on the old router so we can "see" how it works and then compare the flow against the PA sniffer traces and figure out what needs to be adjusted on the PA.

[a0157202]

Does anyone have a sniffer trace of a call between a VoIP on the Internet and a Mitel 5000 on an Intranet?  My customer doesn't have managed swtiches so I can't mirror/span a port to my laptop so I can get a sniffer trace.

[hriaz]

Might want to try disabling SIP ALG.

https://live.paloaltonetworks.com/docs/DOC-6214

[a0157202]

Thanks but we already tried that and still got not voice in either direction.  I was able to get a good sniffer trace over the weekend and am looking at the flow that works with our Watchguard router and comparing it to a failed flow while on the Palo Alto router.  Hopefully I can post what it ultimately took to fix this to help anyone else out.