
Troubleshooting Remote Extensions and VoIP Providers Using the 3CX Firewall Checker

By AndreaPsyllos on September 03, 2012

Introduction to the 3CX Firewall Checker


The 3CX Firewall Checker is a tool which can be used to check that your router or firewall allows network traffic with VoIP Providers, Bridges, External Extensions and 3CXTunnel connections. A supported 3CX Phone System configuration requires that all the necessary ports are forwarded one-on-one into the LAN towards the 3CX Phone System machine. Anything less than that is considered an unsupported configuration.

We will use a simple example to demonstrate the use of the 3CX Firewall Checker further on. For this example to work we will make some assumptions:

1. The 3CX Phone System machine has an IP address of 192.168.0.100 and the test is for port 5060.
2. The Public IP address for your WAN port on your WAN-to-LAN device is 11.22.33.44 (External IP address).

Port Forwarding information


Basically, for a port to be correctly forwarded to the 3CX Phone System machine, any UDP packet that originates from the PBX machine and therefore has, in its Ethernet headers, the source IP::Port reading 192.168.0.100::5060, must reach its final destination (typically a VoIP Provider service, or a remote extension, or a bridged PBX) with the Ethernet source IP::Port headers reading 11.22.33.44::5060. So in essence, even though the IP Address needs to be translated (so that the traffic can be routed across the Internet Cloud), the port must NOT be translated. Furthermore, any UDP packet that originates from the WAN with Ethernet headers destination IP::Port reading 11.22.33.44::5060, must reach the 3CX Phone System machine with the Ethernet destination IP::Port headers reading 192.168.0.100::5060. The 3CX Firewall Checker can be used to determine if port mappings are configured correctly and will also provide additional information which might help you configure your firewall properly.

Running the 3CX Firewall Checker


To run the 3CX Firewall Checker:

1. Log in to the 3CX Management Console using your credentials.
2. Click on the Settings node to expand it and then click on the Firewall Checker node.
3. Click the Run Firewall Checker button.

Once the Firewall Checker starts, networking tests will be performed and depending on the configuration of your firewall or border device, the results will be provided together with information on what you can do to fix/troubleshoot the problem.

Notes

- Important: Starting the Firewall Checker will stop the 3CX Services. The PBX will not be available for the duration of the tests.
- The tests last 1 second for each port checked if the tests are successful, or anywhere between 5 and 10 seconds if the port fails the port check.
- By default, the firewall checker checks 52 ports. These include port 5060, port 5090 and port range 9000-9049.
- If everything is configured correctly, the tests should take less than a minute. If there are issues with all the ports, the test can take between 4 and 9 minutes. You also have the option to cancel the tests.
- The Firewall Checker asks the STUN server configured in the Settings > Network > STUN server tab to make connections to it on the ports being checked.
- Some firewalls might detect a port scan since the ports are checked sequentially. When this happens, the 3CX Firewall Checker will start reporting issues after the first few ports have been checked. If that happens you might want to disable the port scan check on your firewall while running the 3CX Firewall Checker.

3CX Firewall Checker Tests


The firewall checker will check for connectivity by making various requests to the STUN servers configured in Settings > Network > STUN server. The firewall checker performs the following 2 tests:

Test 1: Internet Reachability Test

This test checks that the 3CX PBX is able to communicate with the STUN server running on the internet from the port being checked. This test will also perform a DNS resolution check if the STUN server's hostname is specified. This test checks basic connectivity to the internet and that the STUN server is reachable. Check the following if you get a failure on test 1:

- You might have a general problem connecting to the internet. To confirm that, open a browser and check that you can connect to the internet by going to a website.
- You might need to configure your firewall to allow connections from the machine running 3CX Phone System to the internet on the port being checked. Check this blog post which documents the Ports used by 3CX Phone System.
- Your firewall might need to be configured to allow connections to the port being checked on both TCP and UDP. Once again, check this blog post which documents the Ports used by 3CX Phone System.
- This test will fail if the STUN server is not available. Confirm that the STUN server settings in Settings > Network > STUN server are correct or use a different STUN server to test.
- Confirm the port being used by the STUN server. The STUN server might be running on a different port.
- Apart from the WAN to LAN device (router or firewall), you should also check that the Windows Firewall installed on the local machine is allowing connections on the ports being checked.
- Anti-virus and other anti-malware software are known to interfere with this process. You will need to disable or uninstall these to confirm. Note: Disabling these anti-malware programs might not be sufficient to pass the tests.
- Your ISP might be blocking traffic on the port being checked. Check this blog post which documents the Ports used by 3CX Phone System.

Test 2: One on One Port Forwarding (a.k.a. Inbound Connection) Test


In this test, the firewall checker tries to determine if a server on the internet is able to connect and communicate with 3CX Phone System on the port being checked. This determines if one to one port forwarding (also known as Full Cone NAT) is configured on the firewall as required by the 3CX PBX. For this test, the 3CX Firewall Checker sends a request to the STUN server from the port being checked, and asks the STUN server to make a connection to the PBX from a different IP address on the port being checked. If Test 1 succeeds but Test 2 fails, you should check the following:

- Your WAN to LAN device (firewall or router) has static, one to one port forwarding configured for the ports being checked.
- Some ports need static port mapping configured for both TCP and UDP. Once again, check this blog post which documents the Ports used by 3CX Phone System.
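The port-preservation rule from the Port Forwarding information section and the Test 2 request, as an added Python example (not 3CX's code). It assumes classic RFC 3489 STUN framing, which the page does not spell out; the function names are illustrative and the server reply is constructed so the block runs offline.

```python
import os
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS, CHANGE_REQUEST = 0x0001, 0x0003
CHANGE_IP_AND_PORT = 0x00000006  # RFC 3489 flags: change IP (0x4) | change port (0x2)


def build_binding_request(change_ip_and_port=False, txn_id=None):
    """Binding Request: 20-byte header plus an optional CHANGE-REQUEST attribute."""
    txn_id = txn_id or os.urandom(16)
    attrs = b""
    if change_ip_and_port:  # ask the server to reply from its second address (Test 2)
        attrs = struct.pack("!HHI", CHANGE_REQUEST, 4, CHANGE_IP_AND_PORT)
    return struct.pack("!HH16s", BINDING_REQUEST, len(attrs), txn_id) + attrs, txn_id


def parse_mapped_address(response, txn_id):
    """Return (public_ip, public_port) from MAPPED-ADDRESS, or None if unusable."""
    if len(response) < 20:
        return None
    msg_type, length, rx_txn = struct.unpack("!HH16s", response[:20])
    if msg_type != BINDING_RESPONSE or rx_txn != txn_id or len(response) < 20 + length:
        return None
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + attr_len]
        if attr_type == MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:  # IPv4
            return socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0]
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are 32-bit aligned
    return None


def port_preserved(local_port, mapped):
    """One-to-one forwarding: the public port must equal the PBX's local port."""
    return mapped is not None and mapped[1] == local_port


def constructed_response(txn_id, ip, port):
    """Constructed sample reply standing in for a STUN server, so this runs offline."""
    value = struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attr), txn_id) + attr
```

With the page's example addresses, a reply mapping to 11.22.33.44 port 5060 passes `port_preserved(5060, ...)`, while a reply showing any other public port is the translation the text says must not happen.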

Results / Error messages


This section provides a list of results / errors that can be returned by the Firewall Checker.

Success Port forwarding is correctly implemented for this port. VoIP can work. This configuration is supported.

All the tests have completed successfully. Your WAN to LAN device (firewall / router) allows connections to the internet on the specified port and performs one to one port forwarding correctly. This configuration is supported.

STUN server has no second address.

You will get this error message when you are using an incorrectly configured STUN server. The STUN Server must have 2 addresses. You will need to use a different STUN server for these tests.

1. Log in to the 3CX Management Console.
2. Click on Settings > Network.
3. Find the STUN Server tab and configure one of the following STUN servers: stun.3cx.com, stun2.3cx.com, stun3.3cx.com, stun4.3cx.com

Failed No response received or port mapping is closed. Port forwarding not configured correctly.

Port Forwarding is not configured correctly for the port being checked. In this case VoIP Providers and Remote extensions WILL NOT WORK. Log in to your router / firewall and configure port forwarding by entering the ports required by 3CX and forwarding them to the IP Address of the 3CX Phone System machine.

Failed Firewall check failed. Some errors were detected. Please check your firewall configuration and try the test again.

You will get this message if some ports pass the tests and others don't. You will need to investigate which ports failed the test and check port forwarding for those ports. Also make sure that the firewall/router is not forwarding connections on the specific port to another IP Address. The ports should be forwarded to the IP Address of 3CX Phone System.

Failed Malformed response received (aka Symmetric NAT). Port forwarding not correctly implemented.

The response we got from the STUN server indicates that you do not have a one to one NAT (Full Cone NAT). 3CX Phone System requires 1 to 1 port forwarding, inbound and outbound, for VoIP Providers, Bridges and external extensions to work.

STUN server did not answer or port forwarding is not configured on your firewall.

The STUN server used for this test did not answer. Possible reasons could be:

1. STUN server is not reachable
2. STUN Server is down
3. Port forwarding is not configured correctly.

STUN server address cannot be resolved.

The DNS resolution used to resolve the STUN server's IP address failed. This could be a DNS issue, or the STUN server has ceased operations altogether.

Failed Malformed or no response received from configured STUN servers. Check your internet connection, DNS settings, or change STUN servers from Settings > Network > STUN Server tab.

If you get this message check that port forwarding is correctly implemented. Your firewall might be blocking packets. Check this article on how to configure static port forwarding.

Failed Port is in use by another application on this computer. OR SIP port is in use by process {0}. The 3CX Firewall checker requires the SIP port to be free.

The port needed for this test is currently in use by another application installed on the computer. To determine the process that is using the specified port, run the following command in command prompt:

netstat -ano | findstr /I /C:"PID" /C:":5060"


Replace 5060 with the port number that you need to check. You will find the process id of the process that is listening on the specified port in the PID column. Use this number to identify the process by using the Task Manager or by running the following command in the command prompt:

tasklist /fi "pid eq 4"


Replace 4 with the PID identified previously.

STUN servers are not reachable. Cannot perform Firewall check. This configuration is not supported

The STUN servers configured in the Network > STUN server tab cannot be reached. The most probable cause is usually an internet connectivity problem. Try to use one of the following STUN servers hosted by 3CX:

1. Log in to the 3CX Management Console.
2. Click on Settings, select Network.
3. Go to the STUN Server tab and change the STUN servers to one of the following, which are hosted by 3CX: stun.3cx.com, stun2.3cx.com, stun3.3cx.com, stun4.3cx.com
