Peer Sip Trunk with two UCM 6510 with Site to Site VPN in Sophos


i have Location-A with UCM 6510( and behind Sophos firewall( & Location-B with UCM6510( behind Sophos firewall( and configure IPSEC Site to Site vpn between them and first i am facing problem like i can able to ping and enable heartbeat detection enable but in dashboard sip singnal is red then i disable NAT in both firewall then heartbeat signal become green but not able to out going or incoming call i just many artical behind firewall some are suggested disable SIP ALG in sophos that i have done and in PBX SETTING----->SIP SETTING—>NAT i enable Use IP address in SDP but still i am not able to call outgoing and incoming in log file 404 coming .TCP (727 Bytes)


Can you catch packets in both UCM and compare ?
Your dump do not show anything. If packets are fine then configuration is wrong, but for this we need see full packet.


setting behind nat is ok as per mentioned on above or not


Depend if networks is reachable between. If yes not need NAT as it is only needed when you cannot reach 2 network directly.
Best is compare packets on both UCM, if sophos make mess you will see difference in packets.
Also you will see full communication or lack of it.


i have capture packets from both UCM from my sophos tcpdump
TCP (727 Bytes)
i have attached tcp dump file…


This is useless, i do not see content of packets.
Catch on UCM please. (you can also check ping or traceroute to 2 ucm)


If the two UCMs are connecting via the IPSec tunnel, then NAT in the firewalls is not an issue. The tunnel provides a direct access to the resources/devices sitting on each other’s LAN. NAT is not involved in this instance.

However, you still need to go to PBX settings, SIP settings and NAT and input your public IP or FQDN in the external host field to include checking the SDP box and you also need to input the local LAN for each site on both UCMs at the bottom of the same page. This tells each UCM that the other side should be treated as local and to use local IPs rather than public IPs when communicating with one another.

The SIP ALG should be disabled and port forwarding implemented for each site to support each UCM communicating with its external SIP provider.

#8 (7.1 MB)

I have disable SIP ALG and please find capture file of both UCM


There is no call, all i can see is option sent between UCM (and other normal calls).
Did you try call during capture ? (i do not see anything tried between UCM).


Which model of sophos firewall?


Also, you should be using the UCM in switch mode given that the UCM is also behind a NAT firewall. Only the LAN port is used.


Sophos XG300 series and i will capture packet again while try to call and let you know


when i try to call remote location extension log is SIP outgoing call through trunk failure! Provider name: BHIWANDI, From user: 341, To user: 3300, SIP response code: 404 Unallocated (unassigned) number i dont know where is my mistake


Location (9.7 MB)

from location A i m trying to call 3300 and 3301 may be you can find out something from capture file

#15 (627.9 KB)

this is out and inbond rule i have configured and anything else required to troubleshoot please let me know


location (1.0 MB)

this is location B capture file… in network setting both UCM are in dual mode


Did you check out the guide?

Change the outbound rule permission to internal from local.

The location B capture is not related to the calls made from location A, but rather seem to be new calls from B trying to reach A. As there were no screen shots of how the out- and inbound rules are set on each UCM for this call route, I can only assume that there were none as the calls never made it past the UCM. There should both in and out rules set on both UCM so that they can interact with one another.

As an aside. modify the codecs in all trunks and extensions to be only the ones you intend to use. You have them all still enabled which is really not needed. Most would use either PCMU or A (depends on your location, you being in the AP region would most likely use PCMA/g711a) and then perhaps G722 and g729.


Not a fix, but a story…

We tried to use the XG series Sophos for a while and could not get it to handle the packets correctly.
We were trying to VPN two sites together and have one UCM that handles all the phones.
We even got Sophos tech support involved and eventually abandoned them as they couldn’t make it work right either.

The other Sophos models work fine, just the XG series we had issues with.



and did you try to disable IPS by this command
set ips sip_preproc disable
Sophos XG Firewall: Audio and video calls are dropping or only work one way when H.323 helper module is loaded


I guess the question is whether or not you were able to get your setup working. The Sophos KB you posted address calls that are established and have issues with one way audio or video and possible dropped calls. You posts never indicated any ability to make or take calls - “but not able to out going or incoming call” and the error code was a 404 - not found.

Can you elaborate?