This article describes how to fix the error ‘Mapping does not match 5060. Mapping is …’ on a 3CX phone server.
Scope
FortiGate.
Solution
When testing a phone system, a mapping issue on port 5060 may be encountered with the following message: ‘Mapping does not match 5060. Mapping is …’.
Running a debug flow will show that the reply traffic is not SNAT to the same port 5060, but is instead a random port number:
id=65308 trace_id=5 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=17, X.X.X.X:5060->X.X.X.X:5060) tun_id=0.0.0.0 from local. "
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-00000122, original direction"
id=65308 trace_id=5 func=__ip_session_run_tuple line=3392 msg="SNAT X.X.X.X->X.X.X.X:65477"
This is because there is an IP pool configured with the overload option. Changing it to a one-to-one type will prevent traffic being SNAT to a different port:
config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip X.X.X.X
        set endip X.X.X.Y
    next
end
Running a debug flow again will show traffic is now SNAT with the same port number:
id=65308 trace_id=6 func=print_pkt_detail line=5799 msg="vd-root:0 received a packet(proto=17, X.X.X.X:5060->X.X.X.X:5060) tun_id=0.0.0.0 from local. "
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5887 msg="Find an existing session, id-00000122, original direction"
id=65308 trace_id=6 func=__ip_session_run_tuple line=3392 msg="SNAT X.X.X.X->X.X.X.X:5060"
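The by-eye comparison of the two debug flow outputs above can be scripted when a capture contains many traces. The following Python is an added example, not part of the original article or any Fortinet tooling; the function name check_snat_ports and the sample addresses (documentation ranges standing in for X.X.X.X) are assumptions, and the patterns match only the line format shown above.

```python
import re

# Patterns follow the debug flow line format shown in the article.
PKT_RE = re.compile(
    r'trace_id=(\d+) func=print_pkt_detail .*?'
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')
SNAT_RE = re.compile(
    r'trace_id=(\d+) func=__ip_session_run_tuple .*?'
    r'msg="SNAT ([\d.]+)->([\d.]+):(\d+)"')

# Constructed sample: trace 5 mimics the overload pool, trace 6 the one-to-one pool.
SAMPLE = (
    'id=65308 trace_id=5 func=print_pkt_detail line=5799 msg="vd-root:0 received a '
    'packet(proto=17, 192.0.2.10:5060->198.51.100.20:5060) tun_id=0.0.0.0 from local. "\n'
    'id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5887 '
    'msg="Find an existing session, id-00000122, original direction"\n'
    'id=65308 trace_id=5 func=__ip_session_run_tuple line=3392 '
    'msg="SNAT 192.0.2.10->203.0.113.5:65477"\n'
    'id=65308 trace_id=6 func=print_pkt_detail line=5799 msg="vd-root:0 received a '
    'packet(proto=17, 192.0.2.10:5060->198.51.100.20:5060) tun_id=0.0.0.0 from local. "\n'
    'id=65308 trace_id=6 func=__ip_session_run_tuple line=3392 '
    'msg="SNAT 192.0.2.10->203.0.113.5:5060"\n'
)

def check_snat_ports(flow_output):
    """Pair each trace's original source port with the port chosen by SNAT."""
    original = {}  # trace_id -> (proto, original source port)
    for m in PKT_RE.finditer(flow_output):
        original[int(m.group(1))] = (int(m.group(2)), int(m.group(4)))
    results = []
    for m in SNAT_RE.finditer(flow_output):
        trace_id = int(m.group(1))
        if trace_id not in original:
            continue  # SNAT line whose packet line was not captured
        proto, src_port = original[trace_id]
        nat_port = int(m.group(4))
        results.append({"trace_id": trace_id, "proto": proto,
                        "src_port": src_port, "nat_port": nat_port,
                        "port_preserved": src_port == nat_port})
    return results

if __name__ == "__main__":
    for r in check_snat_ports(SAMPLE):
        state = "preserved" if r["port_preserved"] else "REWRITTEN"
        print(f'trace {r["trace_id"]}: {r["src_port"]} -> {r["nat_port"]} ({state})')
```

Because the patterns are applied with finditer over the whole text, the function also works on output where the entries have been joined onto one line.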