ControlOne - VoIP Troubleshooting

Cloud-based VoIP systems can present issues when installed behind a firewall often traffic is blocked or rate limited. The purpose of this guide is to walk through basic steps to determine where the issue is coming from. 


Physical Connectivity

The first thing to check is the physical connectivity of the phone. Is the device powering on and getting an IP address? Often if a device is showing "NO LAN" or "Network Down" it can indicate that the device is connected to power but has no network connectivity. Once it has been confirmed that the device is attached to a configured network port and is powering on we can move to logical issues. 


Logical Connectivity

Once physical connectivity is confirmed we can move to logical connectivity. At this point, it is best practice to review the layout of the network and how the device fits into it. Does the network utilize VLANs to isolate Voice and Data traffic? Is the network a single subnet with all traffic mixed? If a phone has an incorrect VLAN tag it may show up in the wrong subnet or even not pull an IP at all. Reviewing the LAN configuration on the CBR and any configuration on a southbound switch may reveal a misconfiguration. 


ControlOne and SIP

ControlOne is SIP aware so it'll detect SIP as a service and by application and port, and will prioritize that based on the already applied QoS


Questions for your VoIP Provider

Many cloud-based VoIP providers will limit or block traffic from unknown sources. When moving to ControlOne your public IP will change to an IP provided by our Cloud Gateway. It is best to verify with your VoIP provider that the new public IP is allowed. 


Checking Logs

ControlOne has built-in reporting that allows you to review any traffic that has entered or left the network. You can access this by logging into the ControlOne portal, selecting the applicable company, and then selecting "Reporting" in the upper left-hand corner. 


The page will show up with a live traffic monitor that has no filter on it so all traffic will be shown. Just below the live drop-down will be the option to show filters. This will allow you to specify what traffic you are looking for. A good start is to look for traffic starting with the source IP as one of the local IPs assigned to a VoIP phone.




Another troubleshooting method is exclusion. You can select specific traffic to be excluded from a security policy. Note: this should be used with caution as the traffic will not have any of the protections provided by ControlOne. 

You will first need to create a custom security policy. The link below provides instructions for creating a custom security policy. 

Once the custom security policy is created you can add an exclusion to the policy for the destination IP address. 


Once the exclusion is created and the security policy assigned to the zone. Any traffic that matches the configured domain or IP address will bypass the security policy. In some cases, this can help as SIP traffic can be sensitive to Deep Packet Inspection or Intrusion Prevention. 


If the provided methods above do not resolve your VoIP-related issues please reach out to our support team by either submitting a ticket to or calling us at 877.411.2987 Opt1 Opt1. 




Was this article helpful?
1 out of 2 found this helpful