Introduction

The 3CX Firewall Checker tool is used to check whether your router or firewall is allowing network traffic to or from VoIP providers, bridges, external extensions and 3CX tunnel connections.

3CX phone systems require all necessary ports to be forwarded one-on-one into the LAN toward the 3CX phone system, otherwise the configuration is considered unsupported.

You can find a link to download the 3CX Firewall Checker on our downloads page.

Having compatibility issues with old phones?
Check out the “PBX Delivers Audio” option.

Port Information

The following ports need to be open for the 3CX Firewall Checker client to work:

  • SIP Port UDP: 5091
  • RTP Ports UDP: Range: 11000 – 11015

Running the 3CX Firewall Checker

The following ports need to be open for the 3CX Firewall Checker client to work:

  • SIP Port UDP: 50913CX PBX Status
  • RTP Ports UDP: Range: 11000 – 11015
  1. Login to your 3CX Management Console
  2. Click on “Firewall Check” in the PBX Status section and click “Run”.
  3. Results will be displayed along with what you can do to troubleshoot the problem.

Note:

The Firewall Checker will stop all 3CX services and the PBX will not be available for the duration of the test. The test will generally take approximately 4 – 9 minutes, and can be cancelled at any time.

If the 3CX Firewall Checker starts reporting issues after the first few ports have been checked, try disabling the port scan check on your firewall while running the test.

3CX Firewall Checker Tests

The 3CX Firewall Checker will check for connectivity by making requests to the STUN servers.

Internet Reachability Test

This test checks basic internet connectivity and if the STUN server is reachable.

Failure on this test:

  • Confirm your connection to the internet through a web browser
  • Check configuration of firewall – does it allow connections to the internet on the port being checked? View ports used by 3CX here.
  • Is your firewall configured to allow connections to the port being checked on both TCP an UDP?
  • Confirm correct STUN server in STUN server settings: “Settings” > “Network” > “Public IP”, or choose a different STUN server to test.
  • Ensure Windows Firewall is allowing connections on ports being checked.
  • Ports may be blocked by your ISP.

Inbound Connection Test

This test checks if a server on the internet can connect and communicate with 3CX on the port being checked. It is used to determine if one-to-one port forwarding is configured (which is required by the 3CX PBX).

If one test succeeds, but two fail:

  • Ensure your firewall/ router has static, one-to-one port forwarding configured.
  • Some ports require static port mapping for both TCP and UDP. Check 3CX ports for more information regarding this.

Results & Error Messages

“Success – Port forwarding is correctly implemented for this port. VoIP can work. This configuration is supported.”

All tests have completed and your current configuration is supported.

“STUN server has no second address.”

Your STUN server is configured incorrectly, and you will need to use another STUN server to run these tests.

“Failed – No response received or port mapping is closed. Port forwarding not configured correctly. “

Port Forwarding is not configured correctly for the port being checked. In this case VoIP Providers and Remote extensions WILL NOT WORK. Log in to your router / firewall and configure port forwarding by entering the ports required by 3CX and forwarding them to the IP Address of the 3CX Phone System machine.

 

“Failed – Firewall check failed. Some errors were detected. Please check your firewall configuration and try the test again.”

This message is displayed if some ports pass and others don’t, and will require further investigation as to which ports failed.

Ensure your firewall/ router is not forwarding connections to another IP address – all ports must be forwarded to the IP address of the 3CX phone system.

“Failed – Malformed response received – (aka Symmetric NAT). Port forwarding not correctly implemented.”

This message indicates that you do not have a one-to-one NAT required for VoIP providers, Bridges and external extensions to work.

“STUN server did not answer or port forwarding is not configured on your firewall.”

Possible reasons for this message:

  • STUN server is not reachable
  • STUN server is down
  • Port forwarding is not correctly configured.

“STUN server address cannot be resolved.”

The reason for this message could be a DNS issue, or the STUN server is no longer working.

“Failed – Malformed or no response received from configured STUN servers. Check your internet connection, DNS settings, or change STUN servers from Settings → Network → External IP Configuration section.”

Your firewall may be blocking packets, ensure port forwarding has been correctly configured.

“Failed – Port is in use by another application on this computer.” -OR- “SIP port is in use by process {0}. The 3CX Firewall checker requires the SIP port to be free.”

This message displays if the port being checked is currently in use.

To find out which process is using the port, type the following into command prompt (with “0000” replaced with the port number you need to check):

netstat -ano | findstr /I /C:”PID” /C:”:0000″

This command will give you a Process ID (PID), which can be used to identify the process by running the following command in command prompt (Replace “0” with the PID:

tasklist /fi “pid eq 0”

“STUN servers are not reachable. Cannot perform Firewall check. This configuration is not supported”

This message is generally caused by an internet connectivity problem.

  1. Login to 3CX Management Console
  2. Navigate to “Settings” > “Network” > “External IP Configuration”
  3. Change the STUN servers to one of the following:
    • stun.3cx.com
    • stun2.3cx.com
    • stun3.3cx.com
    • stun4.3cx.com