Tls: err: connection refused

FreePBX 12.0.65 with Asterisk 12.8.1 built by mockbuild @ jenkins2.schmoozecom.net on a i686 running Linux on 2015-01-28 23:38:07 UTC

Hey everyone,

I’m having trouble setting up TLS to work with my Polycom IP550 phones. I am really hoping that I’ve just accidentally missed something here, but I think it’s deeper than I dare to dive.

I have my extension configured like so:

[7728]
deny=0.0.0.0/0.0.0.0
disallow=all
secret=[REDACTED]
dtmfmode=rfc2833
canreinvite=yes
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=pai
type=peer
nat=no
port=5061
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
force_avp=no
icesupport=no
encryption=no
callgroup=
pickupgroup=
allow=g722
dial=SIP/7728
mailbox=7728@default
permit=0.0.0.0/0.0.0.0
callerid=Dispatch <7728>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic
dtlsenable=yes
dtlsverify=no
dtlscertfile=/etc/asterisk/keys/default.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
dtlsrekey=0

I have the following for sip_general_additional.conf:

cat sip_general_additional.conf
;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. ;
;--------------------------------------------------------------------------------;
; For information on adding additional paramaters to this file, please visit the ;
; FreePBX.org wiki page, or ask on IRC. This file was created by the new FreePBX ;
; BMO - Big Module Object. Any similarity in naming with BMO from Adventure Time ;
; is totally deliberate. ;
;--------------------------------------------------------------------------------;
accept_outofcall_message=yes
auth_message_requests=no
outofcall_message_context=dpma_message_context
faxdetect=no
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
useragent=FPBX-12.0.65(12.8.1)
disallow=all
allow=ulaw
allow=alaw
allow=g722
allow=gsm
allow=g726
tlsenable=yes
tlsbindaddr=10.0.0.10:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=no
callevents=yes
rtpstart=10000
rtpend=20000
jbenable=no
defaultexpiry=120
minexpiry=60
notifyringing=yes
allowguest=no
srvlookup=no
maxexpiry=3600
registerattempts=0
registertimeout=20
rtptimeout=30
g726nonstandard=no
videosupport=no
maxcallbitrate=384
canreinvite=no
rtpholdtimeout=300
rtpkeepalive=0
checkmwi=10
notifyhold=yes
nat=no
ALLOW_SIP_ANON=no
externip=[REDACTED]
localnet=10.0.0.0/24

Is there anything obvious that I’m missing there, or what can I do to resolve this? Everything works great when using standard chan_sip, but once I switch over to TLS, rebuild the configs and reboot the phone, I just get line unregistered.

In my phone log this is repeated over and over:

0530113753|sip |4|03|Registration failed User: 7728, Error Code:480 Temporarily not available
0530113917|sip |4|03|Registration failed User: 7728, Error Code:480 Temporarily not available

I tried using Blink, set up exactly as described in Asterisk: Secure Calling Tutorial.
Blink fails to register, and shows a “Connection Refused” error on every attempt.

Thanks in advance for any and all suggestions and help to get this going! Thank goodness for a great community!

Steve
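
An added example, not part of the original post and not FreePBX or Asterisk code: a small Python check that reads the TLS keys of a chan_sip [general] section, flags permissive values, and tests whether anything accepts TCP connections on tlsbindaddr, which is the condition a "Connection Refused" error reports. The sample text is constructed from the settings posted above, and the function names are hypothetical.

```python
import socket

# Constructed sample: TLS keys taken from the [general] settings posted above.
SAMPLE_GENERAL = """\
tlsenable=yes
tlsbindaddr=10.0.0.10:5061
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=no
"""

def parse_conf(text):
    """Parse key=value lines, dropping ';' comments; the last value for a key wins."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def audit_tls(conf):
    """Return a list of findings for the chan_sip TLS keys in conf."""
    findings = []
    if conf.get("tlsenable", "no").lower() != "yes":
        findings.append("tlsenable is not yes: chan_sip opens no TLS listener")
    if conf.get("tlscipher", "").upper() == "ALL":
        findings.append("tlscipher=ALL enables every OpenSSL suite except eNULL")
    if conf.get("tlsclientmethod", "").lower() in ("tlsv1", "sslv3", "sslv2"):
        findings.append("tlsclientmethod pins a deprecated protocol version")
    if conf.get("tlsdontverifyserver", "no").lower() == "yes":
        findings.append("tlsdontverifyserver=yes skips server certificate checks")
    return findings

def probe_tcp(bindaddr, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error: ...' for a host:port string."""
    host, _, port = bindaddr.rpartition(":")
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # the connection attempt was actively rejected
    except socket.timeout:
        return "timeout"  # no answer at all within the timeout
    except OSError as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_GENERAL)
    print(audit_tls(conf), probe_tcp(conf["tlsbindaddr"]))
```

A "refused" result when run on the PBX itself usually means no process is listening on that address and port, while "timeout" usually means packets are being dropped on the way.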