408 Error with Softphone from External network

I can connect to my FreePBX server fine within my internal network, but not when I connect using my external IP address.

The softphone errors out with a 408 timeout error almost instantly.

I’m running behind pfsense and have the ports opened up which don’t seem to help with this issue.

This is the second server that I have the issue with. Another server hosted in Digital Ocean started doing the exact same thing recently. I don’t have internal access but from my home IP or mobile IP, it won’t register and gets the same timeout. In talking with Digital Ocean, ports are not blocked by them.

Does anyone have any ideas at this point?

Home FreePBX version is: Running Asterisk 11.7.0 (fresh install tonight)

Remote FreePBX version is: Running Asterisk 11.7.0 as well.

Did you try typing pfsense in the search box at the top of the page?

I did and didn’t see anything that applied in all honesty though.

I don’t think it is pfsense though for the following reasons as I sort of outlined in my first post:

  1. Server outside of my home FreePBX does the exact same thing.
  2. To check if my firewall (PFsense) was the issue, I hopped off the home network, onto my mobile network and tested with same results.
  3. I have also tried on several other internet services via hotspots one of which I manage and run at my job as an IT Tech so I know it isn’t filtered.

I’m pretty sure it’s the pfsense box, read all the threads that that search returns.

(but in any case it is a problem in your routers not NATing properly and sustainably, not FreePBX/Asterisk per se, there is more to read in the wiki here)

I’m sorry, but how can this be an issue with my routers not NAT’ing properly when Digital Ocean (hosting company) confirms they don’t filter any traffic and I attempt connections via my MOBILE network which is 4G LTE, and my work network is unfiltered as well as I had mentioned. If It was isolated to my pfsense box, I would be able to connect to my Digital Ocean hosted server via my mobile network at least.

I’m willing to accept that the home system may be messed up due to the pfsense box, even though ports are proper and the canyouseeme.org site confirms it sees the open port to my home server.

FWIW - about 1 week or so ago, things stopped working the external server so I am not sure if maybe an update went bad. This is why I installed the distro on my spare PC to test it and sure enough, same problem. I know others aren’t having this same issue, but you do see enough of a sprinkling on the net with similar 408 errors and asterisk itself.

To double check NAT on the external server which like I said up until a week or so worked with no changes other than rolled out updates, I did do an autodetect on the network first even though it was fine, and get the following error:

An Error occurred trying fetch network configuration and external IP address

Mind you, this is on an external front facing public network with a Static non shared IP on essentially a VPS. I’m not sure now if this would indicate some issue with the host in this case if FreePBX can’t autoconfigure the network IP under the SIP settings.

Anyone else have ideas based on what I have put in above?

A 408 is a timeout. Coming back instantly is bizarre as it should come back in the time the timeout is set for.

What you need to do on the FreePBX box is make sure that tcpdump is installed.

Go to the command line and run tcpdump -p 5060 The less you have active the better as you may get a ton of output. This will tell you if the packets are even hitting the FreePBX server.

Is there any chance that iptables and the intrusion detection of blocked ports.

Do a service fail2ban stop and a service iptables stop and see what happens.

FreePBX and Asterisk are network stack agnostic so you need to look beneath layer 4. If you don’t know what that means Google OSI Network Model.

After I stopped iptables and fail2ban, I was able to log in. Any ideas as to where I can edit that manually?

The /etc/sysconfig/iptables does not exist and from some quick Googling, looks like one has to be created to allow 5060 to be accessible from the outside world?

I don’t really want to turn off the iptables and fail2ban for security reasons.

By the way -

Your tcpdump command gives a syntax error. :slight_smile:

Also - seeing this now in the Asterisk console:

WARNING[1395]: chan_sip.c:3905 __sip_xmit: sip_xmit of 0xb5dfda18 (len 570) to returned -1: Operation not permitted

The .116 is my computer I am using. BUT…NOT SIGNED IN via any SIP clients on that PC or the Admin interface. Rebooting the server didn’t help.

Registration works fine on home PC, but not on Mobile Android using Zoiper and CSIPSimple. Same External IP as on the same network from home. Tried using my mobile network as well so not on my home network, same thing.

Geez, it’s ‘tcpdump port 5060’ but you figured that out anyway.

Do a ‘sip show settings’ from Asterisk and post the NAT/IP portion (redact some of the IP like the middle two octets but not all’

You must have a client trying to register that fail2ban is banning, check the log in /var/log/fail2ban.log

Here are my settings:

SIP address remapping: Enabled using externaddr
Externaddr: XXX.241.XXX.175:0
Externrefresh: 10
Localnet: XXX.241.XXX.0/

The fail2ban at the time I posted that message was turned off. I am still mystified by this as the Tcpdump shows my mobile device’s connect command just fine, but still timing out on the mobile side.

I appreciate everyone’s help in this. :wink:

I just did a clean/fresh install of this software to see if anything would change as the one I had was old and had been patched several times over the last few months with upgrades.

I followed this page verbatim for Centos 6.5 32-bit:


I am still having the same issue! No firewall rules yet to be set, no bans in place, and everything fresh and clean. Only thing I did was program an extension in so I could test it.

As per my first post, my host which is hosting this (Digital Ocean), is not blocking ports. And this will not work via Mobile network or home network so I know it isn’t my home firewall.

What does tcpdump show on the new system?

I am going to give up on this…

Work ISP was fine all of a sudden today. The Cellular connection is blocking SIP connections I am figuring out. I changed the port to 9095 as a test and it still doesn’t connect with the mobile network or at home. So, I will just put a Follow me in place to immediately connect callers to my cell phone for now until I can find a work around with my cell service where it is the most important to get calls on when I am mobile. Not so much at work and home.