Can't Connect Cisco SPA504G using PJSIP TLS

1

Hi there,

I’m hoping for a bit of help as I’m struggling to get a Cisco SPA504G to connect to FreePBX 14 using PJSIP TLS and SRTP. The extension wont register at all and I don’t see anything in Asterisk’s console.

  • The PBX has a FQDN and a certificate from Go-Daddy.
  • The certificate has been installed correctly within FreePBX.
  • I get no certificate errors when browsing the HTTPS FreePBX web page.
  • I have updated the Firmware of the Cisco SPA504G to 7.6.2 which I believe is the latest version.

In Asterisk SIP Settings > Chan PJSIP:

  • I have selected the correct certificate
  • SSL Method is set to Default
  • Verify Client is set to Yes
  • Verify Server is set to Yes
  • tls 0.0.0.0 is set to Yes
  • Changed the port to listen on a non-standard port

In the Extension Settings > Advanced Tab:

  • Set the transport to tls
  • Set Media Encryption to SRTP via in-SDP (recommended)
  • Set Allow Non-Encrypted Media to No

I believe FreePBX, the Extension and Firewall etc settings are OK as I am able to successfully connect using Bria with TLS and make/receive encrypted calls. I just can’t get the Cisco SPA504G phone to play ball.

Screenshots from the SPA504G are below:

image
image890×620 46.8 KB

image
image888×633 47.9 KB

image
image882×386 25.6 KB

If I change the SIP Transport back to TCP and port then the phone is able to connect (although I need to enable Allow Non-Encrypted Media)

2

My first thought as I was reading this was “this only works over TCP”. I don’t remember why, but IIRC, you are going to end up using TCP for this.

3

I’ve tried changing SIP Transport to TCP, keeping the 5xxxx TLS port however the extension still fails to register.

Any other ideas?

Thanks,
Fraser

4

I did a quick search for SPA504 and TLS and came up with a couple of articles. Searching for TLS should give you some more insight. I’m pretty sure this topic has come up before.

5

I did search the forums but I couldn’t find anything.

I may have this working however with the following settings on the Cisco SPA504G:

The extension registers and I am able to make/receive calls. When the call connects, I hear 3 bleeps.

image
image733×437 9.66 KB

Is there any way I can check in the Asterisk Console that the call and media are encrypted? I’m not very familiar with Wireshark.

[root@PBX1 /]# asterisk -vvvvvvvvvvr
Asterisk 13.22.0, Copyright (C) 1999 - 2014, Digium, Inc. and others.
Created by Mark Spencer [email protected]
Asterisk comes with ABSOLUTELY NO WARRANTY; type ‘core show warranty’ for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type ‘core show license’ for details.
=========================================================================
Connected to Asterisk 13.22.0 currently running on PBX1 (pid = 16876)
PBX1CLI>
PBX1CLI>
PBX1*CLI>
== Setting global variable ‘SIPDOMAIN’ to ‘pbx.xxxxxxxxxxxx.com
== Using SIP RTP Audio TOS bits 184
== Using SIP RTP Audio TOS bits 184 in TCLASS field.
== Using SIP RTP Audio CoS mark 5
– Executing [0782xxxxxxx@from-internal:1] Macro(“PJSIP/1203-00000882”, “user-callerid,LIMIT,EXTERNAL,”) in new stack
– Executing [s@macro-user-callerid:1] Set(“PJSIP/1203-00000882”, “TOUCH_MONITOR=1553877727.13473”) in new stack
– Executing [s@macro-user-callerid:2] Set(“PJSIP/1203-00000882”, “AMPUSER=1203”) in new stack
– Executing [s@macro-user-callerid:3] GotoIf(“PJSIP/1203-00000882”, “0?report”) in new stack
– Executing [s@macro-user-callerid:4] ExecIf(“PJSIP/1203-00000882”, “1?Set(REALCALLERIDNUM=1203)”) in new stack
– Executing [s@macro-user-callerid:5] Set(“PJSIP/1203-00000882”, “AMPUSER=1203”) in new stack
– Executing [s@macro-user-callerid:6] GotoIf(“PJSIP/1203-00000882”, “0?limit”) in new stack
– Executing [s@macro-user-callerid:7] Set(“PJSIP/1203-00000882”, “AMPUSERCIDNAME=Fraser Test”) in new stack
– Executing [s@macro-user-callerid:8] ExecIf(“PJSIP/1203-00000882”, “0?Set(__CIDMASQUERADING=TRUE)”) in new stack
– Executing [s@macro-user-callerid:9] GotoIf(“PJSIP/1203-00000882”, “0?report”) in new stack
– Executing [s@macro-user-callerid:10] Set(“PJSIP/1203-00000882”, “AMPUSERCID=1203”) in new stack
– Executing [s@macro-user-callerid:11] Set(“PJSIP/1203-00000882”, “__DIAL_OPTIONS=HhTtr”) in new stack
– Executing [s@macro-user-callerid:12] Set(“PJSIP/1203-00000882”, “CALLERID(all)=“Fraser Test” <1203>”) in new stack
– Executing [s@macro-user-callerid:13] GotoIf(“PJSIP/1203-00000882”, “0?limit”) in new stack
– Executing [s@macro-user-callerid:14] ExecIf(“PJSIP/1203-00000882”, “1?Set(GROUP(concurrency_limit)=1203)”) in new stack
– Executing [s@macro-user-callerid:15] ExecIf(“PJSIP/1203-00000882”, “0?Set(CHANNEL(language)=)”) in new stack
– Executing [s@macro-user-callerid:16] NoOp(“PJSIP/1203-00000882”, “Macro Depth is 1”) in new stack
– Executing [s@macro-user-callerid:17] GotoIf(“PJSIP/1203-00000882”, “1?report2:macroerror”) in new stack
– Goto (macro-user-callerid,s,18)
– Executing [s@macro-user-callerid:18] GotoIf(“PJSIP/1203-00000882”, “1?continue”) in new stack
– Goto (macro-user-callerid,s,37)
– Executing [s@macro-user-callerid:37] Set(“PJSIP/1203-00000882”, “CALLERID(number)=1203”) in new stack
– Executing [s@macro-user-callerid:38] Set(“PJSIP/1203-00000882”, “CALLERID(name)=Fraser Test”) in new stack
– Executing [s@macro-user-callerid:39] GotoIf(“PJSIP/1203-00000882”, “0?cnum”) in new stack
– Executing [s@macro-user-callerid:40] Set(“PJSIP/1203-00000882”, “CDR(cnam)=Fraser Test”) in new stack
– Executing [s@macro-user-callerid:41] Set(“PJSIP/1203-00000882”, “CDR(cnum)=1203”) in new stack
– Executing [s@macro-user-callerid:42] Set(“PJSIP/1203-00000882”, “CHANNEL(language)=en”) in new stack
– Executing [0782xxxxxxx@from-internal:2] Gosub(“PJSIP/1203-00000882”, “sub-record-check,s,1(out,0782xxxxxxx,dontcare)”) in new stack
– Executing [s@sub-record-check:1] GotoIf(“PJSIP/1203-00000882”, “0?initialized”) in new stack
– Executing [s@sub-record-check:2] Set(“PJSIP/1203-00000882”, “__REC_STATUS=INITIALIZED”) in new stack
– Executing [s@sub-record-check:3] Set(“PJSIP/1203-00000882”, “NOW=1553877727”) in new stack
– Executing [s@sub-record-check:4] Set(“PJSIP/1203-00000882”, “__DAY=29”) in new stack
– Executing [s@sub-record-check:5] Set(“PJSIP/1203-00000882”, “__MONTH=03”) in new stack
– Executing [s@sub-record-check:6] Set(“PJSIP/1203-00000882”, “__YEAR=2019”) in new stack
– Executing [s@sub-record-check:7] Set(“PJSIP/1203-00000882”, “__TIMESTR=20190329-164207”) in new stack
– Executing [s@sub-record-check:8] Set(“PJSIP/1203-00000882”, “__FROMEXTEN=1203”) in new stack
– Executing [s@sub-record-check:9] Set(“PJSIP/1203-00000882”, “__MON_FMT=wav”) in new stack
– Executing [s@sub-record-check:10] NoOp(“PJSIP/1203-00000882”, “Recordings initialized”) in new stack
– Executing [s@sub-record-check:11] ExecIf(“PJSIP/1203-00000882”, “0?Set(ARG3=dontcare)”) in new stack
– Executing [s@sub-record-check:12] Set(“PJSIP/1203-00000882”, “REC_POLICY_MODE_SAVE=”) in new stack
– Executing [s@sub-record-check:13] ExecIf(“PJSIP/1203-00000882”, “0?Set(REC_STATUS=NO)”) in new stack
– Executing [s@sub-record-check:14] GotoIf(“PJSIP/1203-00000882”, “3?checkaction”) in new stack
– Goto (sub-record-check,s,17)
– Executing [s@sub-record-check:17] GotoIf(“PJSIP/1203-00000882”, “1?sub-record-check,out,1”) in new stack
– Goto (sub-record-check,out,1)
– Executing [out@sub-record-check:1] NoOp(“PJSIP/1203-00000882”, “Outbound Recording Check from 1203 to 0782xxxxxxx”) in new stack
– Executing [out@sub-record-check:2] Set(“PJSIP/1203-00000882”, “RECMODE=force”) in new stack
– Executing [out@sub-record-check:3] ExecIf(“PJSIP/1203-00000882”, “0?Goto(routewins)”) in new stack
– Executing [out@sub-record-check:4] ExecIf(“PJSIP/1203-00000882”, “0?Goto(routewins)”) in new stack
– Executing [out@sub-record-check:5] Gosub(“PJSIP/1203-00000882”, “recordcheck,1(force,out,0782xxxxxxx)”) in new stack
– Executing [recordcheck@sub-record-check:1] NoOp(“PJSIP/1203-00000882”, “Starting recording check against force”) in new stack
– Executing [recordcheck@sub-record-check:2] Goto(“PJSIP/1203-00000882”, “force”) in new stack
– Goto (sub-record-check,recordcheck,5)
– Executing [recordcheck@sub-record-check:5] Set(“PJSIP/1203-00000882”, “__REC_POLICY_MODE=FORCE”) in new stack
– Executing [recordcheck@sub-record-check:6] GotoIf(“PJSIP/1203-00000882”, “1?startrec”) in new stack
– Goto (sub-record-check,recordcheck,16)
– Executing [recordcheck@sub-record-check:16] NoOp(“PJSIP/1203-00000882”, “Starting recording: out, 0782xxxxxxx”) in new stack
– Executing [recordcheck@sub-record-check:17] Set(“PJSIP/1203-00000882”, “__CALLFILENAME=out-0782xxxxxxx-1203-20190329-164207-1553877727.13473”) in new stack
– Executing [recordcheck@sub-record-check:18] MixMonitor(“PJSIP/1203-00000882”, “2019/03/29/out-0782xxxxxxx-1203-20190329-164207-1553877727.13473.wav,abi(LOCAL_MIXMON_ID),”) in new stack
– Executing [recordcheck@sub-record-check:19] Set(“PJSIP/1203-00000882”, “__MIXMON_ID=0x7efecc002140”) in new stack
== Begin MixMonitor Recording PJSIP/1203-00000882
– Executing [recordcheck@sub-record-check:20] Set(“PJSIP/1203-00000882”, “__RECORD_ID=PJSIP/1203-00000882”) in new stack
– Executing [recordcheck@sub-record-check:21] Set(“PJSIP/1203-00000882”, “__REC_STATUS=RECORDING”) in new stack
– Executing [recordcheck@sub-record-check:22] Set(“PJSIP/1203-00000882”, “CDR(recordingfile)=out-0782xxxxxxx-1203-20190329-164207-1553877727.13473.wav”) in new stack
– Executing [recordcheck@sub-record-check:23] Return(“PJSIP/1203-00000882”, “”) in new stack
– Executing [out@sub-record-check:6] Return(“PJSIP/1203-00000882”, “”) in new stack
– Executing [0782xxxxxxx@from-internal:3] ExecIf(“PJSIP/1203-00000882”, “0 ?Set(CDR(accountcode)=)”) in new stack
– Executing [0782xxxxxxx@from-internal:4] Set(“PJSIP/1203-00000882”, “MOHCLASS=default”) in new stack
– Executing [0782xxxxxxx@from-internal:5] Set(“PJSIP/1203-00000882”, “_NODEST=”) in new stack
– Executing [0782xxxxxxx@from-internal:6] Macro(“PJSIP/1203-00000882”, “dialout-trunk,1,0782xxxxxxx,off”) in new stack
– Executing [s@macro-dialout-trunk:1] Set(“PJSIP/1203-00000882”, “DIAL_TRUNK=1”) in new stack
– Executing [s@macro-dialout-trunk:2] ExecIf(“PJSIP/1203-00000882”, “0?Set(DIAL_OPTIONS=Hhtr)”) in new stack
– Executing [s@macro-dialout-trunk:3] GosubIf(“PJSIP/1203-00000882”, “0?sub-pincheck,s,1()”) in new stack
– Executing [s@macro-dialout-trunk:4] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERID(num)=1203)”) in new stack
– Executing [s@macro-dialout-trunk:5] GotoIf(“PJSIP/1203-00000882”, “0?disabletrunk,1”) in new stack
– Executing [s@macro-dialout-trunk:6] Set(“PJSIP/1203-00000882”, “DIAL_NUMBER=0782xxxxxxx”) in new stack
– Executing [s@macro-dialout-trunk:7] Set(“PJSIP/1203-00000882”, “DIAL_TRUNK_OPTIONS=HhTtr”) in new stack
– Executing [s@macro-dialout-trunk:8] Set(“PJSIP/1203-00000882”, “OUTBOUND_GROUP=OUT_1”) in new stack
– Executing [s@macro-dialout-trunk:9] Set(“PJSIP/1203-00000882”, “DIAL_TRUNK_OPTIONS=T”) in new stack
– Executing [s@macro-dialout-trunk:10] GotoIf(“PJSIP/1203-00000882”, “1?nomax”) in new stack
– Goto (macro-dialout-trunk,s,12)
– Executing [s@macro-dialout-trunk:12] GotoIf(“PJSIP/1203-00000882”, “0?skipoutcid”) in new stack
– Executing [s@macro-dialout-trunk:13] Macro(“PJSIP/1203-00000882”, “outbound-callerid,1”) in new stack
– Executing [s@macro-outbound-callerid:1] NoOp(“PJSIP/1203-00000882”, “1203”) in new stack
– Executing [s@macro-outbound-callerid:2] NoOp(“PJSIP/1203-00000882”, “”) in new stack
– Executing [s@macro-outbound-callerid:3] NoOp(“PJSIP/1203-00000882”, “off”) in new stack
– Executing [s@macro-outbound-callerid:4] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERPRES(name-pres)=)”) in new stack
– Executing [s@macro-outbound-callerid:5] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERPRES(num-pres)=)”) in new stack
– Executing [s@macro-outbound-callerid:6] ExecIf(“PJSIP/1203-00000882”, “0?Set(REALCALLERIDNUM=1203)”) in new stack
– Executing [s@macro-outbound-callerid:7] ExecIf(“PJSIP/1203-00000882”, “0?Set(AMPUSER=1203)”) in new stack
– Executing [s@macro-outbound-callerid:8] GotoIf(“PJSIP/1203-00000882”, “1?normcid”) in new stack
– Goto (macro-outbound-callerid,s,12)
– Executing [s@macro-outbound-callerid:12] Set(“PJSIP/1203-00000882”, “USEROUTCID=“0141xxxxxxx””) in new stack
– Executing [s@macro-outbound-callerid:13] Set(“PJSIP/1203-00000882”, “EMERGENCYCID=”) in new stack
– Executing [s@macro-outbound-callerid:14] Set(“PJSIP/1203-00000882”, “TRUNKOUTCID=”) in new stack
– Executing [s@macro-outbound-callerid:15] GotoIf(“PJSIP/1203-00000882”, “1?trunkcid”) in new stack
– Goto (macro-outbound-callerid,s,20)
– Executing [s@macro-outbound-callerid:20] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERID(all)=)”) in new stack
– Executing [s@macro-outbound-callerid:21] ExecIf(“PJSIP/1203-00000882”, “1?Set(CALLERID(all)=“0141xxxxxxx”)”) in new stack
– Executing [s@macro-outbound-callerid:22] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERID(all)=)”) in new stack
– Executing [s@macro-outbound-callerid:23] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERPRES(name-pres)=prohib_passed_screen)”) in new stack
– Executing [s@macro-outbound-callerid:24] ExecIf(“PJSIP/1203-00000882”, “0?Set(CALLERPRES(num-pres)=prohib_passed_screen)”) in new stack
– Executing [s@macro-outbound-callerid:25] Set(“PJSIP/1203-00000882”, “CDR(outbound_cnum)=”) in new stack
– Executing [s@macro-outbound-callerid:26] Set(“PJSIP/1203-00000882”, “CDR(outbound_cnam)=0141xxxxxxx”) in new stack
– Executing [s@macro-dialout-trunk:14] GosubIf(“PJSIP/1203-00000882”, “0?sub-flp-1,s,1()”) in new stack
– Executing [s@macro-dialout-trunk:15] Set(“PJSIP/1203-00000882”, “OUTNUM=0782xxxxxxx”) in new stack
– Executing [s@macro-dialout-trunk:16] Set(“PJSIP/1203-00000882”, “custom=SIP/SipTrunk”) in new stack
– Executing [s@macro-dialout-trunk:17] ExecIf(“PJSIP/1203-00000882”, “0?Set(DIAL_TRUNK_OPTIONS=M(setmusic^default)T)”) in new stack
– Executing [s@macro-dialout-trunk:18] ExecIf(“PJSIP/1203-00000882”, “0?Set(DIAL_TRUNK_OPTIONS=TM(confirm))”) in new stack
– Executing [s@macro-dialout-trunk:19] Macro(“PJSIP/1203-00000882”, “dialout-trunk-predial-hook,”) in new stack
– Executing [s@macro-dialout-trunk-predial-hook:1] MacroExit(“PJSIP/1203-00000882”, “”) in new stack
– Executing [s@macro-dialout-trunk:20] GotoIf(“PJSIP/1203-00000882”, “0?bypass,1”) in new stack
– Executing [s@macro-dialout-trunk:21] ExecIf(“PJSIP/1203-00000882”, “1?Set(CONNECTEDLINE(num,i)=0782xxxxxxx)”) in new stack
– Executing [s@macro-dialout-trunk:22] GotoIf(“PJSIP/1203-00000882”, “0?customtrunk”) in new stack
– Executing [s@macro-dialout-trunk:23] Dial(“PJSIP/1203-00000882”, “SIP/SipTrunk/0782xxxxxxx,300,Tb(func-apply-sipheaders^s^1,(1))”) in new stack
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
– SIP/SipTrunk-000003de Internal Gosub(func-apply-sipheaders,s,1(1)) start
– Executing [s@func-apply-sipheaders:1] NoOp(“SIP/SipTrunk-000003de”, “Applying SIP Headers to channel SIP/SipTrunk-000003de”) in new stack
– Executing [s@func-apply-sipheaders:2] Set(“SIP/SipTrunk-000003de”, “TECH=SIP”) in new stack
– Executing [s@func-apply-sipheaders:3] Set(“SIP/SipTrunk-000003de”, “SIPHEADERKEYS=”) in new stack
– Executing [s@func-apply-sipheaders:4] While(“SIP/SipTrunk-000003de”, “0”) in new stack
– Jumping to priority 11
– Executing [s@func-apply-sipheaders:12] Return(“SIP/SipTrunk-000003de”, “”) in new stack
== Spawn extension (from-trunk-sip-SipTrunk, 0782xxxxxxx, 1) exited non-zero on ‘SIP/SipTrunk-000003de’
– SIP/SipTrunk-000003de Internal Gosub(func-apply-sipheaders,s,1(1)) complete GOSUB_RETVAL=
– Called SIP/SipTrunk/0782xxxxxxx
0x7efecc033ee0 – Strict RTP learning after remote address set to: 185.x.x.x:14876
– SIP/SipTrunk-000003de is making progress passing it to PJSIP/1203-00000882
0x7eff200afea0 – Strict RTP learning after remote address set to: 192.168.x.x:16458
0x7eff200afea0 – Strict RTP qualifying stream type: audio
0x7eff200afea0 – Strict RTP switching source address to 84.xx.xx.xx:36842
0x7efecc033ee0 – Strict RTP switching to RTP target address 185.x.x.x:14876 as source
0x7eff200afea0 – Strict RTP learning complete - Locking on source address 84.xx.xx.xx:36842
0x7efecc033ee0 – Strict RTP learning complete - Locking on source address 185.x.x.x:14876
– SIP/SipTrunk-000003de answered PJSIP/1203-00000882
– Channel SIP/SipTrunk-000003de joined ‘simple_bridge’ basic-bridge
– Channel PJSIP/1203-00000882 joined ‘simple_bridge’ basic-bridge
– Channel PJSIP/1203-00000882 left ‘simple_bridge’ basic-bridge
– Channel SIP/SipTrunk-000003de left ‘simple_bridge’ basic-bridge
== Spawn extension (macro-dialout-trunk, s, 23) exited non-zero on ‘PJSIP/1203-00000882’ in macro ‘dialout-trunk’
== Spawn extension (from-internal, 0782xxxxxxx, 6) exited non-zero on ‘PJSIP/1203-00000882’
– Executing [h@from-internal:1] Macro(“PJSIP/1203-00000882”, “hangupcall”) in new stack
– Executing [s@macro-hangupcall:1] GotoIf(“PJSIP/1203-00000882”, “1?theend”) in new stack
– Goto (macro-hangupcall,s,3)
– Executing [s@macro-hangupcall:3] ExecIf(“PJSIP/1203-00000882”, “0?Set(CDR(recordingfile)=)”) in new stack
– Executing [s@macro-hangupcall:4] NoOp(“PJSIP/1203-00000882”, “SIP/SipTrunk-000003de monior file= /var/spool/asterisk/monitor/2019/03/29/out-0782xxxxxxx-1203-20190329-164207-1553877727.13473.wav”) in new stack
– Executing [s@macro-hangupcall:5] AGI(“PJSIP/1203-00000882”, “attendedtransfer-rec-restart.php,SIP/SipTrunk-000003de,/var/spool/asterisk/monitor/2019/03/29/out-0782xxxxxxx-1203-20190329-164207-1553877727.13473.wav”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/attendedtransfer-rec-restart.php
– <PJSIP/1203-00000882>AGI Script attendedtransfer-rec-restart.php completed, returning 0
– Executing [s@macro-hangupcall:6] Hangup(“PJSIP/1203-00000882”, “”) in new stack
== Spawn extension (macro-hangupcall, s, 6) exited non-zero on ‘PJSIP/1203-00000882’ in macro ‘hangupcall’
== Spawn extension (from-internal, h, 1) exited non-zero on ‘PJSIP/1203-00000882’
== MixMonitor close filestream (mixed)
== End MixMonitor Recording PJSIP/1203-00000882

Thanks,
Fraser

6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.