Differences in NAT between chan_sip and pjsip?

PJSIP is causing me a real headache…
Are there any differences in packet markup?

Assume this setup:
Firewall with 3 Interfaces:

  • eth0: Internet ( 1.2.3.0/24 subnet)
  • eth2: Servernet
  • eth3: Officenet (192.168.0.0/24)
  • br0 Bridge between eth0 and eth2 (so the servernet is the public /24 subnet).
  • SNAT of 192.168.0.0/24 to 1.2.3.6
  • FreePBX on 1.2.3.110
  • Phone1 with two extensions (31: pjsip 32: chan_sip) connected from Officenet to FreePBX. Use of Stun-Server, so Asterisk shows the correct IP (1.2.3.6).

I call with a Softclient from Outside (Handy without NAT or something) both extensions. chan_sip is working, pjsip is not. The call reaches FreePBX bot not the phone. Regardless if I use chan_sip or pjsip on the phone.

I investigated with tcpdump. In both cases the INVITE packet reaches the interface eth2 with Dest-IP 1.2.3.6 and Port 3072. SNAT is resolved and both packets are visible on br0 with the correct internal IP 192.168.0.168.
But then and I have no clue why, the chan_sip packet is routed to eth3 and the pjsip packet is not. There are no differences in firewalling. 5060 and 5061 is allowed, both packets are neither rejected nor dropped. But one reaches eth3 and the other does not. So PJSIP keeps sending INVITEs without reaching the phone.

Conntrack seems right, too.

[email protected]:~# grep 3072 /proc/net/ip_conntrack
udp      17 143 src=192.168.0.168 dst=1.2.3.110 sport=3072 dport=5061 src=1.2.3.110 dst=1.2.3.6 sport=5061 dport=3072 [ASSURED] mark=0 use=2
udp      17 3584 src=192.168.0.168 dst=1.2.3.110 sport=3072 dport=5060 src=1.2.3.110 dst=1.2.3.6 sport=5060 dport=3072 [ASSURED] mark=0 use=2

Edit: It does not matter which device I use as phone. Tried a Snom phone, a grandstream phone and CSipSimple on Android. Always the same: SIP works, PJSIP does not. Without NAT PJSIP does also work.
Probably it is related to the bridge setup. Tried no other NAT but think it will work on a simple NAT.
I does not matter if SIP and PJSIP are registered at one time, it is the same if only one device with PJSIP is registered.

I would take this issue to the asterisk guys and open a bug report.

I don´t think this is a bug in Asterisk or FreePBX, must be something at my side. My firewall routes this packet wrong and I don´t know why.
Just did a test with another (simple) NAT and it works without problems.

Of course this problem is not really related to FreePBX but I thought perhaps someone has any idea where to have a look on.

Might be stupid, but i wondered if you had opened 4000+ ports for PJSIP RTP media? I mean port range starting from 4000 and above?

Problem is that even the first SIP INVITE packet does not reach the phone. There is no RTP established at this time. But the Registration packets go the same way and there is no problem. Very mysterious.
But no, it is a test server and there were not more than two calls.

I guess this is routing related problem, not pjsip. I’ve tested double NAT’ed devices. Works well.
Could tcp 5060 port be telneted from office network?

It seems reverting SNAT doesn’t work correctly. We can reach asterisk from network behind NAT but stub otherwise… I’ve never seen this kind of problem before.

No, tcp is not routed but all the packets are udp, so it should be no problem. I thought SNAT-Reversion must be the problem, too. But I see the correct reverted IP on the brdige interface.

It becomes stranger and stranger. It seems as only Port 5060 PJSIP is a problem. I exchanged to PJSIP 5061 and SIP 5060. Both working. BOTH. Reverted -> PJSIP no longer working.
Moved PJSIP to 5000. Working…

I will recheck my firewall and reboot it, but I can´t explain this behaviour. 5060 as chan_sip is working. Double-rechecked.

Edit: As expected: Reboot did not change anything and there is nothing strange in iptables rules:

[email protected]:~# iptables -t nat -nL | grep -E '506[0-9]'
[email protected]:~# iptables -t mangle -nL | grep -E '506[0-9]'
[email protected]:~# iptables -nL | grep -E '506[0-9]'
LOG        udp  --  0.0.0.0/0            1.2.3.110        udp dpts:5060:5061 LOG flags 0 level 6 prefix "fwbuilder: voip: "
LOG        udp  --  1.2.3.110        0.0.0.0/0            udp dpts:5060:5061 LOG flags 0 level 6 prefix "fwbuilder: voip: "
ACCEPT     udp  --  0.0.0.0/0            1.2.3.110        udp dpts:5060:5061 state NEW

Put PJSIP back on 5060 and restart asterisk and test.

As claimed in the SIP Setting Dialog I always restarted asterisk if I changed something on transport section (ports)

Edit: And I already reverted to 5060. This is really weird. I will give it a try to disable chan_sip.
Edit 2: Does not work either with pjsip on 5060 and chan_sip unloaded

Edit 3: I opened an issue at asterisk.org but I suspect they will immediately close it again :smiley:
https://issues.asterisk.org/jira/browse/ASTERISK-24149
It is really difficult to explain and to reproduce so I don´t think there will be much acitivity.
If someone has a good idea what I could check. please fell free to post

I wondered if any changes have happened?