External extension not working when used with TLS and SRTP

The setup works with a normal external extension. That means SIP is on port 5060 UDP and RTP is on 10000 to 20000. FreePBX is in the office. All the extensions in the office are working well. The extension at home using the Grandstream Wave phone app is working well too.

Now comes the problem. I set up another external extension, but this time the setup uses SIP on TLS port 5061 with SRTP enabled on the extension. I tried making an external call: the external phone rings and is answered, then after 30 seconds it gets cut. No audio is heard.

Going back to SIP on 5060 and normal RTP without encryption, it works fine.

PJSIP has been disabled

What setting am I missing?

More testing done. This time only SIP TLS was activated. RTP was left the same.
This is the error in the Asterisk logs. I went to the link but still do not understand what is wrong.
[2020-04-04 11:26:13] WARNING[2259] chan_sip.c: Retransmission timeout reached on transmission [email protected] for seqno 41 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 6401ms with no response
[2020-04-04 11:26:13] WARNING[2259] chan_sip.c: Hanging up call [email protected] - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).

This time TLS is active as well as SRTP.
I changed the setting of "Qualify" from yes to no.
Now it takes longer before getting cut, about 30 secs.
The good news is that both parties can hear each other.

I hope someone can help. I must be missing some setting.


Did you forward the external ports on your firewall to the server?
Did you set up the ports in the Integrated Firewall to allow people outside the trusted range to access the ports (specifically 5061)?


Yes. I have port forwarded the following ports to the IP address of the FreePBX 15 server:
5061 TCP and UDP
10000 to 20000 TCP and UDP

Temporarily the firewall has been deactivated for testing this.

Using grandstream wave app on android phone.
The extension is active. I can call an external mobile number.
The mobile phone rings. After answering the phone, there is no audio.

Next I tried the insecure way: port forwarded 5060 with no TLS and no SRTP.
The extension is active. I can call an external mobile number.
The mobile phone rings. I can hear audio. I continued the conversation for 60 secs to see if it gets cut off.
It does not get cut off.

I am guessing it is not the NAT. What else can I check?

When I read your reply, I am very happy to get a response. I do appreciate you taking the time. Thank you very much for helping.

It’s the NAT.

Turn on SIP debugging to see.

Until then, my guess is you have a SIP ALG on your firewall that is fixing the plain SIP but is not modifying the encrypted SIP (it cannot).

30 second timeout is probably a lost ACK request due to NAT settings misconfiguration or firewall block which you have already examined.

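The two chan_sip warnings quoted earlier in the thread (the "Retransmission timeout reached" pair followed by "Hanging up call ... no reply to our critical packet") are what the 30-second drop looks like in the log. The following is an added example, not code from the thread or from the Asterisk/FreePBX projects: a small parser that pulls those warnings out of a log, pairs each one with its "Packet timed out after Nms" line and its hang-up line, and states what the event implies. A "Critical Response" timing out is Asterisk's final response (normally the 200 OK to an INVITE) never being ACKed, which is a signalling-path problem (NAT, port forwarding, firewall, SIP ALG), not an RTP problem. The log text, Call-IDs, peer name and timestamps in SAMPLE_LOG are constructed for the example; the message formats follow the lines quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the chan_sip warnings quoted in the thread.
# Call-IDs, peer name and timestamps are made up; the message layouts are the real ones.
SAMPLE_LOG = """\
[2020-04-04 11:26:06] WARNING[2259] chan_sip.c: Retransmission timeout reached on transmission 5f3a9c1e@10.0.0.5 for seqno 41 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 6401ms with no response
[2020-04-04 11:26:06] WARNING[2259] chan_sip.c: Hanging up call 5f3a9c1e@10.0.0.5 - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).
[2020-04-04 11:27:40] NOTICE[2259] chan_sip.c: Peer '2001' is now Reachable. (12ms / 2000ms)
[2020-04-04 11:31:59] WARNING[2259] chan_sip.c: Retransmission timeout reached on transmission 77bd0c2a@10.0.0.5 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2020-04-04 11:31:59] WARNING[2259] chan_sip.c: Hanging up call 77bd0c2a@10.0.0.5 - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).
"""

# First line of the pair: which call, which CSeq, and whether it was a critical request/response.
RETRANS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\] chan_sip\.c: Retransmission timeout reached "
    r"on transmission (?P<callid>\S+) for seqno (?P<seqno>\d+) "
    r"\((?P<crit>Critical|Non-critical) (?P<dir>Request|Response)\)"
)
# Second line of the pair: how long Asterisk kept retransmitting before giving up.
TIMEOUT_RE = re.compile(r"^Packet timed out after (?P<ms>\d+)ms with no response")
# Follow-up line: the call was torn down because the critical packet was never answered.
HANGUP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\] chan_sip\.c: Hanging up call (?P<callid>\S+) - "
    r"no reply to our critical packet"
)


@dataclass
class RetransEvent:
    timestamp: str
    call_id: str
    seqno: int
    critical: bool
    is_response: bool
    timeout_ms: Optional[int] = None
    hung_up: bool = False

    @property
    def kind(self) -> str:
        crit = "Critical" if self.critical else "Non-critical"
        direction = "Response" if self.is_response else "Request"
        return f"{crit} {direction}"


def parse_retransmissions(log_text: str) -> List[RetransEvent]:
    """Collect retransmission timeouts, attaching the timeout value and hang-up flag to each."""
    events: List[RetransEvent] = []
    by_call: Dict[str, RetransEvent] = {}
    last: Optional[RetransEvent] = None
    for line in log_text.splitlines():
        m = RETRANS_RE.match(line)
        if m:
            ev = RetransEvent(m["ts"], m["callid"], int(m["seqno"]),
                              m["crit"] == "Critical", m["dir"] == "Response")
            events.append(ev)
            by_call[ev.call_id] = ev
            last = ev
            continue
        m = TIMEOUT_RE.match(line)
        if m and last is not None and last.timeout_ms is None:
            last.timeout_ms = int(m["ms"])  # belongs to the warning immediately above it
            continue
        m = HANGUP_RE.match(line)
        if m and m["callid"] in by_call:
            by_call[m["callid"]].hung_up = True
    return events


def diagnose(ev: RetransEvent) -> str:
    """State what a timed-out critical packet means for the signalling path."""
    if ev.is_response:
        # Our final response (e.g. 200 OK to INVITE) was never ACKed: either our packets
        # did not reach the peer or its ACK did not reach us. Check NAT, port forwarding
        # and any SIP ALG; an ALG cannot rewrite TLS-encrypted SIP.
        return "no ACK received for our final response: check NAT, port forwarding and SIP ALG on the signalling path"
    # Our own request (INVITE, BYE, OPTIONS qualify) went unanswered on the transport.
    return "no reply to our request: peer unreachable on the signalling transport"


def summarize(log_text: str):
    """(call_id, kind, timeout_ms, hung_up, diagnosis) for every retransmission timeout in the log."""
    return [(ev.call_id, ev.kind, ev.timeout_ms, ev.hung_up, diagnose(ev))
            for ev in parse_retransmissions(log_text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run it against `/var/log/asterisk/full` instead of the constructed sample to list every call that died this way; a run of "Critical Response" entries with the peer still shown as Reachable by qualify is the NAT/ALG pattern described in the reply above, since the OPTIONS exchange survives but the ACK for the INVITE does not.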

I will search the internet on how to activate the logs for sip debugging.

I checked my router and found some mistakes on my part.
I had set, for example, 6666 --> 5061 in port forwarding.
Somehow that does not work. Then I set 5061 --> 5061 and it works.

Next I tried setting the SIP TLS port on the SIP settings page in FreePBX to 6666 and changing the router back to 6666 --> 6666. But it does not work even after restarting the FreePBX server.

Please note the firewall is off.

So finally the router is set to 5061 --> 5061 and the FreePBX SIP TLS port is set to 5061.
Using the Grandstream Wave app, set to use TLS and encrypted RTP. So far it is working.

FYI. The router is pfsense running the latest version.

I will experiment more. Could some setting in pfSense be causing this problem? But that is another problem.

Once again thank you for replying. I do appreciate it.
