External Phone Connection Issue - FreePBX 17

We have a bit of an odd situation with our extensions. We have four pjsip extensions at the location where the phone server is located, and we have two remote pjsip extensions. The handsets are all vTech VSP726.

All six of the extensions will register with the PBX server (they show as “Registered” on the handsets and “Avail” / “Not in use” in the PBX server.

Calling a phone number using the trunk works just fine on the internal and external phones.

Using an internal phone to call the extension of an external phone goes straight to voicemail.

Using an external phone to call the extension of an internal phone will ring through, we can pick up, but there is no audio (incoming/outgoing on either handset).

Under Settings → Asterisk Sip Settings, our “External Address” is our fiber public facing IP address; and the “Local Networks” show 192.168.0.0/24 (all devices on the internal network are on 192.168.0.XXX).

The “Rewrite Contact” for each extension under the “Advanced” tab is marked “yes”.

The RTP ports under the SIP settings (ports 5060 and 10000-20000) are all configured in our router to forward to the internal IP address of the FreePBX server.

We have tried turning off and disabling the firewall and Fail2ban to get this to work, but we don’t see any changes.

Thus, we’re not sure what is going on, and don’t know how to get the external extensions working.

Any help would be greatly appreciated - we installed on Debian 12.6 using the standard installation instructions provided on FreePBX 17 (we had a similar issue with version 16 as well).

Your router isn’t properly handling incoming SIP

What I think is happening here is you have an external extension trying to call an internal extension so it’s sending an attempt to connect to extension@internalnumber through the connection you have port forwarded. All of that is working - but then along comes a UDP data stream from the phone to your router and the translation code in your router is very confused and it’s either sending it to the PBX when it’s supposed to be sending it to the phone or vis-versa

You said you have a fiber facing public IP. Are we talking some residential toy SOHO thing like a fios connection with a combined fiber mux/firewall/address translating/whatever router piece of junk supplied by the ISP, or is it a real Enterprise fiber connection terminating in an ISP-owned router that hands off to you a public IP or subnet via Ethernet? And then you have your own router doing the address translation?

We have an ATT business fiber line. The device supplied by the ISP forwards everything to our router (Asus RT-AC3100), including the IP, which our router picks up under the WAN IP field on the main page.

We rebooted the PBX server and one problem went away - the external phone calling the extension of the internal phone now works - we have audio.:person_shrugging:

Regarding the remaining problem, there seems to be some issue with the PBX server finding the external phones. Using an internal phone to dial the extension of an external phone still goes straight to voicemail.

Moreover, if we add the extension of an external phone to our incoming caller group, the external phone won’t ring (but the extensions having an internal phone ring just fine).

My gut says there’s some configuration within PBX that will rectify this issue - our old PBX system (which was supplied by another mfg) used to connect to the remote phones just fine.

I did a line-by-line comparison of the logs from a call from an internal extension to an external extension, and vice versa, and the log files are basically identical, except for the below (which may be of interest solving this problem):

*** Note - Extension 102 is external and Extension 106 is internal.

External to Internal - working
Executing [dstring@macro-dial-one:12] Set(“PJSIP/102-00000063”, “THISDIAL=PJSIP/106/sip:[email protected]:5060”) in new stack

Internal to External - not-working
Executing [dstring@macro-dial-one:12] Set(“PJSIP/106-0000006c”, “THISDIAL=PJSIP/102/sip:[email protected]:5060;x-ast-orig-host=192.168.0.236:0”) in new stack

Then the difference appears again a few lines later:

External to Internal - working
Executing [106@dialOne-with-exten:1] Dial(“PJSIP/102-00000063”, “PJSIP/106/sip:[email protected]:5060,15,HhTtrb(func-apply-sipheaders^s^1)”) in new stack

Internal to External - not-working
Executing [102@dialOne-with-exten:1] Dial(“PJSIP/106-0000006c”, “PJSIP/102/sip:[email protected]:5060;x-ast-orig-host=192.168.0.236:0,15,HhTtrb(func-apply-sipheaders^s^1)”) in new stack

Then we see at the end:

External to Internal - working
app_dial.c: PJSIP/106-00000064 is ringing
app_dial.c: PJSIP/106-00000064 answered PJSIP/102-00000063

Internal to External - not-working
app_dial.c: Called PJSIP/102/sip:[email protected]:5060;x-ast-orig-host=192.168.0.236:0
app_stack.c: PJSIP/102-0000006d Internal Gosub(app-missedcall-hangup,102,1) start

I tried the same thing with a different external extension (112) , and we got the following:

Executing [dstring@macro-dial-one:12] Set(“PJSIP/106-00000074”, “THISDIAL=PJSIP/112/sip:[email protected]:5060;x-ast-orig-host=192.168.1.229:0”) in new stack

It looks like the “x-ast-orig-host=” header is referencing the local IP address of the external phone. This external extension also goes straight to voicemail.

Not sure if this information means anything re determining the issue.

hard to know what xx.xx.xx.xx and yy.yy.yy.yy are :wink:

Sorry, the xx.xx.xx.xx and yy.yy.yy.yy are the public IP addresses for the remote phones. I just redacted them like others have done on the forum.

Please try:

For the remote extensions, set Direct Media to No and Max Contacts to 4.

In the remote VSP726 phones, set Expiration to 120, Enable STUN (unchecked), Enable STUN Keep-Alive (checked), Keep-Alive Interval to 30.

In both the remote routers and the AC3100, turn off any SIP ALG or SIP Passthrough function. This is for a different model but may be useful:

Please post the make/model of the remote routers.

If you still have trouble:

Look at the Asterisk log (/var/log/asterisk/full) when the system is idle and check whether there are entries for extensions 102 and 112 unreachable/reachable or contacts being added/removed. If so, post a relevant section of the log.

Otherwise, at the Asterisk command prompt, type
pjsip set logger on
make a failing internal to external call, paste the Asterisk log for the call at pastebin.com and post the link here.

@Stewart1 - thanks for the suggestions.

Actually, checking the box next to “Enable STUN” and adding a public Server Address from Google did the trick. I got there after installing Zoiper on my cell phone, which worked remotely out of the box, and then comparing the Zoiper settings to those on the remote desktop phone (the only difference that I could see offhand is that Zoiper had STUN enabled). Thank you.

I’m glad that you got it working, but IMO it’s worth a quick look to see if you can easily eliminate the requirement for STUN. While the Google STUN servers are damn reliable (using an anycast address, just like 8.8.8.8 for DNS), there is still a possibility that the DNS lookup of stun.l.google.com could fail, or a temporary routing issue could cause it to be unreachable. Also, the underlying issue would likely make the system incompatible with some trunking providers.

When a phone sends out a REGISTER request, the Via header tells the server where to send the reply and the Contact header says where to send incoming calls. Without STUN, these are the private address of the phone; STUN tells the phone its public IP and the phone puts it in both headers.

The Force rport option in Asterisk causes the response to be sent back to whatever address and port the request came from, and the Rewrite Contact option causes that address/port to be saved as the destination for incoming calls. Both of these are Yes by default, so the end result should be the same with or without STUN.

So why is STUN helping? My first guess would be a SIP ALG in the remote router, though a misconfiguration of phone or PBX, or a FreePBX bug, is also possible.

Take a look at the Asterisk log from before you enabled STUN (by default, FreePBX keeps a week’s worth). Does it show unreachable/reachable, or changing contacts?

It would be great to get it working without having to use STUN (calls to the external extensions take 2 maybe 3 rings to connect), which is unlike before.

FYI - the Force rport and Rewrite Contact settings are (and have been) both set to “Yes”.

The SIP ALG (“SIP Passthrough”) in both routers (where the PBX is set up and where the external phone is located) are both (and have been) “Disabled”.

Tonight I started the log file, which is attached here: 1[2024-08-24 00:00:02] Asterisk 21.4.1 built by jenkins @ 2d4a220bf72f on a x86_ - Pastebin.com

I had to change the setting on the external phone to uncheck STUN - this happened around line 7 where it says the phone is “unreachable” - I saw the handset disconnect and then register again. I’ve seen this happen before when changing settings on the phone.

A second later lines 9 and 10 show that the extension is once again “Reachable”.

I then tried to call remote extension 112 from extension 120, which I believe the log file starts at about line 11 onward. The call went straight to voicemail again.

I don’t see anything in the log related to the extension being “unreachable” or “changing contacts”

Line 228 seems to show the call to 112 properly initiated, but line 241 shows the call was rejected, within the same second.

At the Asterisk command prompt, type
pjsip set logger on
attempt the call again and paste a new log. If possible, restart the phone before making the call (as you did previously), so the log will also show a REGISTER request and the responses thereto.

It sounds like maybe your port forwarded on the router is not set up correctly or maybe there is something else on the router that is filtering/blocking it. You said you are forwarding RTP port 5060. I am assuming you mean’t UDP port? Also check the UDP timeout setting and make sure it’s greater than 60 seconds.

The router is forwarding External Port 5060 and Internal Port 5060 (Protocol “Both”) to the internal server IP address.

Also, the router is forwarding External Port 10000:20000 (Protocol “UDP”) to the internal server IP address.

Where is the UDP timeout setting?

I’ll post the logs as requested by @Stewart1 next.

Here’s the latest: https://pastebin.com/DkYqTHaZ

I restarted the external remote phone (extension 112) around line 34000. After it restarted (toward the end - maybe around line 36225), I called it from extension 120 and it went straight to voicemail (“Enable STUN” on the VSP729 is unchecked).

Let me know if anything needs clarification. I redacted the public facing IP addresses again along with the domain/subdomain names.

The ‘latest’ link is not working; please re-paste.

You should not need to forward internal Port 5060 if the Server and internal phones are on the same subnet. I would remove that setting.

It looks like the moderators at pastebin took it down - it was working last night. I’ll try capturing the data again.

I removed the setting as indicated above, but that didn’t solve the issue.

By default, Asterisk logs are kept for a week, so you probably won’t have to do another test. Look for files in /var/log/asterisk named full-(date).

Somewhere in your routers settings. If it doesn’t have it for some reason you could also try shorten the Qualify Frequency in the external extensions advances settings on FreePBX. Default is 60 seconds. I would try change it to 20 seconds.

Also make sure that SIP NAT = yes in Settings > Advanced Settings > Device Settings.