External SIP Phones. AH HELP!

Warning: I am a newbie to Linux, FreePBX, and configuring SIP IP phones.

So we have Asterisk installed on CentOS. We also are using FreePBX and our trunks are provided by DirecPath. The phone models I’m using are Cisco 7940s and 7960s. I just converted the phones from SCCP to SIP v8.12 after finally getting my .cnf and .xml files straight. DHCP is working and the firewall settings have been triple-checked. All phones inside the network can successfully make calls, but outgoing voice is not working. I’m pretty sure I can get that solved, but I have a bigger problem on my hands. If someone has a suggestion to the outgoing voice issue, that would also be helpful. The problem described below is a bigger problem at the moment.

I upgraded my own 7940 to SIP v8.12 and brought it home, but cannot download files from my WinAgent TFTP server. The download shows up in the log, but times out. The TFTP server is in the same office that the Asterisk server is. From what I have been reading, you need NAT enabled for the external SIP phones to connect to the server through an external address. We have our sip.conf file modified to enable NAT, phones set to enable NAT, and the SIP.cnf files set to enable NAT. I do not have NAT enabled in SIPDefault.conf since the phones inside the network don’t need it. I have checked all of my network settings and everything is right as far as I can see.

If someone has any idea as to what I’m looking over or doing incorrectly, please help. A detailed checklist of instructions to connect external SIP phones to an office would be much appreciated. =) Feel free to ask as many questions as you need. I can also upload my config files if needed.

The Ciscos are one of the most difficult phones to get working remotely, in my opinion. For security, stability and voice quality, I would highly recommend a VPN.

As far as any other suggestions, while you have a lengthy post you didn’t tell us anything. The assertion you configured everything right is meaningless because if you did it would work. You also state you modified SIP.cnf. If you are talking about Asterisk sip.conf, you are way down the wrong path because global NAT must be configured in the SIP settings module within FreePBX.

Generically, if you have your UDP RTP ports (you need to vastly lower the port range from default, although some providers ignore this and send on any port they want) and UDP 5060 for SIP signalling forwarded, you should be able to establish a SIP call. In your case you also have to forward UDP 69 for TFTP. This is a security mess because TFTP is not authenticated, so anyone can download your extension config, spoof your extension and make free calls (another reason to use VPN). If you must forward the ports, you really need to harden the system and expose as little as possible to as few networks as possible.

Lastly, when asking for help we always need to know your FreePBX version, Asterisk version, and the OS if you installed it yourself, or which distro you used if it was installed from ISO.
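As an added example (not part of the original thread and not any poster's configuration), the script below prints iptables rules for the PBX host that accept the forwarded SIP and RTP ports only from allowlisted source networks, one way to "expose as little as possible to as few networks as possible". The allowlist addresses, the narrowed RTP range and the function name `pbx_rules` are assumptions; the thread's TFTP server is a separate host, so the same source restriction for UDP 69 belongs on the device that forwards it.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules for the PBX host so that the
# forwarded SIP and RTP ports answer only allowlisted source networks.
# Constructed values: the allowlist entries at the bottom (documentation and
# private ranges) and the narrowed RTP range; the thread's range is 10000-20000.

SIP_PORTS="5060:5061"    # SIP signalling range quoted in the thread
RTP_PORTS="10000:10200"  # assumed narrowed range; must match rtpstart/rtpend in rtp.conf

pbx_rules() {
    # $@ = source networks (CIDR) allowed in: remote phones, the office LAN,
    # and the trunk provider's SIP/RTP addresses (the DROP rules apply to it too).
    [ "$#" -gt 0 ] || { echo "error: empty allowlist" >&2; return 1; }
    for src in "$@"; do
        case "$src" in
            */0) echo "error: $src allows every source" >&2; return 1 ;;
            */*) ;;
            *)   echo "error: $src is not CIDR notation" >&2; return 1 ;;
        esac
    done
    # Replies to traffic the PBX itself started (e.g. registration to the trunk).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ports in "$SIP_PORTS" "$RTP_PORTS"; do
        for src in "$@"; do
            echo "iptables -A INPUT -p udp -s $src --dport $ports -j ACCEPT"
        done
        # Every other source hitting this service is dropped.
        echo "iptables -A INPUT -p udp --dport $ports -j DROP"
    done
}

# Constructed allowlist: one remote phone and one office LAN.
pbx_rules 198.51.100.17/32 192.168.1.0/24
```

The rules are appended with `-A`, so any broader ACCEPT rule already earlier in the INPUT chain still wins and has to be removed for the allowlist to take effect.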

Forgive me for being vague. I’ve been getting a bit delusional staying up night after night trying to fix this haha.

Anyways here’s my basic info:
FreePBX 2.11
Release Date-04-22-13 (installed via ISO burned to DVD)

Asterisk 1.8 on CentOS 6.3

WinAgents TFTP Version

SIP Firmware Version 8.12 (Yes, they’re the P0S3 files)

Other notes: Global NAT is configured within FreePBX GUI. UDP 69 is forwarded to TFTP and the range is 5060-5061. The RTP is configured from 10000-20000, which I think is default. The files I was speaking of were SIPDefault.cnf and SIP.cnf. They are the config files for the 7940/7960 that reside on the TFTP.

I was actually able to fix the phones inside the office. All I had to do was edit the two SIP files described above to enable NAT, enable NAT Received Processing, and define a NAT address. The NAT address is the external IP to the Asterisk server (69.xx.xxx.43). Once I did that, incoming and outgoing calls worked perfectly and call quality was amazing. (Much better than their previous CallManager setup. Constant voice echo and call drops). Also, DHCP is working and enabled on all phones.

I am still having the same problem as before now. Phone connects to TFTP, but download times out and phone displays “Phone Unprovisioned”. On the external phone SIP.cnf files, I have enabled NAT and defined the address using the same one described above. I also have proxy register enabled on the phone and in the SIP.cnf file. Also the proxy address #1 in that file is the external Asterisk server address. Unlike the phones in the office, which use the local address to the Asterisk server.

Here are links to my SIPDefault.cnf and SIPmacaddress.cnf files:

All help is very much appreciated. Thanks in advance!!!

Please explain to me how you arrived at the conclusion that a VPN improves voice quality. Hint, it doesn’t.

Hint, yes it does, in several ways. 1st, like IAX2 it encapsulates the media and signalling into a single session. This improves jitter and some latency and makes it possible to assign end to end QoS policies.

So you have end to end QoS over the internet…like MPLS? I bow before you. What about the 99.999% of us who don’t?

I don’t use IAX and not sure how you came up with that jitter theory but sounds like hogwash to me. Encapsulation is logical…not a dedicated circuit unless of course you DO have something like a dedicated circuit or your own backbone or something.

No, I do not have end to end QoS over the Internet. However if you keep the tunnel below the minimum bandwidth established over a reasonable profiling time then you can create meaningful policies within the tunnel.

If the packet loss or jitter are impaired the VPN can’t make up for that.

If you do not have end to end control then you do not have any QoS control. Full stop. All a VPN does is add more overhead and therefore more potential jitter, latency, lost packets.

I guess I am dumb and you are going to have to draw me a diagram or explain it in layman’s terms how a VPN with no QoS is going to make VoIP better. I am anxiously waiting and eager to learn this amazing new concept you have opened my eyes to.

Whether or not this argument of external VoIP phones working better on VPN is true, that is not an option for me. As mustardman said, VPN just adds more overhead.

I’m beginning to wonder if this is a NAT issue. The phones on the inside of the network have the external IP address of the Asterisk server defined for the NAT address. They work fine using that address, but the phones on the outside of the network do not. Should the NAT address for the external phones be something different? For example, maybe it should be the external address of the router each specific external user is on in their own office? I also saw a forum post where one guy said he used the address of the phone itself for the NAT address on the external phones. I guess I will try those options out tomorrow and see if it works. Fingers crossed. I am only guessing at this point.

BTW. All of my specifics are in post #4. I just replied to SkykingOH, so it didn’t go to the bottom. Sorry =/.

Sorry for the tangent. If you are using FreePBX (not clear to me if you are) then install Asterisk SIP settings module. All the global NAT settings are in there. If not then set NAT=yes everywhere. In sip.conf and for individual extensions. It almost always works if nat is always yes everywhere even if you don’t necessarily need it.

Yes, I am using FreePBX. Versions of all software I’m using are described in post #4. NAT is set to ‘Yes’ in the Asterisk SIP Settings menu option of FreePBX. IP Configuration is set to static IP and the external address is set to the external address of the Asterisk server. I have ‘nat_enable’ and ‘nat_recieved_processing’ set to 1 in both the SIPDefault.cnf and SIPmacaddress.cnf. I also have NAT enabled in each phone’s settings. The NAT address on the phone and in both of those configuration files is set to the external address of the Asterisk server as well. I am completely dumbfounded as to why this works for the internal phones, but not the externals. I didn’t have a chance to try anything today, but I rescheduled for tomorrow. Hopefully, I am looking over some silly setting in these configuration files.

It is very likely a NAT issue. Next thing to check on the list would probably be your firewall. UDP 5059-5061 and UDP 10000-20000 should be opened and pointing to the server. If the router has a SIP ALG feature, try enabling or disabling it. If it’s a Dlink router throw it away and get something that is not a piece of crap that doesn’t work half the time.

Those ports you mentioned are opened and pointing to the server. I will check and see if that option SIP ALG is available. Also, it’s a Cisco and I would never recommend Dlink to anyone. Especially not my best client who has enough of a budget to buy quality hardware. Thanks for all of your help mustardman! Much appreciated my friend!! I’ll follow up after or during work this coming morning.

I mention the Dlink because I got one for testing recently and I could not get SIP to work through it. It also has a SIP ALG feature which is useless or doesn’t work. The only router I have ever run into where I could not get SIP to work no matter what I did. Complete junk.

No SIP ALG option was available. Now I’m starting to get real nervous. I have to get this done. I am about to go nuts lol.

No SIP ALG is good, you always want them off.

I just realized something. Do you have sip_nat.conf configured or alternatively did you set up the internal/external IPs in Asterisk SIP settings module?