Fast busy and No Audio issues between remote sites over site-to-site VPN

Hi All,

I’ve read through the forums and haven’t been able to solve my problem so I’m hoping that you can point me in the direction of what logs I should be looking at to fix my issue. I have one primary and three remote sites that are connected using private IP address spaces and connect via a site-to-site VPN. I’ve confirmed connectivity with all the phones getting a dial tone from the FreePBX (15) but I get fast busy and no audio issues from two of my remote sites.

I’ve made sure all of my IP ranges are in the firewall (tried both trusted and bypass) and ensured that the ranges are also in the SIP configuration. I’ve tried multiple configurations with NAT but nothing seems to work.

Any ideas what I’m missing?

Thanks!

Here’s the testing matrix and network diagram.

sngrep would be a good tool to start with.

Well there’s a useful tool. Looking through it now. Thanks.

I assume this is SIP. SIP phones fake dialtone without doing anything to start the session so it is of very little diagnostic value. I assume fast busy is because of an Asterisk DIALSTATUS of CONGESTION. That is pretty much the catch-all failure status. You need to look at the logs to find out more specific reasons.

In Asterisk SIP Settings, confirm that External Address and Local Networks are correctly set. For your setup, I recommend putting
10.0.0.0 / 8
in Local Networks, so it will handle new sites if any are added.
If you change these settings, after Submit and Apply Config you must restart Asterisk.

As you have described your system, there is no NAT visible to the phones; turn off any NAT settings in them. pjsip should figure out NAT automatically. You can leave RTP Symmetric, Rewrite Contact and Force rport all Yes (the defaults) and it should work whether the extension is behind NAT or not.

I wasn’t aware about the dial tone issue…thanks for pointing it out.

As for the logs…I’ve been working through them…just a slow slog as I’m learning what things are as I go.

Thanks for the information. I was curious about the NAT issue given my setup. I’m concerned about opening the local networks to the 10.0.0.0/8 since I have data networks on those and I’d hate to have the server get compromised and abused. If I continue to have issues, I’ll give it a go (short-term) though.

Okay…here’s an update.

We made some changes to the network layer and vlans between the main site and the subsites and everything started working.

I moved the test phones out of the server closet and patched the same switch ports to a nearby room. The phones powered up but got an unregistered message and showed red (x)s on the display. The phones wouldn’t connect, but the server was seeing registration attempts with unauthorized messages in sngrep.

Left it overnight and the phones were showing green checkmarks and I was able to make calls between sites as I would expect.

Is there always a delay in registration and connection or is something still screwed up in the config? Waiting 24 hours to get an extension online is unreasonable (IMO)…

Thanks for the suggestions…

A normal registration is:
Device sends REGISTER request.
PBX sends 401 Unauthorized.
Device resends REGISTER with Authorization header.
PBX sends 200 OK.

If you are seeing repeated 401 responses, it is most likely that the device is not receiving the 401 and is retransmitting REGISTER. You can confirm this by a lack of Authorization headers in the repeated REGISTERs.

That is definitely not normal. If you are seeing repeated registration attempts that fail, confirm that the PBX is sending the 401 to the correct IP address and port. If so, capture traffic at the device to see whether something in your network is blocking or misdirecting the responses.
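The check described in the reply above (repeated REGISTERs that never carry an Authorization header), as an added example that is not part of the original thread. It assumes the SIP messages were saved from the PBX-side capture as text with blank lines between messages and full header names; `pbx.example`, the Call-IDs and the username are constructed sample values.

```python
from collections import defaultdict

OK = "registered"
REJECTED = "401 received, credentials rejected"
LOST = "401 not reaching device: REGISTER repeated without Authorization"

def parse(capture):
    """Yield (start_line, headers) per blank-line-separated SIP message."""
    for block in capture.replace("\r\n", "\n").split("\n\n"):
        lines = [l for l in block.split("\n") if l.strip()]
        headers = {n.strip().lower(): v.strip()
                   for n, _, v in (l.partition(":") for l in lines[1:])}
        if lines:
            yield lines[0].strip(), headers

def classify(capture):
    """Return {call_id: verdict} for each REGISTER exchange in the capture."""
    seen = defaultdict(lambda: {"plain": 0, "auth": 0, "401": 0, "200": 0})
    for start, h in parse(capture):
        if not h.get("cseq", "").upper().endswith("REGISTER"):
            continue  # skip INVITE, OPTIONS and message bodies
        s = seen[h.get("call-id", "?")]
        if start.startswith("REGISTER "):
            s["auth" if "authorization" in h else "plain"] += 1
        elif start.startswith(("SIP/2.0 401", "SIP/2.0 200")):
            s[start.split()[1]] += 1
    verdicts = {}
    for cid, s in seen.items():
        if s["200"]:
            verdicts[cid] = OK
        elif s["401"] and s["auth"]:
            verdicts[cid] = REJECTED   # device saw the challenge and answered it
        elif s["401"] and s["plain"] > 1:
            verdicts[cid] = LOST       # device keeps retransmitting the first REGISTER
        else:
            verdicts[cid] = "incomplete"
    return verdicts

def sample_msg(start, cid, auth=False):  # builds one constructed sample message
    extra = 'Authorization: Digest username="201"\n' if auth else ""
    return f"{start}\nCall-ID: {cid}\nCSeq: 1 REGISTER\n{extra}"

REG = "REGISTER sip:pbx.example SIP/2.0"
R401, R200 = "SIP/2.0 401 Unauthorized", "SIP/2.0 200 OK"
SAMPLE = "\n".join([  # constructed: one healthy exchange, one with lost 401s
    sample_msg(REG, "ok-1"), sample_msg(R401, "ok-1"),
    sample_msg(REG, "ok-1", True), sample_msg(R200, "ok-1"),
    sample_msg(REG, "lost-2"), sample_msg(R401, "lost-2"),
    sample_msg(REG, "lost-2"), sample_msg(R401, "lost-2")])
print(classify(SAMPLE))
```

A `LOST` verdict is the cue to capture at the device side, as the reply suggests, to see where the 401 responses are being dropped or misdirected.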
