For a long time I had a working FreePBX, but now

it just doesn’t work anymore! :’-/

I don’t know where to start. Well I try:

The problems started with adding an pjsip extension with a new incoming route. Some other extensions can’t register anymore. I tried a lot of things, but nothing helped. Then I pulled out my BRI-PCI-Card started the box, shut it down put back the BRI-PCI-Card, started again and now the extensions could register again. After some time, they coudn’t register again (Aastra/Mitel 6737i says “no service”). There seem to be authenticating problems. I deleted the extension, created new ones. It worked again for a few minutes, then again, no possibility to register, even though all the credentials were correct. Some phones of other brands could register.

Now they can register, but as soon as I try to place a call, the phone disconnect from pbx and and says “failed call” but the call is continuing in the background or on the server. The phone automatically disconnects, the freepbx-box doesn’t. Sometimes it works perfect, calls from extensions to extensions or external calls. Also sometimes the calls from outside comes in. But only sometimes.

I haven’t changed anything on the firewall, router. Disabled firewall from freepbx too. Maybe it’s a trunk problem? I got a sip and a dahidi trunk.

I know, you can’t tell me anything with this info, you need the logs. But please, can you tell me where to start finding the problem(s) and which logs you need?

Everything WAS working perfectly and all of a sudden it stopped working. Perhaps it was because of an FreePBX or/and a phone firmware upgrade…

Thanks so much for any help with this.

if you have a backup of the system when it was working fine, i would roll back to that version unless you have a lot of time to debug this.

a few details that you might want to provide are the freepbx version, the patch version and the asterisk verison.

you said this started when you added a pjsip extension. were you using pjsip for all extensions or were you using chansip and this was the first pjsip extension.

Unfortunately, I don’t have a backup, so this option is no option. My mistake, I will do better in future :-).

I have FreePBX Version 13.0.163 and Asterisk Version 12.8.1 installed.

I only had pjsip extensions on this box, from the beginning. Maybe important, I’ve upgraded the box some time ago, I think from the FreePBX 12 to 13. I only have a sip (chan_sip?) trunk, I don’t know if that’s important.

you will then have to look at the log files to see if you can get a hint as to why the phones are dropping offline. did you make any changes to your router? this feels like a router issue - what router are you using or is the pbx directly connected to the internet?

To start, you’re trying to solve too many problems at once. Slow down and solve one problem at a time.

Log into the system at the console.

Open the log file with "tail -F /var/log/asterisk/full | more ". This is the “full” log of what’s happening in your system. The Aastra phones are connecting via SIP, so watch one of the log in.

If they are logging in, then out, then in, then out, then in too quickly, fail2ban can pick them up as hack attempts and lock them out. This can take a few minutes, but it sounds like what you are experiencing.

Next - your incoming route. I assume it’s tied to a phone number at an TSP, right? Set up the trunk, make sure it’s working. Do not set up the inbound route yet - let the call go to your “any DID/anyCID” route and make sure it’s working OK. This will also give you the actual DID number your TSP is sending you so you can set up the inbound route correctly.

Next, set your PJ-SIP. Double check the port PJ-SIP is using (typical values include 5060, 5160, and 5061). You could also be setting it to something really non-standard, which is all cool. Get the phone working with an extension.

Next, set up your Inbound Route using the number your TSP is sending the call to. Match it accurately and send that call to the phone you just set up.

Anyone can eat an elephant - you just have to do it one bite at a time.

As I already tried to have a lot of looks at the log files, but wasn’t wise enough to extract the problems and find solutions, I try to post some of the messages here. Maybe someone can help me out.

It often says “unauthorized”, error 401. But I already checked the credentials so many times - they are fine.
As soon as I delete and “quick create” the extension(s) new and copy the old password, there are able to connect for some time. If I just “Add Extension” (PJSIP) it can’t connect, what I think it’s weird, because I fill in all necessary fields (as far as I can see) by hand. I can’t find out any difference to the “quick created” extension(s)…

No, I haven’t made any changes to my router. I am using pfsense with NAT. It worked for over 1 year with different DID and a sip and dahidi trunk almost perfectly.

OK, one problem at a time :-).

Thanks for your hint. I opened the log the way you told me. I found this one with one of the extension which isn’t working:

[2016-08-04 14:19:04] NOTICE[30775] res_pjsip/pjsip_distributor.c: Request from ‘“S. Main” sip:[email protected]’ failed for
’’ (callid: [email protected]_168_1_45) - No matching endpoint found
[2016-08-04 14:19:04] SECURITY[11782] res_security_log.c: SecurityEvent=“InvalidAccountID”,EventTV=“2016-08-04T14:19:04.354+0200”,Seve
rity=“Error”,Service=“PJSIP”,EventVersion=“1”,AccountID=“1000”,SessionID=“[email protected]_168_1_45”,LocalAddress=“IPV4/UDP/
[2016-08-04 14:19:04] SECURITY[11782] res_security_log.c: SecurityEvent=“ChallengeResponseFailed”,EventTV=“2016-08-04T14:19:04.354+020
0”,Severity=“Error”,Service=“PJSIP”,EventVersion=“1”,AccountID="",SessionID=“[email protected]_168_1_45”,LocalAddress=“IPV4/UDP/1”,RemoteAddress=“IPV4/UDP/”,Challenge=“1470313144/6d64fa96949864887c65721c880ee6f5”,Response=“48a61c1
[2016-08-04 14:19:04] VERBOSE[30775] res_pjsip_logger.c: <— Transmitting SIP response (550 bytes) to UDP: —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP;rport=5060;received=;branch=z9hG4bKcf09332f99d0ae7a8e3737cc2210a1c1
Call-ID: [email protected]_168_1_45
From: “S. Main” sip:[email protected];tag=1782985615
To: “S. Main” sip:[email protected];tag=z9hG4bKcf09332f99d0ae7a8e3737cc2210a1c1
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1470313144/6d64fa96949864887c65721c880ee6f5”,opaque=“1a73709a379b7b36”,algorithm=md5
Server: FPBX-13.0.163(12.8.1)
Content-Length: 0

I put the phone ip’s to the whitelist of fail2ban, I still get the error above.

I have two differed DID-Ranges, one connected to a dahidi interface/trunk, one is a sip trunk. Is this a TSP? The trunks are both working, yes. I can see calls coming in on asterisk, too. That’s fine so far.

One question at this point: Does it make a difference, if I set up the sip trunk as CHAN_sip oder PJ-SIP trunk? Is it just a question of handling it in freepbx or on my provider side? I mean for the trunks, for the extensions I know it’s only an internal question of which driver is taken.


The difference it makes is that PJ-SIP and Chan-SIP use different signaling ports for things to connect to the system.

So, for example, if your Telephony Service Provider (TSP) is connecting to your PBX using Chan-SIP and port 5060 (this is an example), then you would have to have PJ-SIP running on NOT port 5060, but on port 5061, or port 5160, or … (you get the idea, right?). Similarly, if you are running PJ-SIP on 5060 (a common configuration when you install a Distro) then Chan-SIP would be running on NOT 5060, but will be running on port 5061, or port 5160, or … (once again, anything but 5060).

It might also make a difference to your provider if they do not support PJ-SIP connections. Some TSPs use IP-based security (instead of a login credential or registration string). These folks will not support PJ-SIP since it doesn’t support connections that are not authenticated.

So, the difference it makes for your TSP is they need to know how to get to your *-SIP connection. If you are asking them to connect to you using Chan-SIP on port 5060, they need to be communicating with your PBX on port 5060. If you are communicating with them (sending them calls) on port 5060, then your trunk and PJ-SIP/Chan-SIP need to be set up that way.

The choice of the driver is based on the port you are connecting to - if you are connecting to port 5060 with Chan-SIP (to support your TSP), then the phones will also need to talk to 5060 using Chan-SIP if you want to use port 5060. If you want them to connect via PJ-SIP, then you need to set the phone’s configuration and authentication to port 5061, or port 5160, or … (see what I did there? :slight_smile: )

Remember, the incoming ports you use are up to you, but it is part of the negotiation process between you and your SIP phones, your TSP, and the script kiddies that are trying to steal your service. How you configure the ports for the various SIP drivers will determine how your connecting systems will contact your machine, which will drive the choice of driver.

are you running the freepbx firewall? if yes is your internal network on the trusted list?

Thanks for your helpful explanations on trunks, Chan-SIP and PJ-SIP considering the sip trunk!

I’ve tried it with firewall switched on and off - same behavior. And yes, all my internal networks are on the trusted list.

I still got this “No matching endpoint found”-Error. I’ve tried to delete and recreate the extension 1000 serveral times, but I can’t connect anymore. If I go to the reports-> Asterisk Info I see this under Chan_Sip Info:

Chan_Sip Peers

Name/username Host Dyn Forcerport Comedia ACL Port Status Description
991000 (Unspecified) D Yes Yes A 0 UNKNOWN
991099 (Unspecified) D Yes Yes A 0 UNKNOWN
991100 (Unspecified) D Yes Yes A 0 UNKNOWN
991101 (Unspecified) D Yes Yes A 0 UNKNOWN
991102 (Unspecified) D Yes Yes A 0 UNKNOWN
991110 (Unspecified) D Yes Yes A 0 UNKNOWN
991120 (Unspecified) D Yes Yes A 0 UNKNOWN
995000 (Unspecified) D Yes Yes A 0 UNKNOWN
995001 (Unspecified) D Yes Yes A 0 UNKNOWN
995090 (Unspecified) D Yes Yes A 0 UNKNOWN
995099 (Unspecified) D Yes Yes A 0 UNKNOWN
995100 (Unspecified) D Yes Yes A 0 UNKNOWN
995200 (Unspecified) D Yes Yes A 0 UNKNOWN
995300 (Unspecified) D Yes Yes A 0 UNKNOWN
999000 (Unspecified) D Yes Yes A 0 UNKNOWN
999001 (Unspecified) D Yes Yes A 0 UNKNOWN
999998 (Unspecified) D Yes Yes A 0 UNKNOWN
999999 (Unspecified) D Yes Yes A 0 UNKNOWN
S_OUT/123456789 XXX.XXX.XXX.XXX Yes Yes 5060 Unmonitored
19 sip peers [Monitored: 0 online, 18 offline Unmonitored: 1 online, 0 offline]

I think that is pretty weird, because I only have PJ-SIP Extensions installed. Those listed extensions above are the correct numbers of my extensions, but without the prefix “99”.

Under the section “Chan_PJSip Info” there are all Endpoints listed, but not this 1000.

I don’t get it.

Thanks for any additional hints.

Today I monitored the following behavior which may perhaps help to narrow down the exact problem of my FreePBX system:

When I ever I do (maybe only certain) updates and restart the system, there are some and everytime the same extensions that doesn’t work anymore (“no service”/not registering with error 401 on Aastra/Mitel phones, not registering on Siemens phones). Some extensions are not affected and always work, even after upgrades of FreePBX modules and restarts of the FreePBX Server.

I found out two “workarounds” to get the extensions working again / letting the phones register again.

The fist one as described above: Delete the extension(s) and correspondent user(s) and “quick create” a new one. (only “quick create” will do the job, otherwise I still got the above described misbehavior).

The second one I found out today is: Extension -> Advanced -> Change SIP Driver -> Change To CHAN_SIP Driver -> Apply Config -> Change To CHAN_PJSIP Driver -> Apply Config. (if I click “Submit” between it doens’t work)

And voilà, the extension is working again.

Maybe this helps others to help me? It’s pretty annoying to do this after an upgrade and reboot of the server, as it affects about 10 extensions.

Thanks so much in advance for your help!

had somewhat similar issue - after switching to and back from pjsip fail2ban banned endpoint IP

sudo fail2ban-client status ’ to get proper jail names
sudo fail2ban-client -i
status asterisk-tcp ’ or other jails you might have - it will show you banned IPs
status asterisk-udp
set asterisk-tcp unbanip ip.ip.ip.ip
set asterisk-udp unbanip ip.ip.ip.ip

Thanks for your help. I tried this, but I didn’t had any banned IPs on my 6 jails…