Need some help, first time deploying freepbx 15 and also pjsip. Everything works okay internally but remote phones are causing me an issue. There is no audio either direction from the remote phone until you place the call on hold and resume it. Then it works fine. This is usually a NAT issue somewhere but with PJSIP I don’t have any NAT options like with chan_sip.
On the firewall, port 5060, 5061 and 10000-20000 are forwarded to the PBX. I have the responsive firewall on the PBX for PJSIP. Everything registered fine.
From the remote phone, the echo test works fine and calls to voicemail. Calls out ring but no audio until resume from hold.
Extensions all have the default except
Display Name
Secret
Max contacts (3)
Asterisk Dial options (tr)
Trunks (all default except)
Trunk Name (Username)
PJSIP Settings
Username (Username)
Secret (password)
Sip Server (server dns name)
Sip Port (5060)
Context (from-trunk)
Advanced Settings
From Domain (server ip address)
From User (Username)
I have tried this with two different PBX installs on two networks (Meraki firewall and cisco 927 router). Same issue.
For the extension, try setting Direct Media to No.
If that’s not it, at the Asterisk command prompt, type pjsip set logger on
make a test call, paste the relevant section of the Asterisk log at pastebin.freepbx.org and post the link.
My first guess would be a router misconfiguration where you are not routing the inbound call’s RTP (UDP 10000-20000) is not set up to send the incoming call’s audio to the server. Once the call is put on hold, the outbound audio starts up and when you come off hold, the audio path is available through the external router.
My second guess would be to look at the Direct Media settings if your extensions are remote. Since Asterisk is a Back to Back User Agent, it works best when it’s in charge of both the signalling and the audio.
so with the PBX behind the Meraki mx (there is no SIP ALG on this device) I added in External IP and local Subnet options at the bottom of “Settings > Asterisk SIP Setting > SIP Settings [chan_pjsip] tab”
This worked. I have audio on the initial call.
I have turned off SIP ALG on cisco 927 router (command “no ip nat service sip udp port 5060” ) and added in the settings above but still the same issue.
Direct Media is set to no in both cases. I will make a test call shortly and paste up the details
<--- Received SIP response (579 bytes) from UDP:222.222.222.222:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.1.222.2:5060;branch=z9hG4bKPj724db8ef-128d-4e12-908b-cee60d300c09;received=10.1.222.2;rport=5060
So the trunking provider is ostensibly saying that they received your INVITE from 10.1.222.2, which is normally impossible because that’s not a routable address.
There are two possibilities:
There is a SIP ALG in the path (that rewrote the incoming Via header), despite your having turned it off in the 927. Please check the running configuration to be sure it’s really off. What is the WAN connection (on 927 it can be Ethernet, VADSL or LTE, depending on specific model)? Is the WAN address your public IP, or is there another layer of NAT in the picture? Can you capture traffic on the WAN interface to determine whether the 927 is altering SIP packets?
If the trunking provider is also your ISP and is supplying your 10.1.222.2 address from their equipment (could be onsite or remote), it’s possible that there is a non-NAT path from 10.1.222.2 to 222.222.222.222, in which case the INVITE should be presenting 10.1.222.2 in the Contact header and SDP. However, I believe this is implausible because:
Starting at line 512:
<--- Received SIP request (797 bytes) from UDP:37.49.229.237:21262 --->
INVITE sip:[email protected]:5060;transport=UDP SIP/2.0
This is an attempted attack hosted in the Netherlands. Your firewall should have blocked it, but for the purpose of this analysis, it’s good that it didn’t! Your private IP address is in the host field of the INVITE, but the attacker would have no way of knowing what it is. Therefore, it’s almost certain that a SIP ALG somewhere in the path modified the packet. Find that ALG and get rid of it.
Apologies, the router had rebooted and enabled the SIP ALG again as I hadn’t saved it. I have updated it now and issue is still there, updated log below.
Calls from the remote extension to internal extensions work fine, its only when the call has to be back out. Internal sets can call out fine.
Well, I see a few things that look strange (public IPs from the extension, repeated re-invites on the trunk, strange codec order), but nothing that should result in no audio.
I recommend first checking / adjusting some obvious stuff. If that doesn’t fix it, there are two approaches:
Capture a failing call with tcpdump, look at it with Wireshark, understand what is wrong with the RTP (missing, wrong port, wrong codec, etc.) and proceed from there.
Try to correct the strange behavior, hoping that will fix it.
To start, please confirm that the UDP port range 10000 to 20000 is forwarded in the 927 to the private address of the PBX. Also, for the extension, RTP Symmetric, Rewrite Contact and Force rport are all Yes, and Direct Media is No. For the trunk, Direct Media is No and RTP Symmetric is Yes.
If no luck, change the codec list for both extension and trunk to be only alaw and ulaw, in that order.
If still no luck, paste another log and maybe something will stand out. BTW, please don’t set pastes to expire – the history of these threads helps both future readers and the developers.
Thanks for your help with this. Finally got it sorted. Forwarding issue.
I had used the commands from another site to forward the range of ports on a cisco ios router
ip nat pool PORTFWD 10.1.222.2 10.1.222.2 netmask 255.255.255.0 type rotary access-list 100 permit udp any any range 10000 20000 ip nat inside destination list 100 pool PORTFWD
This doesn’t work. I reduced the range of udp port to 120 on the PBX and softphone and manually entered the port forwarding (pasted in 120 entries) and it worked.